
I recently stumbled upon this article which recommends using two tokens for authentication.

> Once the user is logged in (or registered), the client receives an access token and a refresh token, and gets transitioned to the protected scene.
>
> The access token is a credential valid for 1 hour, used to access the protected content from the server API. When it expires, the client uses the refresh token to obtain a new access token. The refresh token is valid for 90 days [...]

I'm guessing using two tokens is a security measure, but I can't imagine how it makes the system any safer. Wouldn't it be equally secure if there was only one token, valid for 90 days, which is used as the access token? What are the benefits of using another token?

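An added illustration, not part of the question, the comments, or the linked article: a minimal server-side model of the two-token scheme described above, using a constructed signing key and explicit timestamps instead of the real clock. It shows what the split buys a defender: the access token is self-contained and checked statelessly on every API call (so it cannot be revoked, but dies within the hour), while the refresh token is only ever presented to the token endpoint, is stored server-side so it can be revoked, and is rotated on each use so a replay of an old value exposes theft.

```python
import base64, hashlib, hmac, json, secrets

SECRET = b"constructed-demo-signing-key"  # assumption: server-only HMAC key


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def make_access_token(user: str, now: int, ttl: int = 3600) -> str:
    """Short-lived, self-contained token: claims + HMAC, no server state needed."""
    body = _b64(json.dumps({"sub": user, "exp": now + ttl}).encode())
    sig = _b64(hmac.new(SECRET, body.encode(), hashlib.sha256).digest())
    return f"{body}.{sig}"


def verify_access_token(token: str, now: int):
    """Stateless check done by the API on every request; returns the user or None."""
    body, sig = token.split(".")
    expected = _b64(hmac.new(SECRET, body.encode(), hashlib.sha256).digest())
    if not hmac.compare_digest(sig, expected):
        return None
    claims = json.loads(base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)))
    return claims["sub"] if claims["exp"] > now else None


class RefreshStore:
    """Long-lived refresh tokens kept server-side: revocable and rotated on use."""

    def __init__(self):
        self.active = {}  # refresh token -> (user, expiry)
        self.used = {}    # already-rotated tokens -> user, kept to detect replay

    def issue(self, user: str, now: int, ttl: int = 90 * 24 * 3600) -> str:
        rt = secrets.token_urlsafe(32)  # random, opaque, only meaningful to this store
        self.active[rt] = (user, now + ttl)
        return rt

    def revoke_user(self, user: str) -> None:
        for rt in [t for t, (u, _) in self.active.items() if u == user]:
            del self.active[rt]

    def refresh(self, rt: str, now: int):
        """Token endpoint: trade a live refresh token for a new access + refresh pair."""
        if rt in self.used:  # a rotated token presented again: treat as theft
            self.revoke_user(self.used[rt])
            return None
        rec = self.active.pop(rt, None)
        if rec is None or rec[1] <= now:  # unknown, revoked, or past its 90 days
            return None
        user, _ = rec
        self.used[rt] = user
        return make_access_token(user, now), self.issue(user, now)
```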
  • That question is about two-factor authentication when the user has 2 ways to prove their identity and they have to use both. This question is about computer-generated tokens that the client application handles, and if an attacker had one of them (refresh), they could generate the other (access). I don't think they are the same. – Reinis Mazeiks Nov 25 '19 at 12:29
  • 2
    See https://stackoverflow.com/questions/3487991/why-does-oauth-v2-have-both-access-and-refresh-tokens – mti2935 Nov 25 '19 at 12:31
  • I edited the title to focus answers. – schroeder Nov 25 '19 at 12:35
  • 1
    If you search here for "refresh tokens" there are multiple questions with answers that might help you that might serve as duplicates. – schroeder Nov 25 '19 at 12:36
  • Possible duplicate of [Two-Factor Authentication: When is it worth it?](https://security.stackexchange.com/questions/24652/two-factor-authentication-when-is-it-worth-it) –  Nov 27 '19 at 20:47
  • @MechMK1 someone already suggested that (and deleted their comment after I replied to it, see above). https://stackoverflow.com/questions/3487991/why-does-oauth-v2-have-both-access-and-refresh-tokens is a much better candidate I think. – Reinis Mazeiks Nov 28 '19 at 16:02

0 Answers