159 votes
Adam Spiers supported this idea ·
I'm afraid that fixing the session automatic expiry to 60 minutes is a very unsatisfactory decision by your product team. Incredible to see that these complaints have been going for years and are still not addressed.
It is incorrect to assume that every user of Xero has exactly the same security requirements. For example, I only use it at home as a single user, where no one else has access to the computer, so it's plenty secure even if it stays logged in for days. In contrast, in an open office then of course security is a much more sensitive concern.
Why do you think that Gmail lets people stay logged in for days or even weeks? And email is far more sensitive than an accounting platform, because (unless two-factor authentication is used) any attacker can click a "Forgot password" button and then a recovery link is sent to the owner's email account, which can let the attacker into the recovered account.
It should be up to users to decide what level of security they need, rather than a blanket decision by a product team. By all means impose a maximum session length of a week if you must, but 1 hour is ridiculous.