After a period of inactivity in an application, the user session should be locked and require re-authentication.
Activity in another application from the same identity provider may be considered continued activity.
Specification
Depending on the security level of the IT system, the maximum session duration is as follows:
- Low: 30 days
- Medium: 1 day
- High: 8 hours
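The two rules above (lock after inactivity, hard limit on total session lifetime) as an added illustration, not part of the specification. The idle timeout value, the "active/locked/expired" states and the field names are assumptions; the specification only gives the maximum durations per level.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Maximum absolute session lifetime per security level, as given in the specification.
MAX_SESSION_LIFETIME = {
    "low": timedelta(days=30),
    "medium": timedelta(days=1),
    "high": timedelta(hours=8),
}

# Assumed idle timeout before the session is locked; the specification sets no value for it.
IDLE_TIMEOUT = timedelta(minutes=15)


@dataclass
class Session:
    level: str
    authenticated_at: datetime                 # moment of the last successful authentication
    last_local_activity: datetime              # last request seen by this application
    last_idp_activity: Optional[datetime] = None  # last activity reported by the identity provider


def session_state(session: Session, now: datetime) -> str:
    """Return 'active', 'locked' (re-authentication required) or 'expired' (lifetime exceeded)."""
    lifetime = MAX_SESSION_LIFETIME[session.level.lower()]
    # The absolute lifetime counts from authentication; activity never extends it.
    if now - session.authenticated_at >= lifetime:
        return "expired"
    # Activity in another application behind the same identity provider counts as activity here.
    candidates = [session.last_local_activity]
    if session.last_idp_activity is not None:
        candidates.append(session.last_idp_activity)
    if now - max(candidates) >= IDLE_TIMEOUT:
        return "locked"
    return "active"


def demo() -> list:
    """Constructed scenarios: idle locally, kept alive via the IdP, past the 'high' limit, within 'low'."""
    now = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
    h, m = timedelta(hours=1), timedelta(minutes=1)
    scenarios = [
        Session("high", now - 7 * h, now - 20 * m),                 # idle 20 min -> locked
        Session("high", now - 7 * h, now - 20 * m, now - 5 * m),    # IdP activity 5 min ago -> active
        Session("high", now - 9 * h, now - 1 * m),                  # 9 h since authentication -> expired
        Session("low", now - 9 * h, now - 1 * m),                   # 9 h is fine at level low -> active
    ]
    return [session_state(s, now) for s in scenarios]
```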
ISO 27001 & 27002:2022: A5.3, A5.8, A5.15, A5.16, A5.17, A5.18, A8.3
SURF toetsingskader informatiebeveiliging (SURF information security assessment framework, NBA maturity model): SM.02 Authentication mechanisms