I personally consider automatic logouts to be in the same category as periodic password rotations: a defense in depth idea that so badly impedes accessibility that it isn't worth it. It is common to type 1-2 passwords into a computer before getting to the browser, so why isn't a trusted device a reasonable threat model?
I think it is a personally reasonable threat model to consider anyone capable of stealing a token off of my device as capable of stealing my password because if a website has other vulnerabilities allowing credentials to be stolen or misused without my device being compromised then it is a defense in depth technique and it is to cover the ass of the website operator and not me. I shouldn't be liable for a website owner's screw up there.
Now, a genuine two factor authentication changes the picture there and actually adds some security for ultra risky scenarios (like transferring money). But instead of invalidating my session, just ask for a token on every risky transaction. There I can understand a bank wanting to cover their liability a bit more.
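The step-up approach suggested in the comment above, sketched as an added example that is not part of the original post: the session itself never expires, but risky actions require a fresh TOTP code (RFC 6238, HMAC-SHA1) that is refused on replay. The `Session` class, the `RISKY` action names and the `authorize` function are hypothetical, and the secret is the RFC test key, used here as constructed sample input.

```python
import hashlib
import hmac
import struct
import time

STEP = 30  # TOTP time step in seconds (RFC 6238 default)
RISKY = {"transfer_money", "change_email"}  # hypothetical action names

def totp(secret: bytes, at: float, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for the time step containing `at`."""
    counter = struct.pack(">Q", int(at) // STEP)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation, RFC 4226 section 5.3
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

class Session:
    """Long-lived login session; this sketch has no idle timeout."""
    def __init__(self, user: str, totp_secret: bytes):
        self.user = user
        self.totp_secret = totp_secret
        self.last_step_used = -1  # newest accepted time step, blocks replay

def authorize(session: Session, action: str, code=None, now=None) -> bool:
    """Allow ordinary actions on the session alone; risky ones need a code."""
    now = time.time() if now is None else now
    if action not in RISKY:
        return True
    if not isinstance(code, str):
        return False
    step = int(now) // STEP
    for s in (step, step - 1):  # tolerate one step of clock skew
        expected = totp(session.totp_secret, s * STEP)
        fresh = s > session.last_step_used
        if fresh and hmac.compare_digest(expected.encode(), code.encode()):
            session.last_step_used = s  # a code is good for one use only
            return True
    return False

if __name__ == "__main__":
    s = Session("alice", b"12345678901234567890")  # constructed sample user
    print(authorize(s, "view_balance", now=59))
    print(authorize(s, "transfer_money", now=59))
    print(authorize(s, "transfer_money", code=totp(s.totp_secret, 59), now=59))
```

A stolen session cookie alone is then enough to browse but not to complete a risky action, and a code captured in transit cannot be used a second time.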