Google Proposes Method for Stopping Multifactor Runaround
Device Bound Session Credentials Tie Authentication Cookies to Specific Computers

Google is prototyping a method to stymie hackers who get around multifactor security by stealing authentication cookies from desktops, in the hopes that the security feature becomes a web standard.
The tech giant in a Tuesday blog post said it's testing a new capability it dubs Device Bound Session Credentials - cookies cryptographically bound to a desktop device that would be useless in account-hijacking attacks launched from a cybercrook's computer.
Google said its proposal for cryptographically tying authentication tokens to computers will succeed where previous attempts such as Token Binding failed.
One big difference Google points to is the growing number of computers with Trusted Platform Modules that serve as a hacker-resistant place to store encryption keys.
"By binding authentication sessions to the device, DBSC aims to disrupt the cookie theft industry since exfiltrating these cookies will no longer have any value," said Google's Kristian Monsen, a member of Chrome's Counter Abuse team.
In a longer explanation in a GitHub repository, Google said it envisions the mechanism as an API for servers called at the start of each new browsing session. At the moment of login to a site, a server responds to the browser with a request for a public key, and the browser responds by generating a key pair created and stored by the TPM and sending the public key back to the web server.
Because the authentication cookies are short-lived, the server periodically asks the browser to refresh them, while the same session public key continues to authenticate the session. Each session has its own key - and for privacy considerations, "it should not be possible to detect that different sessions are from the same device."
Cookie refresh traffic happens out of band from regular web traffic and occurs through a dedicated DBSC-defined endpoint on the website.
Google said identity provider Okta and Edge browser maker Microsoft have shown interest.
"What Google is proposing is a good thing," said Patrick Harding, chief product architect at Ping Identity.
It builds on past efforts to stymie account-hijacking attacks that sought to tie tokens to devices to prevent their theft and reuse on other computers. A notable example, Token Binding, failed to gain traction because it relies on Transport Layer Security - making its adoption difficult when web pages are delivered by content delivery networks and must pass through web application firewalls, Harding told Information Security Media Group.
Routing authentication through TPMs is a good way to draw even more hacker attention to finding their flaws, Harding said. But "moving to a TPM is vastly better than what we're currently doing, which is just storing these cookies in memory on the device."
Google's path to having this become a web standard likely lies in convincing the other major web browser makers - Apple, Microsoft and Mozilla - to support it.
"Once you get all the browsers adopting this, it's a standard, essentially," Harding said.