The importance of balancing app user experience and security cannot be overstated. In today's digital landscape, it is crucial to provide users with seamless and secure experiences that keep them coming back to your application. But how do you achieve this delicate balance? The Open Web Application Security Project (OWASP) and the National Institute of Standards and Technology (NIST) offer valuable guidelines on session security, but ultimately, the key lies in understanding your customers' needs and habits.
While OWASP recommends short idle timeouts for high-risk applications, NIST suggests re-authenticating users every 12 hours and terminating sessions after 30 minutes of inactivity. These guidelines provide a solid foundation for securing user sessions, but it is equally important to consider the impact on app user experience. A tedious authentication process can exhaust customers and discourage them from using your application.
Auth0 offers a feature called long-lived sessions that lets you reduce the friction that secure authentication would otherwise impose on the user experience. This feature enables businesses to give users the convenience of checking their email sporadically without facing repetitive login prompts. Imagine how tedious it would be if you had to log in every time you went idle for more than two minutes.
For media companies, like Alma Media, customers may visit their site infrequently. Registered users often visit media sites every two weeks to consume content. Returning users who face the hassle of signing back in may opt to stop visiting the site. For a media company, losing its audience means losing ad revenue, since ad payments are generated by clicks.
Some businesses offer essential services that require customers to access their application regularly. In these cases, users may not have the option to leave the site, but they may still become vocal about their dissatisfaction with the user experience on social media or review channels. For example, a utility company may have monthly or quarterly billing cycles where end-users access its application to pay their bills.
Auth0 customers have reported that as much as 22% of their customers forget their passwords each quarter. Frustrated customers have to contact call center staff to request password resets. Forgotten passwords can lead to decreased customer satisfaction, paired with increased business operation costs.
For low-risk engagements, you can provide a better user experience by implementing a longer session limit. This could become the difference between keeping or losing a customer. While Auth0 focuses on making your applications more secure, we also understand the substantial value of your end-user experience.
Everything considered, long-lived sessions work exceptionally well for organizations with periodic or even intermittent engagement cycles. With Auth0's customizable session lengths, you can configure session limits with up to 100 days of inactivity (idle timeout) and up to one year in total duration (absolute timeout).
Auth0 lets you customize session lengths to fit the security risk tolerance of your desired user experience. Configurable idle and absolute timeouts enable companies with quarterly, monthly, or other types of customer engagement cycles to reduce friction for end-users and provide secure access to low-risk content and functionality.
Whenever your customers need to perform high-risk actions, such as changing account details or updating payment methods, you can rely on Auth0 functionality to programmatically require password validation before those actions run, as an added layer of security. With Auth0's long-lived sessions, session management, and Single Sign-On (SSO), you can build a better user experience for returning customers, enable personalized targeting, and reduce operating costs by mitigating password resets.
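To make the two timeouts and the step-up rule concrete, here is an added example (not Auth0 code, and not tied to any Auth0 API) that models a session with the page's limits: an idle timeout that is extended by activity, an absolute timeout that is not, and a re-validation requirement before high-risk actions. The policy constants `IDLE_TIMEOUT` and `ABSOLUTE_TIMEOUT` use the maximum values the page quotes (100 days and one year); `STEP_UP_MAX_AGE`, `HIGH_RISK_ACTIONS` and all function names are assumptions for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum
from typing import Optional

# Policy values taken from the page's stated maximums (illustrative, not defaults).
IDLE_TIMEOUT = timedelta(days=100)       # inactivity window, reset by each request
ABSOLUTE_TIMEOUT = timedelta(days=365)   # hard cap measured from session creation
# Hypothetical step-up window: how recently the password must have been
# re-validated before a high-risk action is allowed.
STEP_UP_MAX_AGE = timedelta(minutes=5)
# Hypothetical set of actions that require fresh password validation.
HIGH_RISK_ACTIONS = {"change_account_details", "update_payment_method"}


class SessionState(Enum):
    ACTIVE = "active"
    IDLE_EXPIRED = "idle_expired"
    ABSOLUTE_EXPIRED = "absolute_expired"


@dataclass
class Session:
    user_id: str
    created_at: datetime
    last_activity: datetime
    # Time of the most recent explicit password validation, if any.
    last_password_validation: Optional[datetime] = None


def session_state(session: Session, now: datetime) -> SessionState:
    """Evaluate both timeouts. The absolute limit is checked first because
    no amount of activity can extend it."""
    if now - session.created_at >= ABSOLUTE_TIMEOUT:
        return SessionState.ABSOLUTE_EXPIRED
    if now - session.last_activity >= IDLE_TIMEOUT:
        return SessionState.IDLE_EXPIRED
    return SessionState.ACTIVE


def touch(session: Session, now: datetime) -> bool:
    """Record a request. Extends the idle window only if the session is
    still valid; an expired session is never silently revived."""
    if session_state(session, now) is not SessionState.ACTIVE:
        return False
    session.last_activity = now
    return True


def record_password_validation(session: Session, now: datetime) -> None:
    """Called after the user successfully re-enters their password."""
    session.last_password_validation = now


def authorize_action(session: Session, action: str, now: datetime) -> str:
    """Return 'login_required', 'step_up_required' or 'allowed'.
    Low-risk actions need only a live session; high-risk actions also
    need a password validation within STEP_UP_MAX_AGE."""
    if session_state(session, now) is not SessionState.ACTIVE:
        return "login_required"
    if action in HIGH_RISK_ACTIONS:
        validated = session.last_password_validation
        if validated is None or now - validated > STEP_UP_MAX_AGE:
            return "step_up_required"
    return "allowed"


if __name__ == "__main__":
    # Constructed timeline: a user who returns roughly every six weeks.
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    s = Session(user_id="user-123", created_at=t0, last_activity=t0)
    for day in (45, 90, 135):
        print(day, session_state(s, t0 + timedelta(days=day)), touch(s, t0 + timedelta(days=day)))
    print(authorize_action(s, "read_article", t0 + timedelta(days=140)))
    print(authorize_action(s, "update_payment_method", t0 + timedelta(days=140)))
```

The important asymmetry is in `session_state`: the absolute timeout is measured from `created_at` and is checked before the idle check, so a heavily used session still expires at one year, while the idle timeout is measured from `last_activity` and is pushed forward by every successful `touch`. Step-up is evaluated per action rather than per session, so a long-lived session can stay valid for low-risk browsing without ever being trusted for a payment change on its own.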
If you'd like to learn more about how you can customize Auth0's out-of-the-box features to fit your needs, please reach out to sales@auth0.com.
About the author:
Randy Nasson is the Director of Product Management (IAM) at Auth0.