See: Frequent reauth doesn’t make you more secure.
At sufficiently large companies, security becomes a religion. A core contingent of rabid disciples dogmatically interpret the writings of patriarchs that came before them, much greater than themselves (e.g. OWASP). Common sense approaches to security (e.g. passwords that don’t expire) are instinctively rejected, even while questionable practices (e.g. OTP over SMS, sessions that expire in 24 hours) are dogmatically embraced.
Sometimes I think that all it might take to turn things around are smart security-conscious people that also care about UX to write more articles on best practices (actually best practices as opposed to what the security industry calls a “best practice”) so they can be shared as canonical references internally.