
I don't think my argument has changed a whit - Short sessions cause more pain than they solve. They are a bad security tool for almost all products.

Arguing that short sessions are bad is not the same as arguing that rotation never has its place. Rotation can provide some benefits.

My argument is that EXCESSIVE rotation (aka: short sessions, the whole freaking conversation) is folly.

It's a bad decision usually implemented without thought or understanding (it's on the checklist...), which has a high cost to users, and actively degrades the product.

In return for the costs of short sessions, what are you proposing that your users gain?

Because personally, logging in every 15 minutes for the rest of my life is a god damn travesty of an exchange to make to cover me on the one case where my laptop goes missing. Especially since that's not a very common vector for account theft. It's SO much more likely someone just calls the help center and claims to be me and gets in just fine.


