Update 0x09-V4-Authentication_and_Session_Management_Requirements.md

Document/0x09-V4-Authentication_and_Session_Management_Requirements.md

@@ -15,7 +15,7 @@ In most cases, users logging into a remote service is an integral part of the ov
 | **4.5** | A password policy exists and is enforced at the remote endpoint. | ✓ | ✓ |
 | **4.6** | The remote endpoint implements an exponential back-off, or temporarily locks the user account, when incorrect authentication credentials are submitted an excessive number of times. | ✓ | ✓ |
 | **4.7** | Biometric authentication, if any, is not event-bound (i.e. using an API that simply returns "true" or "false"). Instead, it is based on unlocking the keychain/keystore. |   | ✓ |
-| **4.8** | Sessions and access tokens are invalidated at the remote endpoint after a predefined period of inactivity. |   | ✓ |
+| **4.8** | Sessions are invalidated at the remote endpoint after a predefined period of inactivity and access tokens expire. |   | ✓ |
 | **4.9** | A second factor of authentication exists at the remote endpoint and the 2FA requirement is consistently enforced.  |   | ✓ |
 | **4.10** | Sensitive transactions require step-up authentication.  |   | ✓ |
 | **4.11** | The app informs the user of all login activities with their account. Users are able view a list of devices used to access the account, and to block specific devices. |  | ✓ |