Our auditors are concerned that once you've logged in to the store admin, there is no automatic timeout to enforce logging back in. The only thing is to select the store and user you want to continue as, but if the device you're using was previously logged in, then there is no further barrier. I noticed that my laptop has been logged in since December!
We've got 2-factor auth turned on, but unless you manually log out, then after initially logging in it's never used. Am I missing something?
No, still the same. To illustrate the point, I clicked on Reply to your message having not been in Shopify Admin for over a week. It just presented me with the account selector, and when I clicked the admin account I was straight back in with no further authentication. Considering the amount of personal and payment data contained within a Shopify store, our compliance people are very concerned!