Session Timeout: Automatic Session Timeout

Last updated: 2/9/2026
Reading time: 4 min

Session Timeout

security

Full Name: Automatic Session Timeout

Definition

Session Timeout is a security mechanism that automatically terminates an authenticated user session after a specified period of inactivity (idle timeout) or after a maximum absolute duration (absolute timeout), requiring the user to re-authenticate before performing further actions. In the EUDI Wallet ecosystem, session timeouts are a critical defense against unauthorized access to identity credentials and serve as a fundamental component of the wallet's security architecture. The EUDI Wallet implements timeouts at three levels: the wallet application session (governing how long the wallet remains unlocked), the ephemeral credential presentation session (governing the maximum duration of a single verification transaction), and the guidance provided to relying parties for managing sessions established through wallet-based authentication. Properly configured session timeouts balance security (minimizing the window of exposure if a device is lost or left unattended) with usability (avoiding excessive re-authentication that frustrates users and discourages wallet adoption).

Types of Session Timeouts in the EUDI Wallet

The EUDI Wallet implements two primary types of timeouts. The idle (inactivity) timeout triggers when the user has not interacted with the wallet for a specified duration, typically 2 to 5 minutes. This addresses the scenario where a user unlocks their wallet, becomes distracted, and leaves their device accessible to others. The absolute (maximum) timeout triggers after a fixed duration regardless of user activity, typically 15 to 30 minutes, ensuring that even active sessions are periodically re-authenticated to confirm the legitimate user is still in control.

Credential presentation sessions have much shorter timeouts, typically 30 to 120 seconds. If a QR code-based verification session is not completed within this window, the session expires and a new one must be initiated. This limits the window in which stale session data, such as a session identifier copied from a displayed QR code, could be reused, and keeps the ephemeral cryptographic keys used for the session short-lived. Proximity sessions over BLE use shorter timeouts still, as they are designed to complete within seconds.

The EUDI Wallet also responds to system-level events that indicate the device may no longer be in the user's control. Pressing the device power button, switching to another app, receiving a device lock signal, or off-body detection (on devices that support it) all terminate the session immediately. These event-based triggers complement the time-based timeouts: a device that leaves the user's hands is locked at once rather than when the idle timer next expires.
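The three mechanisms above (idle timer, absolute timer, event-driven lock) and the short-lived presentation session can be modelled in a few dozen lines. The block below is an added example written for this page; it is not code from the EUDI Wallet reference implementation. The timeout values, the event names and the 32-byte "ephemeral key" are assumptions chosen to sit inside the ranges the text cites; time is injected as seconds from a monotonic clock so the logic runs deterministically offline.

```python
"""Wallet session timeouts: idle, absolute and event-driven lock, plus a
short-lived presentation session (added example, not EUDI Wallet code)."""
import secrets
from dataclasses import dataclass, field
from enum import Enum


class LockReason(Enum):
    NONE = "unlocked"
    IDLE_TIMEOUT = "idle timeout"
    ABSOLUTE_TIMEOUT = "absolute timeout"
    DEVICE_EVENT = "device event"


# Events that signal the device may have left the user's control (assumed names).
LOCK_EVENTS = {"power_button", "app_backgrounded", "device_locked", "off_body"}


@dataclass
class TimeoutPolicy:
    idle_seconds: int = 180       # assumption: 3 min, inside the 2-5 min range above
    absolute_seconds: int = 1200  # assumption: 20 min, inside the 15-30 min range


@dataclass
class WalletSession:
    policy: TimeoutPolicy
    unlocked_at: float
    last_activity: float = field(init=False)
    lock_reason: LockReason = LockReason.NONE

    def __post_init__(self) -> None:
        self.last_activity = self.unlocked_at

    def check(self, now: float) -> LockReason:
        """Evaluate both timers; once locked, the session stays locked."""
        if self.lock_reason is not LockReason.NONE:
            return self.lock_reason
        # The absolute timer counts from unlock and is never extended by activity;
        # it is checked first so that steady activity cannot mask an expired session.
        if now - self.unlocked_at >= self.policy.absolute_seconds:
            self.lock_reason = LockReason.ABSOLUTE_TIMEOUT
        elif now - self.last_activity >= self.policy.idle_seconds:
            self.lock_reason = LockReason.IDLE_TIMEOUT
        return self.lock_reason

    def touch(self, now: float) -> bool:
        """Record user interaction. Returns False if the session already expired."""
        if self.check(now) is not LockReason.NONE:
            return False
        self.last_activity = now
        return True

    def on_device_event(self, event: str) -> None:
        """Lock immediately on a loss-of-control event, without waiting for a timer."""
        if event in LOCK_EVENTS:
            self.lock_reason = LockReason.DEVICE_EVENT


@dataclass
class PresentationSession:
    """One verification transaction (QR or BLE); its key material dies with it."""
    started_at: float
    ttl_seconds: int
    ephemeral_key: bytes  # constructed stand-in for real per-session key material
    completed: bool = False

    def is_live(self, now: float) -> bool:
        return not self.completed and now - self.started_at < self.ttl_seconds

    def complete(self, now: float) -> None:
        if not self.is_live(now):
            raise TimeoutError("presentation session expired; start a new one")
        self.completed = True
        self.ephemeral_key = b""  # discard key material as soon as the transaction ends


def demo() -> dict:
    """Exercise the timers and return the observed outcomes."""
    policy = TimeoutPolicy()
    idle = WalletSession(policy, unlocked_at=0.0)
    idle.touch(100.0)
    out = {"still_unlocked_at_250": idle.touch(250.0)}  # 150 s idle < 180 s
    out["idle_at_500"] = idle.check(500.0)              # 250 s idle -> IDLE_TIMEOUT
    busy = WalletSession(policy, unlocked_at=0.0)
    for t in range(100, 1300, 100):                     # activity every 100 s
        busy.touch(float(t))
    out["busy_at_1200"] = busy.lock_reason              # ABSOLUTE_TIMEOUT despite activity
    pocketed = WalletSession(policy, unlocked_at=0.0)
    pocketed.on_device_event("power_button")
    out["after_event"] = pocketed.check(1.0)            # DEVICE_EVENT
    qr = PresentationSession(0.0, 90, secrets.token_bytes(32))  # assumed 90 s QR window
    out["qr_live_at_60"] = qr.is_live(60.0)
    out["qr_live_at_90"] = qr.is_live(90.0)
    return out
```

The order of checks in `check()` is the point worth copying: the absolute timer is tested before the idle timer and is measured from `unlocked_at`, which `touch()` never updates, so a session that is kept busy still expires at the absolute limit.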

Risk-Based Timeout Policies

The EUDI Wallet Architecture Reference Framework supports risk-based timeout policies that adjust the timeout duration based on the sensitivity of the operation being performed. Low-sensitivity operations such as viewing the list of stored credentials or browsing wallet settings may use the standard inactivity timeout. Medium-sensitivity operations such as presenting credentials to a retail service may require re-authentication if the wallet has been idle for more than a minute. High-sensitivity operations such as presenting national identity credentials to government services, signing legal documents, or authorizing financial transactions may require fresh biometric authentication regardless of when the wallet was last unlocked.

This tiered approach is implemented through the EUDI Wallet's authentication level management. When a user authenticates via biometrics, the wallet records the authentication timestamp and the authentication strength. Subsequent operations check whether the authentication is recent enough and strong enough for the requested operation's security level. A credential issuer or verifier can specify the maximum acceptable age of the authentication event in their credential request, effectively requiring fresh authentication for sensitive operations.
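The freshness check described in the two paragraphs above can be written as a single decision function over the recorded authentication event. The block below is an added example for this page, not the EUDI Wallet's own authentication level management. The three tiers, the per-tier maximum ages (300 s, 60 s and 10 s), the strength ordering (PIN below device biometric) and the parameter names are assumptions; the one design rule it enforces is that a verifier's request can tighten the wallet's own policy but never loosen it.

```python
"""Authentication freshness and strength check for a requested wallet operation
(added example; tier values and strength ordering are assumptions)."""
from dataclasses import dataclass
from enum import IntEnum
from typing import Optional


class AuthStrength(IntEnum):
    """Ordered so a higher value satisfies any lower requirement (assumption)."""
    NONE = 0
    PIN = 1
    BIOMETRIC = 2


class Sensitivity(IntEnum):
    LOW = 0      # browsing stored credentials, wallet settings
    MEDIUM = 1   # presenting to a retail service
    HIGH = 2     # national ID to government, legal signature, payment


# Assumed per-tier policy: (minimum strength, maximum age of the auth event in seconds).
TIER_POLICY = {
    Sensitivity.LOW: (AuthStrength.PIN, 300),        # standard inactivity window
    Sensitivity.MEDIUM: (AuthStrength.PIN, 60),      # stale after a minute idle
    Sensitivity.HIGH: (AuthStrength.BIOMETRIC, 10),  # biometric captured in this interaction
}


@dataclass(frozen=True)
class AuthEvent:
    strength: AuthStrength
    at: float  # seconds on a monotonic clock when the user authenticated


@dataclass(frozen=True)
class Decision:
    allowed: bool
    required_strength: AuthStrength
    reason: str


def evaluate(
    sensitivity: Sensitivity,
    last_auth: Optional[AuthEvent],
    now: float,
    verifier_max_age: Optional[int] = None,
    verifier_min_strength: Optional[AuthStrength] = None,
) -> Decision:
    """Decide whether the recorded authentication is recent and strong enough.

    The wallet tier sets the ceiling; a verifier's request may only tighten it
    (shorter maximum age, stronger factor), never loosen it.
    """
    min_strength, max_age = TIER_POLICY[sensitivity]
    if verifier_min_strength is not None:
        min_strength = max(min_strength, verifier_min_strength)
    if verifier_max_age is not None:
        max_age = min(max_age, verifier_max_age)
    if last_auth is None:
        return Decision(False, min_strength, "no authentication on record")
    age = now - last_auth.at
    if age < 0:
        # A future-dated event means the clock moved; treat it as stale, never as fresh.
        return Decision(False, min_strength, "authentication timestamp is in the future")
    if last_auth.strength < min_strength:
        return Decision(False, min_strength,
                        f"{last_auth.strength.name} is weaker than required {min_strength.name}")
    if age > max_age:
        return Decision(False, min_strength,
                        f"authentication is {age:.0f}s old, limit is {max_age}s")
    return Decision(True, min_strength, "fresh and strong enough")
```

Call `evaluate()` immediately before performing the operation and act on the returned `required_strength` to drive the re-authentication prompt; a decision computed earlier and cached can be invalidated by an idle timeout in between. The verifier-supplied maximum age plays the same role as the `max_age` request parameter and `auth_time` claim in OpenID Connect, which is a useful mental model when mapping this onto a relying party's request.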

The NIST Digital Identity Guidelines (SP 800-63B) provide a reference framework for session timeout policies that the EUDI Wallet draws upon. For Authenticator Assurance Level 2 (AAL2), NIST requires re-authentication after 30 minutes of inactivity or 12 hours of absolute session time; for AAL3 the limits are 15 minutes of inactivity and 12 hours absolute, and re-authentication must use both authentication factors. These figures are upper bounds on session length, not minimums. The EUDI Wallet typically adopts tighter timeouts, given the sensitivity of the credentials it protects and the higher risk of physical loss on a mobile device.

User Experience Considerations

Session timeout design must carefully balance security with user experience. Timeouts that are too aggressive frustrate users and can lead to wallet abandonment, while timeouts that are too generous create unacceptable security risks. The EUDI Wallet addresses this tension through several UX design principles. First, the re-authentication process is fast and smooth, using biometric authentication (fingerprint or face recognition) that completes in under a second, minimizing the friction of frequent re-authentication.

Second, the wallet provides clear visual feedback about session status. A countdown indicator or session status icon shows users when their session is approaching timeout, allowing them to complete in-progress actions before re-authentication is required. When a timeout occurs, the wallet displays a clear, non-alarming message explaining that re-authentication is needed for security, avoiding confusion about why the wallet has locked.

Third, the wallet preserves user context across timeout-triggered re-authentication events. If a user was in the middle of reviewing a credential presentation request when the timeout occurs, re-authenticating returns them to exactly where they left off rather than sending them back to the wallet home screen. This context preservation reduces the friction of frequent timeouts while maintaining the security benefits of periodic re-authentication.


⚠️ Independent Information

This website is NOT affiliated with the European Commission or any EU government. We provide independent, easy-to-understand information about EUDI.