I’d like to start a discussion about security of long-term app logins.
To my understanding the standard/state of the art for the long-lived logins that apps use to keep a user from needing to re-login regularly, is to store a refresh token that is valid for months or longer in the app.
This token being an opaque/bearer token that is sent over the wire when it’s used and stored in a location that the app can retrieve the whole token from. Which to me feel like the same issues why we usually want auth/session tokens to have a short life.
It occurs to me that the correct/secure way to do refresh tokens that last for a long duration would be to use public key cryptography and use platform native APIs to store keys in hardware backed keystores where available (WebCrypto’s non-extractable keys, Android’s hardware-backed keystore, keys in iOS’ Secure Enclave). So the app is not able to retrieve the contents of the private key.
However while this seems like the most secure way to implement long-term logins, I have not been able to find any reference to this being common in-practice or libraries that implement it.
So, am I off base with this train of thought? Or is the security of auth solutions used in-practice lacking? Or can anyone find libraries implementing this type of refresh key security, or at least companies that have deployed it.