I don't know. I haven't needed to log back in for at least 3 days so far. I usually just click over to another tab to refresh my balance a few times a day. The session seems to last at least until I restart my machine, and even then it carries over. I'm fine with it.

Cryptsy has a 2FA system with a time-out adjustment. I have my account set at 12 hours, so I usually have to relog once or twice a day. Not as bad as a bank, but still annoying considering it used to last a day before I enabled 2FA.

You could take the (marketing) approach of "We have banking grade security", but I rather think it doesn't need to be any more secure than a pool account. Rolling 24 hour auto-withdrawals will keep your BTC/DOGE balance low, and make you a less appealing target for a heist. Say something like UTC 00:00 + (Num of min = RIGID). For example: for 'RIGID=495' it would be UTC 00:00 + 495 minutes or UTC 08:15. That way, withdrawals aren't all going out at once, and everyone gets paid once a day. Not having 24hr withdrawals is why Hashcows became a target and Middlecoin did not. And fuck hashclowns anyway. They've had a small unexchanged balance for me for months!

My approach to security is to make it 'good enough' until there is a reason to make it more of a hassle. As long as your other practices makes you a less appealing target, like not holding onto balances longer than 24 hours, you shouldn't have any problems. 2FA sessions can be tied to IP addresses, right? Even if someone were able to access your current session key (due to compromised admin PC), they'd be trying to access it from a different IP, and require relogging. Even so, I'd still argue it the provider's fault for having a compromised PC, not leaserigs.