We recently moved our Office 365 tenant under our parent company's management, which has a much stricter cybersecurity policy. Now, our executives are frustrated that they have to log into their email, calendar, and Teams app on their phones every week. I've heard this was a compromise because the standard is supposed to be every single day, whereas my privileged account requires a daily login. Is it common for companies to require daily logins on mobile devices? I'm worried that the constant MFA prompts are leading to 'MFA fatigue,' where users just accept any prompt they see without thinking.
5 Answers
It sounds like whoever set that policy didn't do their homework. Generally, the default token lifetime is around 90 days, so requiring a login every week isn't the norm. It might even create more problems, like users just approving prompts without a second thought, which defeats the purpose of security entirely.
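One way to check what is actually enforced before arguing about norms is to audit the tenant's Conditional Access policies for sign-in frequency settings. The script below is an added example, not code from the thread or from Microsoft; it assumes the Microsoft Graph PowerShell SDK (`Get-MgIdentityConditionalAccessPolicy`, requiring the `Policy.Read.All` scope) for live use, and runs offline as written against a constructed sample of policies shaped like the objects Graph returns. The threshold of 7 days and the platform names `iOS`/`android` are assumptions chosen to match the situation in the question.

```powershell
# Added example (not from the original thread): find enabled Conditional Access
# policies that impose a sign-in frequency on mobile platforms and flag those at
# or below a threshold. Live use (assumed Graph SDK cmdlets and scope):
#   Connect-MgGraph -Scopes 'Policy.Read.All'
#   $policies = Get-MgIdentityConditionalAccessPolicy -All
# The $policies block at the bottom is a constructed sample in that shape.

function Get-SignInFrequencyHours {
    # Normalise the signInFrequency session control to hours; $null = not enforced.
    param($SignInFrequency)
    if (-not $SignInFrequency -or -not $SignInFrequency.IsEnabled) { return $null }
    if ($SignInFrequency.FrequencyInterval -eq 'everyTime') { return 0 }   # re-auth on every sign-in
    switch ($SignInFrequency.Type) {
        'hours' { return [int]$SignInFrequency.Value }
        'days'  { return [int]$SignInFrequency.Value * 24 }
        default { return $null }
    }
}

function Find-AggressiveSignInPolicy {
    param(
        [Parameter(Mandatory)] $Policies,
        [int]$ThresholdDays = 7,                       # assumed: "weekly or tighter" is what we care about
        [string[]]$MobilePlatforms = @('iOS', 'android')
    )
    foreach ($p in $Policies) {
        if ($p.State -ne 'enabled') { continue }       # report-only/disabled policies prompt nobody
        $hours = Get-SignInFrequencyHours $p.SessionControls.SignInFrequency
        if ($null -eq $hours) { continue }

        # An absent platform condition or 'all' means every platform, mobile included.
        $include = @(@($p.Conditions.Platforms.IncludePlatforms) | Where-Object { $_ })
        $exclude = @(@($p.Conditions.Platforms.ExcludePlatforms) | Where-Object { $_ })
        $mobileInScope = @($MobilePlatforms | Where-Object {
            ($include.Count -eq 0 -or $include -contains 'all' -or $include -contains $_) -and
            ($exclude -notcontains $_)
        })
        if ($mobileInScope.Count -eq 0) { continue }

        [pscustomobject]@{
            Policy         = $p.DisplayName
            FrequencyHours = $hours
            MobilePlatforms = ($mobileInScope -join ',')
            AtOrBelowThreshold = ($hours -le ($ThresholdDays * 24))
        }
    }
}

# Constructed sample policies (not real tenant data) in the Graph object shape.
$policies = @(
    [pscustomobject]@{
        DisplayName     = 'Sample: weekly re-auth on mobile'
        State           = 'enabled'
        Conditions      = [pscustomobject]@{
            Platforms = [pscustomobject]@{ IncludePlatforms = @('iOS', 'android'); ExcludePlatforms = @() }
        }
        SessionControls = [pscustomobject]@{
            SignInFrequency = [pscustomobject]@{ IsEnabled = $true; Type = 'days'; Value = 7; FrequencyInterval = 'timeBased' }
        }
    },
    [pscustomobject]@{
        DisplayName     = 'Sample: privileged roles re-auth every time'
        State           = 'enabled'
        Conditions      = [pscustomobject]@{ Platforms = $null }
        SessionControls = [pscustomobject]@{
            SignInFrequency = [pscustomobject]@{ IsEnabled = $true; FrequencyInterval = 'everyTime' }
        }
    },
    [pscustomobject]@{
        DisplayName     = 'Sample: 1-day frequency, report-only'
        State           = 'enabledForReportingButNotEnforced'
        Conditions      = [pscustomobject]@{
            Platforms = [pscustomobject]@{ IncludePlatforms = @('all'); ExcludePlatforms = @() }
        }
        SessionControls = [pscustomobject]@{
            SignInFrequency = [pscustomobject]@{ IsEnabled = $true; Type = 'days'; Value = 1; FrequencyInterval = 'timeBased' }
        }
    }
)

Find-AggressiveSignInPolicy -Policies $policies | Format-Table -AutoSize
```

Against the sample, the report-only policy is skipped and the two enforced ones are listed with their frequency in hours, so you can see exactly which policy is generating the weekly prompts and whether it is the one intended for privileged accounts rather than for everyone's phones.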
Have you thought about using Microsoft Authenticator? If they store their passkeys there, needing a fingerprint to log in once a week isn't too bad. Plus, since it's a passkey, it's less susceptible to phishing.
Yeah, I agree. Typically, when users sign in for the first time on a device, they shouldn't have to re-authenticate unless they're flagged as risky. It seems like overkill to enforce daily logins in that scenario.
No way, that's definitely not standard practice. Most modern cybersecurity frameworks don't recommend arbitrary re-authentication frequencies due to the potential fatigue and security risks you mentioned.
Honestly, that's not a real security measure; it's more like security theater. If the devices are managed, there's usually no need for users to constantly log back in. It just encourages them to store passwords on their devices for convenience.