Currently, the login timeout is fully tied to 2FA.
It is much more common these days with apps and services that you only have to use 2FA once every XX days. Or even add a checkbox on the login screen to "remember device".
Now, after the set minutes in Settings>Security have passed, not only is the user logged out, the device is also not remembered. The user needs to log in with 2FA.
This means logging in always requires 2FA instead of only requiring it on:
- Unknown devices
- Devices that have not been "seen" for 30 days (a user has not logged in to that device in a while).
I would like to suggest adding these features to expand the current timeout option.
The workaround is to set the timeout to 0 completely. But I would consider that less secure. Maybe I am wrong?