Comment by notfed

2 days ago

Here's 2 or 3 cents:

- Websites should (in agreement with TFA) just remain logged in (at least for 24 hours). Let the OS handle it.

- Public computers should only ever provide ephemeral login sessions. Everything cleared upon each login. Never persist anything to disk.

- Personal computers should reauth frequently, but should use adaptive authentication: i.e., password sometimes, and pin/fingerprint other times, where reasonable. Since "reasonable" is debatable, this should be configurable by the user at the OS level.