Let's look at how SuperID changes authentication for WebTools, MailLink, and Pocket.
Before SuperID
- We use proprietary tickets representing the user for authentication. A ticket is valid for a 10-hour sliding window.
- WebTools, MailLink, and the mobile client use classic usernames and passwords. The password is stored encrypted on the device.
- A user must reauthenticate when changing the password.
- Double-clicking the WebTools owl icon will sign the user directly in to the tenant.
- An invalid cached password will sometimes result in locking the user account.
With SuperID
- We use industry-standard OAuth 2.0 access tokens and refresh tokens representing a user signed in to an application.
- The access token is valid for 1 hour. The refresh token is valid for several years.
- Access tokens can't be shared between applications.
- The tokens are unique per user and application and are stored on the device.
- WebTools, MailLink, and the mobile client use industry-standard OAuth 2.0 for Native Apps (RFC 8252).
- Double-clicking the WebTools owl icon will send the user to the tenant. If the user is not signed in, the user will be redirected back to the sign-in dialog, must click Next, and then possibly authenticate to sign in.