When RapID-SL authenticates, it simply authorises a WordPress logon directly with a cryptographic signature that the plugin verifies directly. Unlike Clef, there is no reliance on an external authentication service, which improves privacy and reliability.
Once the RapID-SL user has authenticated and logged in to the site, they are then under the ‘session time out’ control of the individual WordPress site.
We appreciate that it would be useful for the user to revoke a session from within the app. This is a great suggestion and something we will seriously consider.
I don’t think that using its own cookies would work, unfortunately – cookies are locked to a specific website and, to preserve privacy and avoid a single point of vulnerability, RapID uses a different authenticator for each site (i.e. each site only trusts certificates issued by itself, and the app has a secret key and certificate for every site you enrol).