Hacker News

My main business is running a YouTube network so I'm signed into about 10 accounts in one browser session. Merely to maintain my channels. All passwords are 16-character random strings with two-factor authentication enabled. So if I'd let my browser "forget everything on close" as you mention, that'd take even longer every morning to sign in to all these accounts.

Opening up my password manager on my phone, then writing the 16-char password, then entering the two-factor auth code takes about a minute for each account. So that's 10 minutes to sign in to all those accounts. A bit too much for me to start my day with :)

Then there's my personal email, my work email, my web server logins etc.

It all adds up, so I'd rather save the sessions.

But I agree, there's definitely space for some digital minimalism here :)




Well, I never thought it made much sense, but: What's the point of "two-factor", when the second factor isn't actually ever required? I mean, what is "two factor" about that setup?


Good point. Two-factor auth is required on any other browser session or device without the session cookie. It's also reset every 30 days, so you'll have to re-enter it even if you still have a session running.


Well, the first factor presumably is also required in order to get a new session cookie, so what's the point of the second factor there? And if someone breaks into your system, they'll have both your password and your session cookie, so they don't need the second factor either (well, except after 30 days after you have reinstalled your system, which I would think is plenty of time to abuse your account).

Really, IMO two-factor authentication only makes sense where a separate challenge-response round is required for each transaction, so a replay of stolen credentials is impossible - as it's usually done with online banking. And against burglars, you can protect your cookies as well as your passwords by encrypting the disk contents. Just be aware of cold boot and DMA attacks, and possibly evil maid attacks.
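The distinction drawn in the comment above (a replayable session cookie versus a per-transaction challenge-response) as a small simulation. This is an added example, not code from the thread or from any of the services mentioned; the `Server` class, the shared second-factor secret and the user name are constructed for illustration, and the HMAC-over-nonce scheme stands in for whatever a real bank token actually computes.

```python
import hashlib
import hmac
import secrets


class Server:
    """Toy server offering two ways to authorise an action (constructed for this example)."""

    def __init__(self):
        self.sessions = {}                                  # bearer cookie -> user
        self.secrets = {"alice": b"constructed-second-factor-secret"}  # per-user shared secret
        self.challenges = {}                                # (user, nonce) -> unused flag

    # --- Model 1: long-lived bearer cookie (what a browser stores) ---
    def login(self, user):
        cookie = secrets.token_hex(16)
        self.sessions[cookie] = user
        return cookie

    def act_with_cookie(self, cookie):
        # Anyone presenting the cookie is accepted; nothing ties it to the legitimate client.
        return cookie in self.sessions

    def change_password(self, user):
        # Revoking sessions on password change needs no second factor at all.
        self.sessions = {c: u for c, u in self.sessions.items() if u != user}

    # --- Model 2: fresh challenge for every transaction ---
    def issue_challenge(self, user):
        nonce = secrets.token_bytes(16)
        self.challenges[(user, nonce)] = True
        return nonce

    def act_with_response(self, user, nonce, response):
        # A nonce is consumed on first use, so a captured (nonce, response) pair is useless later.
        if not self.challenges.pop((user, nonce), False):
            return False
        expected = hmac.new(self.secrets[user], nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def client_respond(secret, nonce):
    """What the second-factor device computes: an HMAC over the server's nonce."""
    return hmac.new(secret, nonce, hashlib.sha256).digest()


def demo():
    srv = Server()

    # Bearer cookie: a copy taken from disk keeps working until revoked.
    cookie = srv.login("alice")
    stolen_cookie = cookie
    bearer_replay_ok = srv.act_with_cookie(stolen_cookie)
    srv.change_password("alice")
    bearer_after_revoke_ok = srv.act_with_cookie(stolen_cookie)

    # Challenge-response: observing one transaction gives the attacker nothing reusable.
    nonce = srv.issue_challenge("alice")
    response = client_respond(srv.secrets["alice"], nonce)
    first_use_ok = srv.act_with_response("alice", nonce, response)
    replay_ok = srv.act_with_response("alice", nonce, response)

    # Without the shared secret, a fresh challenge cannot be answered either.
    fresh_nonce = srv.issue_challenge("alice")
    forged_ok = srv.act_with_response("alice", fresh_nonce, b"\x00" * 32)

    return {
        "bearer_replay_ok": bearer_replay_ok,
        "bearer_after_revoke_ok": bearer_after_revoke_ok,
        "first_use_ok": first_use_ok,
        "replay_ok": replay_ok,
        "forged_ok": forged_ok,
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The two halves make the argument concrete: a stolen bearer cookie is as good as the password until someone revokes it, whereas a per-transaction response is bound to a single server-chosen nonce and cannot be replayed or forged without the second-factor secret.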


When someone steals your device, you change your passwords and Google ends all active sessions automatically. If you use a session cookie from a very different location (e.g. another country), it also asks to re-enter the two-factor token.

That leaves the chance of having your system being compromised through the internet. Sure, that's possible.


Well, yeah, but how does two-factor auth help with any of that? Ending all existing sessions when you change the password doesn't require a second factor. Limiting the validity of a cookie to one country also doesn't seem to me to be much of a security feature, and more something that prevents you from using the service anonymously through Tor - the local thief won't be far from you and the botnet operator probably has more than enough systems in your vicinity to tunnel through, and in any case requiring the password would do the job equally well, wouldn't it?


The 2nd factor is the computer you are logged in at.


Huh? That doesn't make sense in any interpretation I can think of. A second factor is what you need in addition to the first factor (in a conjunction), not what you can use instead, that would be a second summand (in a disjunction).


Oops, you're right.




