When should an application invoke re-authentication in addition to initial user authentication?
Correct Answer: C
An application should invoke re-authentication in addition to initial user authentication after a period of inactivity. Re-authentication is a process of verifying the identity or attributes of a user, device, or process that has already been authenticated, but needs to renew or confirm the authentication for a specific reason or purpose. Re-authentication can enhance the security and accountability of the application, by preventing unauthorized access or misuse of the application by someone other than the authenticated user, or by the authenticated user for an unintended or inappropriate purpose. Re-authentication can also help to comply with the security policies or regulations that mandate a certain frequency or duration of authentication. An application should invoke re-authentication after a period of inactivity, meaning that the user has not performed any action or activity on the application for a predefined amount of time, such as 15 minutes or 30 minutes. This can prevent the application from being accessed or manipulated by someone who gains physical or logical access to the user's device or session, while the user is away or distracted. An application should not invoke re-authentication at the application sign-off, periodically during a session, or for each business process, as these may not be necessary or effective for security, and may cause inconvenience or frustration to the user.
References:
* [Re-authentication]
* [Authentication]
* [Re-authentication: The Unsung Hero of SSO Security]