This is the second entry in a series about Spring Cleaning for your Internet-connected 21st century lifestyle. Confused? Check out the first entry about authentication and passwords.
This entry is all about user connected apps and sessions.
Connected apps / OAuth tokens
You know when you log in somewhere with Facebook, or click on a button that gives a website access to your profile photo on Google? That’s called a connected app, or in techie jargon OAuth.
OAuth is a wonderful protocol. It gives you the power to selectively share your data between websites and mobile apps.
But that convenience comes with a wrinkle of complexity: it’s easy to forget about all the apps you’ve connected. To make matters worse, some of these app connections will keep working after you reset your password.
So, take some time and review all of your connected apps. Don’t recognize something? Disconnect / revoke / remove it.
Here’s a list of places you might have connected apps:
If you have more than one account at any of these providers, don’t forget to check each one.
Browser sessions & Devices
Some online services keep a memory of previously authenticated web browsers and mobile apps. This phenomena goes by many names including trusted computers, sessions, devices, and recognized browsers.
Trusted devices and browsers have easier access to your account. Sometimes they bypass multi-factor auth, sometimes they are completely trusted. In any case, they’re another gateway to you account that you should keep tidy.
- Apple iCloud - Listed as ‘My Devices’ and ‘Sign Out Of All Browsers’
- Apple Id - Listed as ‘My Devices’ and may list different devices than iCloud
- Dropbox - Listed as ‘Session’ and ‘Devices’
- Facebook - Listed as ‘Where you’re logged in’
- GitHub - Listed under ‘Sessions’
- Google - Listed as ‘Recently used devices’
- Twitter - Listed as ‘Your devices’
App passwords are a weird consequence of multi-factor authentication. They are passwords that allow you to sign in from applications that do not support multi-factor auth, even if your account it set to require it for all access. This may seem silly, but you might have used it for an old desktop email client. They typically give full, unrestricted access to your account, so it’s important to keep them tidy too.
- Apple Id - Listed under ‘App-specific passwords’
- GitHub - Listed under ‘Personal Access Tokens’
While you’re in there, go ahead and clean out any old / unused SSH keys too. These are not as common, but if they get out bad things can happen. You may have accidentally leaked one when you sold an old laptop on Craig’s List.
As a general practice, never reuse SSH keys. Generate a new one for each device / service connection.
- Any servers you used SSH to log into
There are more ways into your accounts than just your password. Keep them tidy too!
Did I miss any services that you use? If so, please tell me on Twitter.
In the next blog entry, I’ll move away from authentication (as exciting as it is), and into a more meaty part of the series: almost forgotten social media posts and other uploaded data. I promise an exciting journey down memory lane.