[Action Required] Auth0: Session Timeout/Inactivity Implementation

Overview
Session timeout/inactivity represents the event occurring when a user does not perform any action on an application during an interval (in our policy, 15 minutes). If a user with those permissions is logged in and leaves their computer unattended, a malicious actor could take advantage of the situation to find or change important information. Session timeout/inactivity provides an extra layer of security to protect your profile from being compromised.

Who is this announcement for?
For all Engineers & Product Managers that use Auth0 for apps/tools authentication

What do you need to do?

Prior to implementation, please follow the proper Change Management procedure.
To implement session timeout/inactivity, kindly refer to Implement Session Inactivity on Product Administration Dashboard

Why is this needed?

Session timeout/inactivity implementations is one of the security best practices referred to Access Management Standard and Guideline, to prevent misuse of the access to information from unauthorized parties and/or decrease the exposure of session-based attacks.
To remediate findings on Project Galaxy.

Timeline

May 17 - June 24, 2022:

All PICs to check Auth0 Apps List and define Auth-SDK type. For applications that have not been listed, kindly list them down in this file.
All PICs to implement session timeout/inactivity in their applications
After the implementation, all PICs submit their GitHub link as the evidence in the Auth0 application list

June 20 - June 30, 2022:

Project Galaxy team to review the evidence & closure

Please be notified that May 29 - June 6, 2022 is Epic Sales Change Freeze Period, kindly avoided this period for implementation to reduce the risk of any production incident occurring during the epic sales period.

Questions/Concerns?

Contact @anggam for technical queries in Auth0
Contact @cresentia or @daivan for Project Galaxy queries

Appendix

Regards,
@anggam, on behalf of the Content & Tools Infra Team.