Over the past few years supporting applications, I've received multiple requests to not time out (either at all or less frequently). From a user's perspective, it's frustrating. You get up for a cup of coffee between tasks and get distracted by a quick conversation or the ding of email. You come back to the application, click, and you're required to log in again. There are a number of standards for the length of login timeouts, but everyone has their own opinion and each industry has different specific requirements.
First off, a timeout is simply a mechanism that forces someone to identify themselves to the application again after a certain period of inactivity. This is normal, though not universal (many sites, generally social networks and communities, handle it differently), and everyone has their own opinion about it. Requests range from "it should never time me out - I'll tell you when I'm ready to log out" to "can you just increase it to 30 minutes?".
Timeouts are one of many security measures developers implement to protect the sensitive user, client, and business data a Web app handles. Depending on the sensitivity of that information, the timeout could be as short as 10 minutes or as long as 1-2 hours. Most Web apps time out after 15-30 minutes - similar to company policies for workstations. There are many different guidelines on the proper timeout based on the security needs of the application. In general, the Council on Cybersecurity, ISO, and CERT provide the best answer. This must be a discussion that takes place during the planning process. How sensitive is the information you're going to be storing? This becomes more complicated when your application provides a platform that many different organizations will use, each with different cultures and security protocols.
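The inactivity timeout described above is enforced on the server, not just by a cookie expiry the browser is trusted to honour. The following is an added example (not code from the original post) of a minimal server-side session store with a sliding idle window plus an absolute lifetime; the 15-minute and 8-hour defaults, the `Session`/`SessionStore` names, and the injected `now` clock are assumptions chosen for illustration and testing.

```python
"""Server-side idle-timeout enforcement (added example, not the post's code).

Assumptions: sessions live in an in-process dict keyed by an opaque id,
`idle_timeout` is a sliding inactivity window (reset on every valid request),
and `max_lifetime` is an absolute cap after which re-authentication is
required no matter how active the user has been. Time is passed in as a
float so the behaviour can be exercised deterministically.
"""
from dataclasses import dataclass
from typing import Dict, Optional
import secrets
import time


@dataclass
class Session:
    user: str
    created_at: float   # when the user authenticated
    last_seen: float    # last request that passed validation


class SessionStore:
    def __init__(self, idle_timeout: float = 15 * 60, max_lifetime: float = 8 * 3600):
        self.idle_timeout = idle_timeout      # seconds of inactivity before re-login
        self.max_lifetime = max_lifetime      # seconds since login before forced re-login
        self._sessions: Dict[str, Session] = {}

    def login(self, user: str, now: float) -> str:
        """Create a session after successful authentication and return its id."""
        sid = secrets.token_urlsafe(32)       # 256 bits of CSPRNG output, unguessable id
        self._sessions[sid] = Session(user=user, created_at=now, last_seen=now)
        return sid

    def touch(self, sid: str, now: float) -> Optional[str]:
        """Validate a session id on an incoming request.

        Returns the user name when the session is still valid (and slides the
        idle window), or None when the client must authenticate again.
        """
        s = self._sessions.get(sid)
        if s is None:
            return None
        idle_expired = now - s.last_seen > self.idle_timeout
        lifetime_expired = now - s.created_at > self.max_lifetime
        if idle_expired or lifetime_expired:
            # Destroy server-side state so a replayed cookie cannot resurrect it.
            del self._sessions[sid]
            return None
        s.last_seen = now
        return s.user

    def logout(self, sid: str) -> None:
        """Explicit logout: remove the session immediately."""
        self._sessions.pop(sid, None)

    def active_count(self) -> int:
        return len(self._sessions)


if __name__ == "__main__":
    store = SessionStore(idle_timeout=15 * 60)
    sid = store.login("demo-user", time.time())
    print("valid now:", store.touch(sid, time.time()))
    print("after 16 idle minutes:", store.touch(sid, time.time() + 16 * 60))
```

The check runs on every request, and the decision of which `idle_timeout` to configure is exactly the planning discussion the post calls for; the value is a deployment setting, not something hard-coded into the application logic.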
If you're crafting a Web or mobile app platform, make sure you have this discussion. If you're not sure you have the correct settings, contact us and we can assist you in finding out whether your application is in line with best practices. Here's a brief overview of several guidelines to help you decide if you need to address how quickly you log your users out:
- A U.S. Presidential Memorandum on the protection of sensitive agency information, and the guidelines of several U.S. agencies, require re-authorization after 30 minutes of inactivity.
- The PCI-DSS standard (which governs credit card security) requires 15 minutes or less.
- The Australian Department of Defence and the National Institute of Standards & Technology both recommend timing out in 15 minutes or less for remote access (which includes Web and mobile apps).
- The ISO, Council on Cybersecurity, and CERT are all much more vague and recommend settings in line with the corresponding risk and organizational culture.