What is a reasonable timeframe that should be defined and enforced for access token expiry to reduce the risk of unauthorised access?

Question

What is a reasonable timeframe that should be defined and enforced for access token expiry to reduce the risk of unauthorized access?

Answer 1

Totally depends on the service you're providing, if it's something to consult data you might make it 5~15mins and if it's something like authorizations, transactions quick stuff, it might be reduced from 5~2mins

Usually financial institutions require a max lifespan of sessions and such and it goes below 15minutes or something like that.

Some context of what you're trying to secure might give more insight at answering this question

Answer 2

Session timeout should be set as short as possible without compromising functional requirements.

A session timeout of 0 would be most secure (assuming it doesn't create some other kind of exposure, e.g. make it easier to steal credentials), but is usually unacceptable in terms of user functionality.

A timeout of a few minutes would be nearly as secure, but still wouldn't be very user-friendly, as the user would be constantly seeing timeout warnings.

Financial institutions will typically set their session timeout between 10-30 minutes, depending on how they feel their user base will accept it. The NIST guideline is 30 minutes or less (see section 4.2.3).

That all being said, there are cases where sessions are kept even longer, but sensitive transactions require some form of reauthentication. For example, credit card apps may keep a session token alive for 30 days that allows the user to see their balance and their last five transactions. But if they wanted to change their mailing address, request a cash advance, or do anything more useful to a hacker, they will have to reauthenticate.