Comment by jeroenhd

Needless to say, this is an ad for Tailscale. I hate these short-lived sessions myself, but there are oftenreasons why they're there.

The alternatives proposed are "just always check right before a sensitive action" and "use continuous verification". Both of which are much harder to pull off correctly than short-lived authentication sessions (unless you buy their product, of course, supposedly), especially on third-party services you don't control the source or manage the deployment for.

Oh, and of course, "just make everyone lock their screens". If only it was that easy. If basic rules like that worked, we could ditch half the security measures we have for websites. What's next, "just use unique passwords of 20+ characters for each website"?

Also, this is putting a lot of trust in solutions like Windows Hello. I can't speak for the security of Apple's implementation, but thanks to bad vendor implementations (including Microsoft's own!), Windows Hello hardware is full of security holes. At some point one company decided to take a look at a few of those devices [and found security problems in all of them](https://blackwinghq.com/blog/posts/a-touch-of-pwn-part-i/).

Short token longevity also protects against one use risk Tailscale have a solution for: users logging in to their personal accounts on public computers. That's still an essential use case for people without internet access or computer access at home. Often these people are more vulnerable (homeless, very poor) so relying on them clicking the "log out" button on every website they're forced to interact with is not going to work.

Kerberos (or buying what Tailscale sells) does offer a somewhat nicer authentication flow, but that still doesn't work reliably on every browser on every OS on every device and it requires people to follow basic rules like "lock your screen", which is a massive risk. Passwords will always work anywhere and their security can be somewhat enforced.