The authentication process must have a defined time limit of 30 seconds.
OWASP-ASVS v4.0.1 V3.6 Re-authentication from a Federation or Assertion.(3.6.1) Verify that relying parties specify the maximum authentication time to CSPs and that CSPs re-authenticate the subscriber if they haven’t used a session within that period.
OWASP Top 10 A2:2017-Broken Authentication. Application functions related to authentication and session management are often implemented incorrectly, allowing attackers to compromise passwords, keys, or session tokens, or to exploit other implementation flaws to assume other users' identities temporarily or permanently.
PCI DSS v3.2.1 - Requirement 6.5.10 Address common coding vulnerabilities in software-development processes such as broken authentication and session management.