Hi Dossy, Indeed - I think we both agree that it's an education issue. I can see why you wouldn't want to deauthorise all tokens automatically - but I'd certainly have it as an option. After all, you can't possibly know which site has been used with a compromised password (unless it's the only one you haven't personally authorised). At any rate - I'd put the option on the same screen as password reset in order to educate users. Thanks for the comments T