Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

> While Google implemented multiple mechanisms, like two-factor-authentication, to prevent hackers from compromising Google accounts, a stolen authorization token bypasses this mechanism and allows hackers the desired access as the user is perceived as already logged in.

What's the right fix here? Should auth tokens be ip-address-tied? How much will that break? Or would that not even fix it?



While it might be possible to strengthen the mechanism used to keep sessions, the best fix isn't necessarily on that front. They have root access to the device you're logged in with, so they can do whatever they want with your current sessions. Auth tokens actually limit the damage by being expirable and being insufficient to perform a new login.


I'm not sure what the solution is, but my worry with tying to an IP address is the mobile setting where I may transition from work wifi to bus wifi to home wifi, with a mobile carrier in between all of those steps.

Maybe something like a device ID, although I assume that that can be easily stolen and spoofed.


I'm not sure what the right solution is, but tying tokens to IP addresses is probably not workable.

Better mechanisms for protecting tokens stored on the device seems like the only way to reasonably improve this situation.


Token binding would solve this by binding OAuth tokens to TLS connections, so they can't be used even if stolen: https://tools.ietf.org/html/draft-jones-oauth-token-binding-...


Would this mean that the token is only good for the duration of the connection though? Most apps on mobile hold tokens that ~never expire (iirc I've never had to re-auth the Gmail app.)


> Should auth tokens be ip-address-tied?

Won't fix the problem when there's malware on the same device that the auth token was stolen from...




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: