
Sensitive DocTypes - Prompt For Password #26427

Open
fiveoaksmn opened this issue May 14, 2024 · 2 comments

Comments

@fiveoaksmn

Is your feature request related to a problem? Please describe.
I'm thinking about ERPNext; however, I think my proposal could be beneficial across the board. In ERPNext, the accounts who have access to HR (employee) data have access to some sensitive data. Should they remain logged in and walk away from their computer, someone with bad intentions could get a hold of information they shouldn't have and cause some damage.

Describe the solution you'd like
I don't want to shorten the time the user is logged in, as having to enter their username and password frequently is annoying and most of the time unnecessary. What I am proposing is that a new option be added in the configuration of a doctype named "sensitive". When this checkbox is true, whenever a user attempts to view/edit any document of this doctype, they are prompted to enter their password before they can see anything. Once they successfully enter their password, they can continue to view/edit it.

Ideally the system would have logic too that starts a timer. Meaning if the user goes from one document to another in the same sensitive DocType, they aren't prompted a second time unless a few minutes have passed.

Describe alternatives you've considered
I haven't thought of an alternative yet.

Additional context
This password prompt for sensitive doctypes should have the flag set that tells the browser to not autofill.
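The gating logic the request describes (a per-DocType "sensitive" flag, a password re-check before a document is shown, and a grace window so moving between documents of the same DocType does not re-prompt) as an added, self-contained illustration. This is not Frappe or ERPNext code: the `StepUpGate` class, the `ManualClock` test clock, the PBKDF2 credential helpers and the in-memory stores are assumptions standing in for the framework's DocType metadata, user credentials and session storage.

```python
"""Step-up re-authentication gate for "sensitive" DocTypes (illustration only).

Assumed names: StepUpGate, ManualClock, hash_password, verify_password.
The constructed credential and session ids below are sample data, not real ones.
"""
import hashlib
import hmac
import os
import time
from typing import Callable, Dict, Iterable, List, Optional, Tuple

GRACE_SECONDS = 300  # assumed value for "a few minutes" between re-prompts
PBKDF2_ROUNDS = 200_000


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Derive a salted PBKDF2-HMAC-SHA256 digest; returns (salt, digest)."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Constant-time comparison of a candidate password against a stored digest."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


class ManualClock:
    """Controllable clock so the grace-window behaviour can be exercised deterministically."""

    def __init__(self) -> None:
        self.now = 0.0

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


class StepUpGate:
    """Decide whether a session must re-enter its password before viewing a document."""

    def __init__(self, sensitive_doctypes: Iterable[str],
                 grace_seconds: float = GRACE_SECONDS,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self.sensitive = set(sensitive_doctypes)  # DocTypes with the "sensitive" checkbox set
        self.grace = grace_seconds
        self.clock = clock
        # (session_id, doctype) -> time of last successful re-authentication
        self._verified_at: Dict[Tuple[str, str], float] = {}

    def requires_prompt(self, session_id: str, doctype: str) -> bool:
        """True when the DocType is sensitive and the grace window has lapsed (or never started)."""
        if doctype not in self.sensitive:
            return False
        last = self._verified_at.get((session_id, doctype))
        return last is None or (self.clock() - last) > self.grace

    def confirm(self, session_id: str, doctype: str, password: str,
                salt: bytes, digest: bytes) -> bool:
        """Record a successful re-authentication for this session and DocType only."""
        if not verify_password(password, salt, digest):
            return False
        self._verified_at[(session_id, doctype)] = self.clock()
        return True

    def access(self, session_id: str, doctype: str, docname: str) -> str:
        """Return 'prompt' if the password dialog must be shown first, else 'allowed'."""
        return "prompt" if self.requires_prompt(session_id, doctype) else "allowed"


def demo() -> List[object]:
    """Scripted walk-through of the proposed behaviour; returns the sequence of outcomes."""
    clock = ManualClock()
    salt, digest = hash_password("correct horse battery staple")  # constructed credential
    gate = StepUpGate({"Employee", "Salary Slip"}, grace_seconds=300, clock=clock)
    out: List[object] = []
    out.append(gate.access("sess-1", "Employee", "HR-EMP-00001"))            # prompt: first visit
    out.append(gate.confirm("sess-1", "Employee", "wrong", salt, digest))     # False: bad password
    out.append(gate.access("sess-1", "Employee", "HR-EMP-00001"))            # prompt: still unverified
    out.append(gate.confirm("sess-1", "Employee", "correct horse battery staple", salt, digest))  # True
    out.append(gate.access("sess-1", "Employee", "HR-EMP-00001"))            # allowed
    clock.advance(120)
    out.append(gate.access("sess-1", "Employee", "HR-EMP-00002"))            # allowed: same DocType, inside grace
    out.append(gate.access("sess-1", "Salary Slip", "SAL-SLIP-00001"))       # prompt: different sensitive DocType
    out.append(gate.access("sess-2", "Employee", "HR-EMP-00002"))            # prompt: another session
    clock.advance(200)                                                       # 320 s since verification
    out.append(gate.access("sess-1", "Employee", "HR-EMP-00002"))            # prompt: grace window lapsed
    out.append(gate.access("sess-1", "ToDo", "TD-00001"))                    # allowed: not sensitive
    return out


if __name__ == "__main__":
    print(demo())
```

The grace window is keyed per session and per DocType, so a re-check for Employee does not unlock Salary Slip, and a second session for the same user starts cold. The password dialog that fronts this check is the place for the `autocomplete="off"` hint mentioned in the additional context; it is a browser hint rather than a guarantee, so the server-side check above is what actually enforces the re-authentication.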

@rareMaxim
Contributor

In my opinion, this is not a Frappe/ERPNext/HR problem at all. Consider basic security standards for your employees, such as setting a password for the work machine account and setting an auto-lock timer.

@fiveoaksmn
Author

Yes, of course basic security standards are in place already, including locking the screen after 5 minutes, but there is still that period of time between when one leaves their computer and when the lock occurs. In a perfect world, you wouldn't need to worry. Employees would remember to lock their computer when they get up, but anyone who runs a business knows it is pretty near impossible to get 100% compliance.

But all this is beside the point. My use case is employee records in ERPNext, but I could see this feature being useful in other areas. If people are using Frappe for health related records, this is something you would consider highly sensitive. Not only does prompting for a password make sure it's an authorized person trying to access the data, it also serves as a reminder to them that they need to treat the data with utmost care.
