I agree with Peter_Fiddes that this is a big issue. However, I don’t think auto-logout is the right answer for 2fa controls because of the implications for local cache, which are kind of a different issue entirely (whether nuking local cache is desired after a period of time is a distinct need from wanting there to be 2fa between you and secrets at all times). I suggest that while this is a good request on it’s own, vote on this card ONLY if you are concerned about removing local cache after X minutes. If you want to ensure users must enter the 2nd factor every time the “unlock” timeout happens, you should be putting a vote here: 2FA when ‘unlocking’