
Tobyn

CEO - 19 Dec, 2016

Shift Privacy: How Does OAuth Work?

Feel uneasy about giving your passwords away willy-nilly? You have good reason!

If a website or application asks you to share your password, the key is to always make sure they are using OAuth.

As CEO of Redbrick – the 2nd fastest-growing software company in Canada – finding ways to manage end-user consent, and protect our customers’ privacy and security, is my number one priority. I am thrilled that OAuth has become the industry standard as the most trusted authentication protocol. In this article, I’ve broken down what it is, how it works, and how we have implemented it for Shift.

So, what exactly is OAuth?

OAuth is an authentication protocol used by Shift and by most well-known and respected applications that require access to your third-party accounts. Essentially, it is the security measure that allows you (as the customer) to approve the interaction between the application you want to use and your third-party accounts – in this case Gmail (Google) – without actually giving away your password. With so many new applications on the market, OAuth plays a very important role in providing assurance that your passwords, and the information they protect, are safe and secure.

How does Shift use OAuth?

Shift follows the OAuth protocol exactly as it was intended. OAuth authorizes Shift (locally) to access your emails and download them to your local computer. An identity token is stored against your Shift account in the cloud, but the token required to access your emails is always local.

Shift can handle your mail privately and locally without any risk that anyone, anywhere – other than you – can gain access to your information, data, or emails.

Is it safe to sync multiple mailboxes through my Shift Account?

Syncing your mailboxes allows us to provide a seamless Shift experience across your multiple computers. OAuth providers (like Microsoft and Google) provide an identity token as part of the OAuth sign-in process.

An identity token is cryptographically signed and only identifies someone. Sharing this token does not authorize anyone to do anything (like read your emails).

Once Shift has finished signing in with Google or Microsoft, it will reach out to our servers and send up the identity token. If the token can be decrypted, then we know who is making the request and can start syncing their mailbox information. This also explains why you still have to sign into Google and Microsoft after your mailbox is added to a new computer.

We know the mailbox belongs to you, but we don’t have the access to unlock it for you.
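The server-side check described above, as an added example that is not Shift's code: a sync server validates a signed identity token and learns only who the caller is. HMAC-SHA256 stands in for the provider's signature scheme so the example runs on the Python standard library alone; the key, issuer, audience and sample token are all constructed.

```python
import base64, hashlib, hmac, json, time

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def mac(key: bytes, signing_input: str) -> bytes:
    return hmac.new(key, signing_input.encode(), hashlib.sha256).digest()

def sign_token(claims: dict, key: bytes) -> str:
    """Provider side (constructed): issue a compact signed identity token."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url(json.dumps(claims).encode())
    return f"{header}.{body}.{b64url(mac(key, f'{header}.{body}'))}"

def verify_identity_token(token, key, issuer, audience, now=None):
    """Sync-server side: return the subject if the token is authentic, else raise."""
    try:
        header_b64, body_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        sig = b64url_decode(sig_b64)
    except ValueError as exc:
        raise ValueError("malformed token") from exc
    # Pin the algorithm; never let the token's own header choose it.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise ValueError("unexpected algorithm")
    if not hmac.compare_digest(sig, mac(key, f"{header_b64}.{body_b64}")):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(body_b64))  # parsed only after the signature checks out
    if claims.get("iss") != issuer:
        raise ValueError("wrong issuer")
    if claims.get("aud") != audience:
        raise ValueError("token issued for another application")
    if claims.get("exp", 0) <= (time.time() if now is None else now):
        raise ValueError("expired")
    return claims.get("sub")

# Constructed sample values. The claims identify a user and carry no mailbox
# access token, so holding this token does not allow reading any mail.
KEY, ISSUER, AUDIENCE, NOW = b"constructed-demo-key", "https://idp.example", "sync-client-example", 1_700_000_000
SAMPLE = sign_token({"iss": ISSUER, "aud": AUDIENCE, "sub": "user-123", "exp": NOW + 600}, KEY)

if __name__ == "__main__":
    print(verify_identity_token(SAMPLE, KEY, ISSUER, AUDIENCE, now=NOW))
```

The issuer, audience and expiry checks matter as much as the signature: a validly signed token that was issued for a different application, or that has expired, is rejected.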

How can you ensure your information and email is protected while using Shift?

Don’t let anyone else use your personal computer, or at least anyone that you don’t want seeing your emails! Remember that when you sign into your primary Shift account, or leave it running on a computer that is not password protected, it could be visible.

That’s it! Shift was designed with privacy in mind. We knew that we wanted to use OAuth because it’s so slick, but we were cautious about just how we used it, and it turned out great.