Token Management

There is little less interesting to most people than managing a multitude of authentication tokens for online services. This doesn't mean it's not important, though.

Late last week CloudFlare reported a memory leak that was the result of a bug in some of their server software. As 10Centuries does rely on CloudFlare, there's a possibility that the authentication tokens that people use for this service were leaked elsewhere. With an authentication token, someone could essentially impersonate you and (attempt to) take over your account. What's both interesting and unfortunate is that, even if someone were to sign in as you and change your password, they would not be able to eliminate your existing authentication tokens. You could continue to use your apps without even realizing that someone else changed your password or other details.

This was by design, but I can see how some people would be uncomfortable with this. Luckily, I managed to get about 3 hours of development work in today that will make it possible for you to have much greater control over the access tokens that you've authorized.

The password change page has been updated to give you the option to revoke all existing Authorization Tokens or, if you choose to go App-by-App, you can do so using the rows at the bottom of the page:

Passwords & Tokens

Hopefully these functions will give people the control they seek: revoking Tokens for applications or services they may no longer want to use, and seeing how many Tokens are currently active. Expiring a Token takes effect instantaneously, so if you ever think someone is logged in as you, just hit the buttons and you'll be good to go.

What Does "Active" Mean?

Tokens are considered active until they've been unused for more than 30 days from the time of last access. Once the 30-day mark is hit, the token cannot be used ever again, and any application using that token will need to sign in for a new one. Any time you choose to sign out of an application, the token in use is automatically expired, preventing it from being used ever again. Some 80% of all tokens have gone idle and are no longer usable, and this is great as it means people's accounts cannot be easily hijacked through fake cookies or random generators hitting the 10Centuries servers.
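As an added illustration (not 10Centuries' own code), here is a minimal token store that applies the rules above: a 30-day sliding idle window measured from last access, permanent expiry of a token once it has gone idle, an active-token count like the one on the password page, and the "revoke all" action. The token strings, app names and dates are constructed for the walk-through.

```python
from datetime import datetime, timedelta

IDLE_LIMIT = timedelta(days=30)  # a token goes idle 30 days after its last use

class TokenStore:
    # All tokens issued to one account, keyed by the token string.
    def __init__(self) -> None:
        self.tokens: dict[str, dict] = {}

    def issue(self, token: str, app: str, now: datetime) -> None:
        self.tokens[token] = {"app": app, "last_access": now, "revoked": False}

    def validate(self, token: str, now: datetime) -> bool:
        # Accept only a known, unrevoked token last used within 30 days. An idle
        # token is revoked for good (a retry still fails); a use restarts the window.
        t = self.tokens.get(token)
        if t is None or t["revoked"]:
            return False
        if now - t["last_access"] > IDLE_LIMIT:
            t["revoked"] = True
            return False
        t["last_access"] = now
        return True

    def revoke_all(self) -> int:
        # "Revoke all tokens" on the password page; a sign-out flips one token.
        live = [t for t in self.tokens.values() if not t["revoked"]]
        for t in live:
            t["revoked"] = True
        return len(live)

    def active(self, now: datetime) -> list[str]:
        # Tokens still usable right now, as the password page would count them.
        return [k for k, t in self.tokens.items()
                if not t["revoked"] and now - t["last_access"] <= IDLE_LIMIT]

def run_scenario() -> dict:
    # Constructed walk-through: two apps, one goes idle, then "revoke all".
    t0 = datetime(2017, 1, 1)  # constructed start date
    s = TokenStore()
    s.issue("phone-tok", "phone app", t0)
    s.issue("web-tok", "web client", t0)
    r = {"phone_day29": s.validate("phone-tok", t0 + timedelta(days=29))}
    r["web_day31"] = s.validate("web-tok", t0 + timedelta(days=31))  # idle: dead
    r["web_day32"] = s.validate("web-tok", t0 + timedelta(days=32))  # stays dead
    r["phone_day45"] = s.validate("phone-tok", t0 + timedelta(days=45))  # 16 idle
    r["active_day45"] = s.active(t0 + timedelta(days=45))
    r["revoked_count"] = s.revoke_all()
    r["phone_after"] = s.validate("phone-tok", t0 + timedelta(days=45))
    return r
```

Note that the web token is dead on day 31 even though the phone token, used on day 29, survives to day 45: the window counts from each token's own last access, not from when it was issued.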

Given that 10Centuries has the audacious goal to exist in perpetuity, security is a serious concern. A great deal of thought has gone into what sorts of features should exist, and how to prevent misuse of the service. With this new feature, people will have much more control over their accounts, but the system could still be better. How would you like to see 10Centuries improve its security in the coming months? Get in touch with me on Social, and let's see if we can't build something stronger, better, and easier for the whole community.

Have any questions, comments, concerns, or feedback? Get in touch on Social or send a message through the Contact page. I'm almost always available.