
ubuntu-phone team mailing list archive

Head's up, SSO tokens going to be bulk invalidated

Hi all,

As part of tightening security in SSO, we will need to invalidate
all[1] current SSO tokens within the next week or two, and they will
all need to be re-created.
We are doing this now and in this manner because we frequently need to
do so whenever there are security breaches in third-party sites and
users in our systems used the same passwords; also, when a user
changes their password on the server, their tokens are no longer
valid.
So what I want us to ensure early on is that the phone can handle this
situation gracefully and in a user-friendly manner. We won't have the
luxury of hand-holding each person if the device gets confused in the
future, and I don't want us to be in a position where we need to
choose between security and user confusion, where we can avoid it.
I have talked to Mardy and David a month or two back to let them know
this was coming, but I'm not sure what other areas of the phone it
will affect or how.

If you want to test this situation today, in advance of us doing this,
you can just go to https://login.ubuntu.com and invalidate your
existing token(s) (under Applications).


Happy testing!

[1] Not really *all*, but rather all the ones accessed via the v2 API,
which is effectively "all" for the phone

-- 
Martin
