On the other hand, NIST recommends that application builders make their users re-authenticate every 12 hours and terminate sessions after 30 minutes of inactivity. For intermittent re-authentication, that session termination time shrinks to 2 minutes.
How long should a session timeout be?
Typical session timeouts range from 15 to 45 minutes, depending on the sensitivity of the data the session can expose. As the timeout approaches, warn the user and give them an opportunity to stay logged in.
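The policy described above and in the NIST paragraph (an absolute 12-hour lifetime, a 30-minute inactivity limit, and a warning shortly before the idle cutoff) as an added example; this is illustrative code, not from the original page or from NIST, and the 2-minute warning window is an assumed value.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class SessionPolicy:
    # 12-hour re-authentication and 30-minute inactivity limits are the
    # values quoted from NIST on this page; warn_before is an assumption.
    absolute_lifetime: timedelta = timedelta(hours=12)
    idle_timeout: timedelta = timedelta(minutes=30)
    warn_before: timedelta = timedelta(minutes=2)


@dataclass
class Session:
    created_at: datetime      # when the user last authenticated
    last_activity: datetime   # time of the last request on this session


def evaluate_session(session: Session, policy: SessionPolicy, now: datetime) -> str:
    """Classify a session as 'active', 'warn', 'expired_idle' or 'expired_absolute'.

    The absolute lifetime is checked first: activity never extends it, so a
    continuously active user still has to re-authenticate after 12 hours.
    """
    if now - session.created_at >= policy.absolute_lifetime:
        return "expired_absolute"
    idle_for = now - session.last_activity
    if idle_for >= policy.idle_timeout:
        return "expired_idle"
    if idle_for >= policy.idle_timeout - policy.warn_before:
        return "warn"  # caller should show the "stay logged in?" prompt
    return "active"


def touch(session: Session, policy: SessionPolicy, now: datetime) -> bool:
    """Record activity on a request. Returns False, leaving the session
    untouched, if it had already expired; an expired session must not be
    revived by a late request."""
    if evaluate_session(session, policy, now).startswith("expired"):
        return False
    session.last_activity = now
    return True


if __name__ == "__main__":
    # Constructed timeline: login at 09:00 UTC, requests at +10 and +29 min.
    start = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)
    s, p = Session(start, start), SessionPolicy()
    for minutes in (10, 28, 29, 60):
        print(minutes, evaluate_session(s, p, start + timedelta(minutes=minutes)))
```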
What is the recommended security setting for session timeout?
Configure Session Timeout Settings
For portal users, the actual timeout can be anywhere between 10 minutes and 24 hours, but the value you can select is limited to the range of 15 minutes to 24 hours. To enforce stricter security for sensitive information, choose a shorter timeout period.
What is NIST Special Publication 800 63B?
NIST Special Publication (SP) 800-63B provides requirements, recommendations, and guidance for the use of memorized secrets (i.e., PINs, passwords) in authentication of digital identity. This guidance for memorized secrets is exclusively for human users.
What is the default session timeout?
The default is 10 minutes. Session.Timeout has no hard-coded limit; most Web administrators set this property to 8 minutes.