by
Tue, Feb 05 2013 12:46:24

The Case of Too Many Tokens

  1. NishantK
    Nishant Kaushik@NishantK
    Why OAuth token management needs to be part of #IAM program >> Twitter Apps Can Still Tweet Despite Password Reset - bit.ly/WskOxJ
    Tue, Feb 05 2013 08:01:42
  2. My name is Paul and I am a compulsive application authorizer #hiPaul http://pic.twitter.com/4HUFkAyc
    Paul Madsen@paulmadsen
    ·
    Tue, Feb 05 2013 05:49:27
  3. NishantK
    Nishant Kaushik@NishantK
    @paulmadsen 54????
    Tue, Feb 05 2013 08:31:07
  4. paulmadsen
    Paul Madsen@paulmadsen
    @NishantK some people collect stamps…… #dontJudge
    Tue, Feb 05 2013 08:36:51
  5. NishantK
    Nishant Kaushik@NishantK
    @paulmadsen Not judging. But definitely going to use you as a case study. #InThisRoom...
    Tue, Feb 05 2013 08:43:55
  6. paulmadsen
    Paul Madsen@paulmadsen
    @NishantK I also do bat mitzvahs & weddings
    Tue, Feb 05 2013 08:48:00
  7. paulmadsen
    Paul Madsen@paulmadsen
    Why should my access tokens be automatically revoked? securitywatch.pcmag.com/none/307747-tw…
    Tue, Feb 05 2013 08:18:13
  8. NishantK
    Nishant Kaushik@NishantK
    .@paulmadsen The concern re. no autorevoke is a hacked password being used to authorize app, which (unknowingly) continues to have access
    Tue, Feb 05 2013 08:48:47
  9. paulmadsen
    Paul Madsen@paulmadsen
    @NishantK but existing apps were issued their tokens when no risk present. So, why not instead not issue new tokens until pwd changed?
    Tue, Feb 05 2013 08:57:25
  10. NishantK
    Nishant Kaushik@NishantK
    @paulmadsen Assumes you know exactly when account was compromised. Not always clear.
    Tue, Feb 05 2013 09:03:26
  11. paulmadsen
    Paul Madsen@paulmadsen
    @NishantK so should Twitter revoke all 54 of my issued tokens?
    Tue, Feb 05 2013 09:06:34
  12. dchristiansen
    David Christiansen@dchristiansen
    @paulmadsen If password was compromised, additional tokens could have been generated with rogue app - Surely best to do a token reset?
    Tue, Feb 05 2013 09:10:20
  13. paulmadsen
    Paul Madsen@paulmadsen
    @dchristiansen I had 54 extant tokens at the time of the (potential) compromise. What price security? /cc @NishantK
    Tue, Feb 05 2013 09:11:39
  14. dchristiansen
    David Christiansen@dchristiansen
    @paulmadsen @NishantK Agreed. Site could display the date of when an app was trusted. Highlighting any changed around the time of the breach
    Tue, Feb 05 2013 09:13:49
  15. dchristiansen
    David Christiansen@dchristiansen
    @paulmadsen @NishantK The alternative was me weeding out my trusted app list and regenerating tokens
    Tue, Feb 05 2013 09:14:51
  16. NishantK
    Nishant Kaushik@NishantK
    @paulmadsen Given that you are the edge case that I am NOT going to design my security protocol around (seriously, 54?), I say yes.
    Tue, Feb 05 2013 09:18:57

Did you find this story interesting? Be the first to or comment.

Liked!

Nishant Kaushik

Chief Architect @ Identropy | Solver of Problems | Passion for Identity, Tech, Family, Travel, Sports (esp. NYY/NYG/ManU) | Recommended by 4 out of 5 Identirati

7stories
3followers
1following
Total views
29

Sorry.

This URL is already in use. Please choose another URL.
Edit URL

Storify

@Storify

Are you sure?

Are you sure you want to delete this story?

Are you sure?

Are you sure you want to flag this story?