I'd like to see better time controls than TrustDeviceExpireDays currently offers.
Use Case: While a lot goes into ensuring our staff's devices do not get compromised, it could be a matter of time. If an attacker took control of a PC here with saved credentials in the browser, and it was within 1 day, 2FA wouldn't prompt.
Sure, you could set TrustDeviceExpireDays to 0, but now I feel I'd be annoying staff with that alone, combined with MaxLongestTicketReissueIntervalSeconds.
Ideally, I'd like something like "a few hours" for MaxLongestTicketReissueIntervalSeconds, but maybe 9 hours for TrustDeviceExpireDays (obviously, pretending the word "Days" isn't there). This would force users to re-authenticate after a few hours idle, but not necessarily have to use 2FA, making the assumption with the times I provided above that the user is still working his/her shift.
It's not a perfect idea, but it's an improvement over MaxLongestTicketReissueIntervalSeconds = 7200 and TrustDeviceExpireDays = 0.
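To make the trade-off in the request above concrete, here is an added illustration (not code from the original post, and not the product's own implementation) of the two-timer policy it describes: a ticket reissue interval that forces a password prompt after idle time, and a separate device-trust lifetime, measured in hours rather than days, that decides whether that prompt also requires 2FA. The `Policy`, `SessionState` and `auth_requirements` names are hypothetical, the "few hours" reissue interval is assumed to be 2 hours (the 7200 seconds the post mentions), and the "default-like" policy is an assumption standing in for a 1-day trust lifetime; the timeline (2FA login at the start of a shift, attacker using the saved browser password 6 hours after the last activity) is constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional, Tuple


@dataclass(frozen=True)
class Policy:
    """Two independent timers, analogous to the settings named in the post.

    reissue_interval: how long a ticket may sit idle before the user must
        re-enter a password (MaxLongestTicketReissueIntervalSeconds).
    trust_lifetime: how long a device stays trusted after a successful 2FA
        (TrustDeviceExpireDays, but expressed in hours here).
    """
    reissue_interval: timedelta
    trust_lifetime: timedelta


@dataclass(frozen=True)
class SessionState:
    last_reissue: datetime                 # last time the ticket was (re)issued
    trust_established: Optional[datetime]  # last time 2FA succeeded on this device


def auth_requirements(policy: Policy, state: SessionState, now: datetime) -> Tuple[bool, bool]:
    """Return (need_password, need_2fa) for a request arriving at `now`.

    A password is required once the ticket has been idle longer than the
    reissue interval. 2FA is only evaluated as part of that re-authentication,
    and is skipped while the device is still inside its trust lifetime.
    """
    need_password = now - state.last_reissue > policy.reissue_interval
    device_trusted = (
        state.trust_established is not None
        and now - state.trust_established <= policy.trust_lifetime
    )
    need_2fa = need_password and not device_trusted
    return need_password, need_2fa


# Hypothetical policies for comparison (assumptions, not product defaults).
DEFAULT_LIKE = Policy(reissue_interval=timedelta(hours=2), trust_lifetime=timedelta(days=1))
STRICT = Policy(reissue_interval=timedelta(hours=2), trust_lifetime=timedelta(0))
PROPOSED = Policy(reissue_interval=timedelta(hours=2), trust_lifetime=timedelta(hours=9))


def check(policy: Policy, idle_hours: float, hours_since_2fa: float) -> Tuple[bool, bool]:
    """Evaluate a constructed request: ticket idle for `idle_hours`,
    device last passed 2FA `hours_since_2fa` ago."""
    now = datetime(2024, 1, 1, 23, 0)  # constructed reference time
    state = SessionState(
        last_reissue=now - timedelta(hours=idle_hours),
        trust_established=now - timedelta(hours=hours_since_2fa),
    )
    return auth_requirements(policy, state, now)


if __name__ == "__main__":
    # Attacker scenario: user did 2FA at 08:00, stopped working at 17:00,
    # attacker sits down at 23:00 with the browser's saved password.
    for name, policy in (("default-like", DEFAULT_LIKE), ("strict", STRICT), ("proposed", PROPOSED)):
        print(name, "attacker at 23:00 ->", check(policy, idle_hours=6, hours_since_2fa=15))
    # Mid-shift scenario: user returns from a 3-hour meeting 4 hours after login.
    for name, policy in (("strict", STRICT), ("proposed", PROPOSED)):
        print(name, "mid-shift return ->", check(policy, idle_hours=3, hours_since_2fa=4))
```

With the default-like policy the attacker is asked only for the password, which the browser supplies; the strict and proposed policies both demand 2FA in that scenario. The difference shows up mid-shift: the strict policy prompts for 2FA after every idle gap, while the proposed one asks only for the password as long as the device's 9-hour trust window has not elapsed.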