A personal device, such as a mobile phone, can be used to securely access personal information. Once a user has been authenticated, the user can continue to access the information. Because people generally retain physical possession of their phones, there is only limited risk that an unauthorized user will gain access to an authenticated phone and thereby access personal information of the phone's owner.
However, a phone has a small display and a small input mechanism (e.g., a keyboard or “soft” keyboard), and thus a phone may not be an optimal device for accessing personal information.
On the other hand, some shared devices, such as a television with a set-top box or a desktop computer, are better suited to viewing content. For example, it is much easier to view content on a 30-inch display than on a 3.5-inch display. The ease of viewing on a shared device, however, creates a different problem. Once the user has provided credentials to access personal information, the shared device may continue to provide access to the personal information, even when the user is no longer using the shared device. That is, subsequent users of the shared device may have access to the first user's personal information.
Disclosed implementations can utilize various authorization protocols, such as the OAuth 2.0 Authorization Protocol. Authorization protocols enable a user to share access to restricted resources without sharing the user's primary credentials. In some implementations, the protocol utilizes access tokens, which may be limited in time and/or scope. Although access tokens eliminate the need to share a user's credentials, authorization protocols such as OAuth 2.0 do not prevent a shared device from continuing to access a user's personal information after the user is no longer using the shared device, because the access token is still valid.
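The following sketch is an added illustration, not part of the original text or of any disclosed implementation. It models a resource server that checks only a token's signature, expiry and scope, and shows that a token held by a shared device keeps working after the user has walked away. The HMAC-signed token format, the key, and all names (`issue_token`, `check_token`, `alice`, `photos.read`) are assumptions made for the example; OAuth 2.0 itself does not prescribe a token format.

```python
import base64, hashlib, hmac, json

# Constructed demo key (assumption); a real authorization server keeps its own secret.
SERVER_KEY = b"demo-key-not-for-production"

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode()

def _sign(payload: str) -> str:
    return _b64(hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).digest())

def issue_token(user: str, scope: set, now: int, ttl: int) -> str:
    """Authorization server: mint a token limited in time (exp) and scope."""
    claims = {"sub": user, "scope": sorted(scope), "exp": now + ttl}
    payload = _b64(json.dumps(claims, sort_keys=True).encode())
    return payload + "." + _sign(payload)

def check_token(token: str, needed_scope: str, now: int) -> str:
    """Resource server: the decision uses the token alone, not who is present."""
    payload, _, sig = token.partition(".")
    if not hmac.compare_digest(sig.encode(), _sign(payload).encode()):
        return "rejected: bad signature"
    claims = json.loads(base64.urlsafe_b64decode(payload))
    if now >= claims["exp"]:
        return "rejected: expired"
    if needed_scope not in claims["scope"]:
        return "rejected: out of scope"
    return "granted to " + claims["sub"]

def shared_device_timeline() -> dict:
    """Constructed scenario: a one-hour token obtained on a shared television."""
    t0 = 1_000  # constructed clock value for the moment the user signs in
    token = issue_token("alice", {"photos.read"}, now=t0, ttl=3600)
    return {
        # The user is in front of the shared device.
        "alice_watching": check_token(token, "photos.read", t0 + 60),
        # The user has left; whoever uses the device next presents the same token.
        "alice_left_room": check_token(token, "photos.read", t0 + 1800),
        # Scope limits what can be reached, not who can reach it.
        "other_scope": check_token(token, "mail.read", t0 + 1800),
        # Only the time limit eventually closes the window.
        "after_expiry": check_token(token, "photos.read", t0 + 3600),
    }

if __name__ == "__main__":
    for step, outcome in shared_device_timeline().items():
        print(f"{step:16} {outcome}")
```

The "alice_left_room" request is granted exactly like the first one: nothing in the check can distinguish the original user from a subsequent user of the shared device.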