> While Google implemented multiple mechanisms, like two-factor-authentication, to prevent hackers from compromising Google accounts, a stolen authorization token bypasses this mechanism and allows hackers the desired access as the user is perceived as already logged in.
What's the right fix here? Should auth tokens be ip-address-tied? How much will that break? Or would that not even fix it?
While it might be possible to strengthen the mechanism used to keep sessions, the best fix isn't necessarily on that front. They have root access to the device you're logged in with, so they can do whatever they want with your current sessions. Auth tokens actually limit the damage by being expirable and being insufficient to perform a new login.
I'm not sure what the solution is, but my worry with tying to an IP address is the mobile setting where I may transition from work wifi to bus wifi to home wifi, with a mobile carrier in between all of those steps.
Maybe something like a device ID, although I assume that that can be easily stolen and spoofed.
Would this mean that the token is only good for the duration of the connection though? Most apps on mobile hold tokens that ~never expire (iirc I've never had to re-auth the Gmail app.)
What's the right fix here? Should auth tokens be ip-address-tied? How much will that break? Or would that not even fix it?