At Salesforce, we strive to balance the security of your data and apps with an efficient and enjoyable user experience. Last year, we shortened login sessions for the Heroku Dashboard to 12 hours to improve security. Starting today, users can stay logged in for up to 24 hours. Even better, if you have multi-factor authentication (MFA) enabled and use the Heroku Dashboard daily, your session can be extended up to 10 days before you need to log in again. If you are idle on the Dashboard for more than 24 hours, you must re-authenticate. SSO-enabled users were not impacted by these changes and will continue to log in through their identity provider every 8 hours.
We've learned a lot on our journey of implementing MFA, which has been available on Heroku since 2014. Last year, we introduced enhancements to our MFA implementation, including additional verification methods and administrative controls like managing MFA for Enterprise Account users. In addition, we now require MFA for all Heroku customers, which mitigates the risk of phishing and credential stuffing attacks.
Feedback is Important
At Heroku, we take customer feedback seriously and incorporate it into our product plans. We got a lot of feedback that the 12-hour session timeout and resulting daily logins seriously degraded the Heroku Dashboard user experience, and we appreciate the opportunity to use that feedback to improve Heroku. The new, longer Dashboard sessions strike a better balance between security and user experience: if you’re a frequent Heroku user, you now only have to log in every 10 days, and the inactivity-based timeout ensures that inactive or abandoned sessions do not pose a security risk.
We hope you enjoy this improvement as much as we do!