
I'm not really sure if this feature is a good security idea, but would it be good to allow a user to sign out of all other sessions? Or would this be a bad idea, because I see a good amount of pros, but there is one con that bothers me.

Pros:

  • Sign out of all other sessions to make sure your account hasn't been brute forced or pged.
  • Sign out of all other sessions because you left yourself logged in on a public computer.

Con:

  • Somebody gets into the account and signs out of all other sessions.
Anders
UnderMyWheel

2 Answers


Having the ability to terminate all sessions that exist for a certain account is a good idea, just as it is a good idea to have 'forget me everywhere' functionality.

A user's account should be associated with a single user. If this user wants to sign in on multiple devices, they should be able to do so. Just the same, they should be able to log themselves out on any and all devices they previously logged in on, if they choose to do so.

The benefit of this is that it would log out any sessions that still exist because the user forgot to log out (which is a real possibility, mainly with shared devices).

The idea that this functionality should not be implemented because it could be misused when an account is compromised, is a non-argument: if a person gains unauthorized access to an account, they can do a whole lot of bad things. Logging out any active sessions would be one of the least damaging ones, while at the same time having a fair chance of alerting the account owner of the fact that something is wrong (which is a good thing).

(The strength of the authentication scheme (1-factor vs multi-factor, as mentioned by some other answer to this question) has little to do with this.)

David Klempfner
Jacco
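One way to implement the "terminate all sessions for this account" feature the answer above describes, written as an added example for this page rather than taken from the original post or from any framework. It assumes sessions are stored server-side and that each user record carries a session epoch (a counter); the class, method and user names are hypothetical. The point it shows is that bumping the epoch revokes every outstanding session in one write, including sessions on devices the server never hears from again, while the session that asked for the sign-out is re-issued so the user stays logged in.

```python
import secrets
import time
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Session:
    sid: str
    user_id: str
    epoch: int      # the user's session epoch at the time this session was issued
    created: float


class SessionStore:
    """In-memory session store with per-user 'sign out everywhere'.

    Hypothetical helper for this example, not part of any framework.
    A session is valid only while its epoch equals the user's current
    epoch. Bumping the epoch therefore invalidates every session of
    that user at once, without having to find and delete each one.
    """

    def __init__(self) -> None:
        self._sessions: Dict[str, Session] = {}
        self._epochs: Dict[str, int] = {}
        # Stand-in for "e-mail the account owner"; the answer notes that a
        # forced sign-out has a fair chance of alerting the real owner.
        self.notifications: List[str] = []

    def login(self, user_id: str) -> str:
        """Issue a new session bound to the user's current epoch."""
        sid = secrets.token_urlsafe(32)
        epoch = self._epochs.setdefault(user_id, 0)
        self._sessions[sid] = Session(sid, user_id, epoch, time.time())
        return sid

    def authenticate(self, sid: str) -> Optional[str]:
        """Return the user id for a valid session, or None.

        A session whose epoch is stale was revoked by logout_everywhere;
        it is dropped here lazily the next time it is presented.
        """
        s = self._sessions.get(sid)
        if s is None or s.epoch != self._epochs.get(s.user_id):
            self._sessions.pop(sid, None)
            return None
        return s.user_id

    def active_sessions(self, user_id: str) -> int:
        """Count sessions that would still authenticate for this user."""
        epoch = self._epochs.get(user_id)
        return sum(1 for s in self._sessions.values()
                   if s.user_id == user_id and s.epoch == epoch)

    def logout_everywhere(self, current_sid: str) -> Tuple[str, int]:
        """Revoke all sessions of the caller's account except the caller's.

        Returns (new_sid, number_of_other_sessions_revoked). The caller's
        own session is re-issued under the new epoch so they stay signed
        in; the old sid is discarded so a copied cookie is useless.
        """
        user_id = self.authenticate(current_sid)
        if user_id is None:
            raise PermissionError("not authenticated")
        others = self.active_sessions(user_id) - 1
        # One write revokes everything issued under the old epoch, including
        # sessions on devices that never contact the server again.
        self._epochs[user_id] += 1
        del self._sessions[current_sid]
        new_sid = self.login(user_id)
        self.notifications.append(
            f"{user_id}: signed out of {others} other session(s)")
        return new_sid, others


if __name__ == "__main__":
    store = SessionStore()
    home = store.login("alice")          # constructed: alice's own laptop
    kiosk = store.login("alice")         # constructed: forgotten public computer
    new_home, revoked = store.logout_everywhere(home)
    print("revoked:", revoked, "kiosk still valid:", store.authenticate(kiosk))
```

The epoch check is what makes this safe against the forgotten shared computer: that browser still holds a cookie, but the cookie no longer authenticates, and the server never had to know the session existed on that device. In a real deployment the epoch lives on the user row and the check runs on every request, so the cost of a sign-out-everywhere is a single update rather than a scan of the session table.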

It highly depends on your authentication strength: if you're using a two-factor one, it's safe enough. Otherwise, if it's as weak as one-factor, the con you pointed out rids you of all of the benefits of this ability.

Alexey Vesnin
  • Since I use the email system to set up your account and verify it, would that get rid of the con and make it a beneficial ability? – UnderMyWheel May 12 '16 at 02:26
  • No, it won't. Add Google Authenticator, for example, and you will be just fine – Alexey Vesnin May 12 '16 at 02:46
  • Using email confirmation to sign in from a new device is not a terrible alternative to "real" two-factor. Many of the major players use it, and I don't see a problem with allowing multi-signout after such a confirmation. – Niels2000 May 12 '16 at 07:49
  • I don't think the authentication strength has anything to do with the ability to sign out of all sessions. Mostly because in a situation where an adversary is able to sign out all your sessions they are already logged in. – Black Magic May 12 '16 at 07:53
  • Call me old-fashioned, but the 2nd factor, a "something you have", is a very strong argument for verifying your identity. It's bloody easy to incorporate a Google Authenticator app nowadays, so let it be protected! The con pointed out by the question author was attempted against me when someone tried to hijack one of my social network profiles, so I was actually saved by this layer of security – Alexey Vesnin May 12 '16 at 12:56
  • @AlexeyVesnin, not everybody is all that happy about sharing their phone number with every other website. – Jacco May 12 '16 at 16:33
  • @Jacco to elaborate on the Google Authenticator app: you don't need a phone number at all; you can run it on a tablet with no SIM, and it works. – Alexey Vesnin May 12 '16 at 18:28