Speaker: Kishore Gangwani, Architect (Application Security), CVS Health
Date: Thursday, June 23, 2022
Location: Denver, CO

Description: An application can improve user experience by creating long-lived user sessions and avoiding asking users to log in frequently. This is particularly true for applications that do not use low-friction login like FIDO-based flows. As an example, a user can log in once into a web application in a browser and access the application for days, weeks, or months without authenticating again. Access is maintained even after closing and re-opening the browser. However, long lived-sessions increase the time window for attackers to hijack session credentials (tokens, cookies, etc.) amplifying the risks and reducing application security. This session will discuss some ways in which applications can mitigate the increased risks if the applications implement long-lived sessions, and, as a result, reduce friction in user experience without compromising on security.