Tobyn

CEO - 19 Dec, 2016

Shift Privacy: How Does OAuth Work?

Feel uneasy about giving your passwords away willy-nilly? You have good reason!

If a website or application asks you to share your password, the key is to always make sure they are using OAuth Authentication.

As CEO of Redbrick – the 2nd fastest-growing software company in Canada – finding ways to manage end-users consent, and protect our customers’ privacy and security, is my number one priority. I am thrilled that OAuth has become the industry standard as the most trusted authentication protocol. I’ve broken down what it is, how it works, and how it’s implemented for Shift.

So, what exactly is oAuth?

OAuth is an authentication protocol used by Shift, and most well-known and respected applications that require access to your third party accounts. It is the security measure that allows you to approve the interaction between the application. The trick is that it does this without actually giving away your password. OAuth provides assurance that your passwords, and the information they protect, are safe and secure.

How does Shift use OAuth?

Shift follows the OAuth protocol exactly as it was intended. OAuth authentication authorizes Shift (locally) to access your emails and download to your local computer. An identity token is stored against your Shift account in the cloud, but the token required to access your emails is always local.

Shift can handle your mail privately and locally without any risk that anyone, anywhere – other than you – can gain access to your information, data, or emails.

Is it safe to sync multiple mailboxes to my Shift Account?

Syncing your mailboxes allows us to provide a seamless Shift experience across your multiple computers. OAuth providers (like Microsoft and Google) provide an identity token as part of the OAuth sign-in process.

An identity token is cryptographically signed and only identifies someone. Sharing this token does not authorize anyone to do anything (like read your emails).

Once Shift is done signing in with Google or Microsoft, it will reach out to our servers and send up the identity token. If the token can be decrypted then we know who is making the request. Then we can start syncing their mailbox information. This is why you still have to sign into Google and Microsoft after your mailbox is added to a new computer.

We know the mailbox belongs to you, but we don’t have the access it to unlock it for you.

How can you ensure your information and email is protected while using Shift?

Don’t let anyone else use your personal computer or at least anyone that you don’t want seeing your emails! Remember that when you sign into your primary Shift account, it could be visible. Do not leave it running on a computer that is not password protected. 

That’s it! Shift was designed with privacy in mind.  We knew that we wanted to use OAuth because it’s so slick, but we were cautious about just how we used it, and it turned out great.