Evaluates session inactivity timeouts, step-up authentication for sensitive operations, concurrent session controls, session fixation prevention, and device trust.