dusk-network / rusk

Dusk's Smart Contract Platform
Mozilla Public License 2.0

web-wallet: Enhance Wallet security with session invalidation on inactivity #1557

Open nortonandreev opened 4 months ago

nortonandreev commented 4 months ago

I've been reflecting on our recent discussion regarding the introduction of "soft" and "hard" authentication methods for our Wallet, as discussed with @ZER0 and @ascartabelli. The idea is to prompt users for their mnemonic for each operation to avoid storing the seed in memory, enhancing security.

While I see the value in this approach, I propose a complementary short-term solution to further boost our Wallet's privacy and security. Our current session management requires authentication for new sessions, aligning with standards observed in banking apps and other wallets. However, I believe we could take an additional step to improve security without significant effort.

Suggestion: Implement Session Invalidation on Inactivity

The core of my proposal is to automatically log users out after a period of inactivity, clearing the memory of the seed in the process.

Implementing session invalidation would not only add an extra layer of security but also complement the potential future introduction of soft/hard authentication. It's worth noting that "inactivity" should be defined carefully, excluding automatic operations like syncing or executing transactions from triggering a logout.

The duration for inactivity logout should be carefully considered; I suggest a range of 2-5 minutes to minimize mnemonic storage time without significantly impacting user experience.

Benefits:

I believe this addition could be a valuable interim solution as we explore more comprehensive authentication strategies.

paulo60pg commented 4 months ago

IMO 2 min would be very short, and annoying for the user. Just get inspiration from MetaMask. I think it can stay several hours open without being logged out.

nortonandreev commented 4 months ago

> IMO 2 min would be very short, and annoying for the user. Just get inspiration from MetaMask. I think it can stay several hours open without being logged out.

Thank you for your valuable feedback!

I recognise that a duration as brief as two minutes may indeed be bothersome; however, extending the session timeout to several hours might not provide significant benefits either. This is due to our current session management strategy, which invalidates sessions upon tab closure or re-access. Given this, the likelihood of a session remaining active for several hours appears minimal, thus diminishing the potential advantages of such an extended timeout period.

nortonandreev commented 4 months ago

> Both the idle and absolute timeout values are highly dependent on how critical the web application and its data are. Common idle timeout ranges are 2-5 minutes for high-value applications and 15-30 minutes for low-risk applications. Absolute timeouts depend on how long a user usually uses the application.

Source: OWASP Cheat Sheet Series – Session Expiration
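The proposal above (auto-logout on inactivity that wipes the seed, with sync and transaction execution not counting as activity) and the OWASP idle/absolute distinction quoted here fit in one small piece of logic. The following is an added example, not code from the rusk web-wallet or its authors. It assumes the seed is held in a Uint8Array the guard owns, that the UI reports user interaction via `touch()`, and that background work is passed with `userInitiated: false`; the 3-minute and 8-hour values are illustrative, and the injectable clock exists only so the behaviour can be walked through deterministically.

```javascript
// Added example, not code from the rusk web-wallet: an idle + absolute session
// timeout that zeroes the in-memory seed when either limit is reached.
// Assumptions (not from the issue): the seed lives in a Uint8Array the guard
// owns, the UI reports user interaction via touch(), and background work such
// as syncing or broadcasting a queued transaction is flagged userInitiated:false.
class SessionGuard {
  constructor({ idleTimeoutMs, absoluteTimeoutMs, now = () => Date.now() }) {
    this.idleTimeoutMs = idleTimeoutMs;
    this.absoluteTimeoutMs = absoluteTimeoutMs;
    this.now = now; // injectable clock so the logic is testable without timers
    this.seed = null;
    this.startedAt = 0;
    this.lastUserActivity = 0;
  }

  isUnlocked() {
    return this.seed !== null;
  }

  // Called once the user has re-entered the mnemonic; takes ownership of the bytes.
  unlock(seedBytes) {
    if (!(seedBytes instanceof Uint8Array)) throw new TypeError("seed must be a Uint8Array");
    this.lock(); // never leave a previous seed behind
    this.seed = seedBytes;
    this.startedAt = this.lastUserActivity = this.now();
  }

  // Only genuine user interaction (clicks, keys, scroll) extends the idle window.
  touch() {
    if (this.isUnlocked()) this.lastUserActivity = this.now();
  }

  // Best-effort zeroization: overwrite the buffer, then drop the reference. The JS
  // runtime may still hold copies (e.g. from string conversions), so keep the seed
  // in typed arrays only and never turn it into a string.
  lock() {
    if (this.seed !== null) this.seed.fill(0);
    this.seed = null;
  }

  // Returns null while the session is valid, otherwise the reason it is not.
  // The absolute limit is checked first so an active user cannot extend it forever.
  check() {
    if (!this.isUnlocked()) return "locked";
    const t = this.now();
    if (t - this.startedAt >= this.absoluteTimeoutMs) { this.lock(); return "absolute-timeout"; }
    if (t - this.lastUserActivity >= this.idleTimeoutMs) { this.lock(); return "idle-timeout"; }
    return null;
  }

  // Every use of the seed goes through here: expiry is enforced at the point of
  // use, not only on a timer, and automatic operations do not count as activity.
  withSeed(fn, { userInitiated = false } = {}) {
    const reason = this.check();
    if (reason !== null) throw new Error(`session ${reason}`);
    if (userInitiated) this.touch();
    return fn(this.seed);
  }
}

// Browser wiring (not exercised below): interaction events feed touch(), and a
// 1 s tick catches expiry even if the user never returns to the tab.
function attachToBrowser(guard, win, onLock) {
  for (const ev of ["pointerdown", "keydown", "scroll", "focus"]) {
    win.addEventListener(ev, () => guard.touch(), { passive: true });
  }
  const timer = win.setInterval(() => {
    const reason = guard.check();
    if (reason !== null && reason !== "locked") onLock(reason);
  }, 1000);
  return () => win.clearInterval(timer);
}

// Deterministic walk-through with a fake clock and a constructed stand-in seed.
function runScenario() {
  let clock = 0; // fake time in ms
  const guard = new SessionGuard({
    idleTimeoutMs: 3 * 60_000,        // 3 min idle, inside OWASP's 2-5 min band
    absoluteTimeoutMs: 8 * 3_600_000, // 8 h hard cap regardless of activity
    now: () => clock,
  });
  const out = {};
  const seed = Uint8Array.from([1, 2, 3, 4]); // constructed sample, not a real seed
  guard.unlock(seed);

  clock += 2 * 60_000;                                          // t = 2 min, no user input
  out.afterTwoMin = guard.check();                              // null: inside idle window
  guard.withSeed(() => "synced", { userInitiated: false });     // background sync, no touch()
  clock += 90_000;                                              // t = 3.5 min since last user action
  out.afterSync = guard.check();                                // "idle-timeout": sync did not extend
  out.seedZeroed = seed.every((b) => b === 0);                  // true: buffer was wiped
  try { guard.withSeed(() => "tx", { userInitiated: true }); } catch (e) { out.useAfterLock = e.message; }

  guard.unlock(Uint8Array.from([5, 6, 7, 8]));                  // re-authenticated at t = 3.5 min
  clock += 2 * 60_000; guard.touch();                           // user clicks at t = 5.5 min
  clock += 2 * 60_000;                                          // t = 7.5 min, 2 min idle
  out.afterTouch = guard.check();                               // null: user activity extended it

  clock = 210_000 + 8 * 3_600_000 - 1_000;                      // 1 s before the absolute cap
  guard.touch();
  clock += 1_000;
  out.absolute = guard.check();                                 // "absolute-timeout" despite activity
  return out;
}
```

The two points worth taking from the scenario are that a wallet left syncing in the background still locks (sync goes through `withSeed` with `userInitiated: false`, so it never calls `touch()`), and that expiry is enforced on every use of the seed, not only by the UI tick, so a stale tab cannot sign after the window has passed. Zeroing the buffer is best-effort in JavaScript; the real guarantee is that the seed is dropped, not that no copy survives.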

paulo60pg commented 4 months ago

Having to unlock my wallet every 2 min is really going to make me not adopt the wallet. With no other solution yet I would just not use the chain. Security shouldn't prevent usability. You have to find the right balance. Thanks for the feedback :)