Expiring the Browser Extension login based on time

[Dave Bennie]

I would like to see it possible for the Browser Extension to timeout its login without having it tied to closing a browser window to increase security.

 

Reason being,  that my team opens and closes browser windows all the time,  meaning the extension will sign itself out regularly during the day.  This then means they need to go back to the tab with Passwordstate open (in a separate window that they keep open all day) and refresh that tab to get the browser extension working again.

 

Disabling the browser extension sign out on closing a window then introduces a security issue.  The browser extension will always have access to passwords without the need for the user to re-authenticate and 2FA, Forever unless the browser is left open and idle for the timeout period.  Which logging out or restarting the PC does not count as tomorrow or next week,  the browser extension will immediately have access to all password data again.

 

My suggestion would be that the browser extension is only alive as long as you have a logged in session to the Passwordstate website.
OR
The extension sets a maximum life time.  This life time would match the current idle timeout setting.  So,  if a user restarts their PC and goes home (for example overnight),  then when they start up the PC again the extension will have timed out if that time has elapsed.  Therefore needing them to log back in again.