What gets me is that gmail login lasts...seemingly forever. And for most users, if their e-mail account were to get compromised, it's game over for everything they use, since so many services allow you to reset a password and possibly even remove 2FA with just e-mail verification.
What's even the attack scenario? Someone stealing a session token/cookie? If they can steal an expired one somehow, then there are good odds they could steal a current one, so the short session doesn't matter THAT much. I suppose another scenario is someone not logging out of their accounts on a public computer, but the type of person to do that likely uses "Password123!" as a password anyways.
> ... since so many services allow you to reset a password and possibly even remove 2FA with just e-mail verification.
What is insane is that so many services allow you to reset your password and even 2FA without requiring any cooldown. The level of fail here is plain staggering. I don't really have words.
There are proper services out there that will go out of their way to try to contact you, for example for 72 hours, before allowing any reset to happen. Some are going to say: "Wait, what!? 72 hours!? I need to reset my 2FA NOW". They don't realize, though, that what they're really saying is: "I want bad guys to be able to reset my password/2FA instantly and log me out of everything they can in a split second". It's convenience vs. security, once again.
As a side note, I've read about a database (in the EU) of SIM cards that records when they were swapped. As a bank, you can check that database and decide, for example, to refuse to let anyone change any setting if the SIM was swapped less than a week ago.
We need more people to think a bit about potential solutions instead of crying "but it's not convenient" and "bad guys shall find a way anyway".
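A sketch of the two mechanisms this comment describes, the 72-hour reset cooldown with an owner veto and the refusal to act on a recently swapped SIM, written as an added example and not taken from the thread or any real service. The clock and the SIM-swap registry lookup (`sim_last_swapped`) are hypothetical callables injected so the code runs offline; the outbox stands in for e-mail/SMS/push delivery.

```python
"""Delayed credential/2FA reset with a cooldown window and a SIM-swap recency check.

Constructed example. `now` and `sim_last_swapped` are hypothetical callables:
the first returns the current UTC time, the second maps a phone number to the
time its SIM was last swapped (or None), standing in for the registry lookup
mentioned in the thread.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Callable, Optional
import hmac
import secrets

RESET_COOLDOWN = timedelta(hours=72)      # window in which the real owner can veto the reset
SIM_SWAP_QUARANTINE = timedelta(days=7)   # refuse sensitive changes this soon after a SIM swap


@dataclass
class PendingReset:
    user_id: str
    reset_token: str        # proves the requester passed e-mail verification
    cancel_token: str       # sent to every known contact channel so the owner can veto
    requested_at: datetime
    cancelled: bool = False


class ResetPolicy:
    def __init__(self, now: Callable[[], datetime],
                 sim_last_swapped: Callable[[str], Optional[datetime]]):
        self._now = now
        self._sim_last_swapped = sim_last_swapped   # hypothetical registry lookup
        self._pending: dict[str, PendingReset] = {}
        self.outbox: list[tuple[str, str]] = []     # (user_id, message); stand-in for real delivery

    def request_reset(self, user_id: str) -> PendingReset:
        """Start a reset. Nothing changes yet; the owner is told on all channels and given a veto."""
        existing = self._pending.get(user_id)
        if existing is not None and not existing.cancelled:
            # A repeat request must neither restart nor shorten the clock.
            return existing
        pr = PendingReset(user_id, secrets.token_urlsafe(32), secrets.token_urlsafe(32), self._now())
        self._pending[user_id] = pr
        deadline = pr.requested_at + RESET_COOLDOWN
        self.outbox.append((user_id, f"reset requested; cancel with {pr.cancel_token} "
                                     f"before {deadline:%Y-%m-%d %H:%M}Z"))
        return pr

    def cancel_reset(self, user_id: str, cancel_token: str) -> bool:
        """Owner veto: any contact channel that received the cancel token can stop the reset."""
        pr = self._pending.get(user_id)
        if pr is None or pr.cancelled:
            return False
        if not hmac.compare_digest(pr.cancel_token, cancel_token):
            return False
        pr.cancelled = True
        self.outbox.append((user_id, "reset cancelled; someone else may know your e-mail password"))
        return True

    def complete_reset(self, user_id: str, reset_token: str,
                       msisdn: Optional[str] = None) -> str:
        """Return 'ok' when the reset may proceed, otherwise a short reason why not."""
        pr = self._pending.get(user_id)
        if pr is None or not hmac.compare_digest(pr.reset_token, reset_token):
            return "no_such_request"
        if pr.cancelled:
            return "cancelled"
        remaining = pr.requested_at + RESET_COOLDOWN - self._now()
        if remaining > timedelta(0):
            return f"cooldown:{int(remaining.total_seconds())}s"
        if msisdn is not None:
            swapped = self._sim_last_swapped(msisdn)
            if swapped is not None and self._now() - swapped < SIM_SWAP_QUARANTINE:
                return "recent_sim_swap"
        del self._pending[user_id]   # single use: the token cannot be replayed
        return "ok"
```

The point of separating `cancel_token` from `reset_token` is that the veto goes to every contact channel the account has (old e-mail, phone, push), not only to the one the attacker already controls, so an attacker who holds the mailbox still has to wait out the window without the owner noticing.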