Bearer tokens are the backbone of most online identity transactions. These include session cookies, OpenID Connect ID tokens and OAuth access tokens. They work well for the majority of lower-risk use cases, but a bearer token has one defining weakness: whoever presents it is granted access, with no further proof of who they are. An attacker who intercepts or otherwise obtains a token can replay it and hijack a valid session belonging to a valid user.
Stolen tokens stand to become a larger problem as an increasing number of high-risk transactions, like voting and currency transfers, happen over the Internet. Such attacks have already occurred at Uber and other companies, and will become increasingly popular as we eliminate passwords.
“Stolen tokens may not seem bad today, and one reason for that is because it’s easier to steal passwords. Once we get rid of passwords (or materially reduce the usage of passwords) then I think we will see a focus on stealing tokens, and I sure as hell hope we have a good answer before that happens.”
—Jeff Richardson, SVP, Identity and Access Management, Bank of America
The Internet Engineering Task Force (IETF) has developed a solid answer to the stolen token threat: a protocol called token binding. Instead of being presented bare, a token is cryptographically bound to a key pair that the client or browser generates and holds. On every TLS connection to the consuming application, the client proves possession of the private key by signing keying material exported from that connection, and the application checks that this key is the one the token was issued to. A token replayed from another machine, without the private key and over a different connection, fails that check and is rejected.
Token binding's value proposition is unique in that it defeats the use of a token after a theft has taken place, rather than trying to prevent the theft itself. It has been in development and testing for years, and it works: the proof of possession travels in a request header on each request, so it protects the user without any visible change to the sign-on experience.
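The exchange above, worked through end to end as an added example (this is illustrative Go written for this page, not code from the IETF drafts or from any browser or identity product). It follows the shape of the token binding protocol (RFC 8471) and its HTTP usage (RFC 8473) but simplifies it: TLS is not modelled, so `NewEKM` stands in for the 32-byte Exported Keying Material a real TLS stack would provide per connection, the Token Binding ID is represented by the DER encoding of the client's P-256 public key, and the bound token is a minimal HMAC-authenticated record carrying the key hash (the `tbh` value of the OAuth token binding profile) rather than a full JWT. The server names, subject and secret are constructed for the demo.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"encoding/hex"
	"errors"
	"fmt"
)

// Constants mirror RFC 8471's TokenBindingType.provided_token_binding
// and TokenBindingKeyParameters.ecdsap256.
const (
	tbTypeProvided = 0
	tbKeyECDSAP256 = 2
)

// Client holds the long-lived token binding key pair (per origin in a browser).
type Client struct{ key *ecdsa.PrivateKey }

func NewClient() (*Client, error) {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Client{key: k}, nil
}

// NewEKM simulates the per-connection Exported Keying Material (assumption:
// a real deployment obtains this from the TLS stack, e.g. ExportKeyingMaterial).
func NewEKM() []byte {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// TokenBindingMessage is the client's proof for one connection; in RFC 8473
// it travels in the Sec-Token-Binding request header.
type TokenBindingMessage struct {
	PubKeyDER []byte // Token Binding ID (simplified to the SPKI DER of the key)
	Signature []byte // ECDSA over SHA-256(type || key_parameters || EKM)
}

func signedInput(ekm []byte) []byte {
	h := sha256.Sum256(append([]byte{tbTypeProvided, tbKeyECDSAP256}, ekm...))
	return h[:]
}

// Bind signs this connection's EKM, proving possession of the private key.
func (c *Client) Bind(ekm []byte) (*TokenBindingMessage, error) {
	der, err := x509.MarshalPKIXPublicKey(&c.key.PublicKey)
	if err != nil {
		return nil, err
	}
	sig, err := ecdsa.SignASN1(rand.Reader, c.key, signedInput(ekm))
	if err != nil {
		return nil, err
	}
	return &TokenBindingMessage{PubKeyDER: der, Signature: sig}, nil
}

// tokenBindingHash is the value the token carries (cnf.tbh in the OAuth profile).
func tokenBindingHash(der []byte) string {
	h := sha256.Sum256(der)
	return hex.EncodeToString(h[:])
}

// Server is the consuming application; secret authenticates tokens it issued.
type Server struct{ secret []byte }

// Token is a minimal bound bearer token: subject + key hash + server MAC.
type Token struct {
	Subject string
	TBH     string
	MAC     []byte
}

func (s *Server) mac(sub, tbh string) []byte {
	m := hmac.New(sha256.New, s.secret)
	m.Write([]byte(sub + "|" + tbh))
	return m.Sum(nil)
}

// verifyBinding checks the proof of possession against THIS connection's EKM.
func verifyBinding(msg *TokenBindingMessage, ekm []byte) error {
	pk, err := x509.ParsePKIXPublicKey(msg.PubKeyDER)
	if err != nil {
		return err
	}
	ec, ok := pk.(*ecdsa.PublicKey)
	if !ok {
		return errors.New("token binding key is not ECDSA")
	}
	if !ecdsa.VerifyASN1(ec, signedInput(ekm), msg.Signature) {
		return errors.New("token binding signature does not match this connection's EKM")
	}
	return nil
}

// Issue runs at login: the client proves possession, the token is bound to its key.
func (s *Server) Issue(sub string, msg *TokenBindingMessage, ekm []byte) (*Token, error) {
	if err := verifyBinding(msg, ekm); err != nil {
		return nil, err
	}
	tbh := tokenBindingHash(msg.PubKeyDER)
	return &Token{Subject: sub, TBH: tbh, MAC: s.mac(sub, tbh)}, nil
}

// Accept runs on every later request: token integrity, fresh proof, same key.
func (s *Server) Accept(t *Token, msg *TokenBindingMessage, ekm []byte) error {
	if !hmac.Equal(t.MAC, s.mac(t.Subject, t.TBH)) {
		return errors.New("token forged or tampered")
	}
	if err := verifyBinding(msg, ekm); err != nil {
		return err
	}
	if tokenBindingHash(msg.PubKeyDER) != t.TBH {
		return errors.New("token is bound to a different key")
	}
	return nil
}

func main() {
	server := &Server{secret: []byte("constructed-demo-secret")}
	client, _ := NewClient()
	ekm1 := NewEKM() // login connection
	msg1, _ := client.Bind(ekm1)
	tok, _ := server.Issue("alice", msg1, ekm1)
	ekm2 := NewEKM() // a later connection from the same client
	msg2, _ := client.Bind(ekm2)
	fmt.Println("legitimate client:", server.Accept(tok, msg2, ekm2))
	ekm3 := NewEKM() // attacker's own connection, replaying the captured header
	fmt.Println("replay of stolen token:", server.Accept(tok, msg2, ekm3))
}
```

The two failure modes worth noting: an attacker who captured both the token and the `Sec-Token-Binding` header from a real request still fails, because the signature covers the EKM of the victim's connection, not the attacker's; and an attacker who supplies a valid proof with a key of their own fails because the hash carried in the token names the victim's key.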
But there’s a catch. In order for token binding to be widely adopted, it has to be supported by web browsers. Until recently, the team at Google Chrome was leading the way for this important standard with implementations of the draft standards still in development at the IETF. Surprisingly, however, Google stated its intent to remove support just as the draft standards are slated to become RFCs. Lack of adoption was cited as one reason to discontinue the support.
Meanwhile, Mozilla has expressed a willingness to include the standard in Firefox, but it hasn't yet been a priority. Microsoft has firmly committed to supporting token binding across its platform, including the Edge and Internet Explorer browsers, but those two browsers combined account for only 5% of worldwide usage. Apple has made no public statements about token binding.
This is a classic chicken-and-egg problem. Without browser support, we can't have wide adoption, and without wide adoption, browser development teams are left maintaining an unused feature. The identity community needs to come together at this critical moment for the security of the Internet. Unless we want this weakness to get worse and more pervasive, we must work together to adopt this important standard.
To learn more about token binding, watch the video from this year’s Identiverse. (If you want, skip ahead to 3:00 to go straight to the good stuff.)