Google Proposes Method for Stopping Multifactor Runaround

/in

Google recognizes that cookie theft poses a significant challenge for users and is actively working on a solution to mitigate it. They propose a mechanism called Device Bound Session Credentials (DBSC), which aims to tie authentication data to a specific device, rendering stolen cookies ineffective.

Cookies remain a common method for websites to store session information locally, enabling users to stay signed in and retain site preferences. However, malicious software can target cookies, extracting them from a user’s device and transmitting them to remote attackers for potential unauthorized access to user data.

Google’s DBSC initiative involves employing cryptographic keys to associate sessions with individual devices. This process involves generating a unique public/private key pair locally on the device, with the private key securely stored by the operating system, possibly leveraging hardware features like Trusted Platform Module (TPM) for enhanced security.

The DBSC API facilitates the association of sessions with the generated public key, allowing periodic refreshment of sessions with cryptographic proof of device binding. This verification occurs separately from regular web traffic and only when the user is actively engaged in the session.

Google emphasizes privacy protection, ensuring that each session is linked to a distinct key and preventing sites from correlating keys across different sessions on the same device. Only the per-session public key is transmitted to the server for proof of key possession.

Initial adoption of DBSC is expected to cover approximately half of desktop users, dependent on hardware capabilities like TPM availability. Google contemplates extending support to software-based keys for broader user coverage and compatibility.

To encourage widespread adoption, Google is collaborating with industry stakeholders, including identity providers and potentially Microsoft for integration into its Edge browser. The project is being developed openly on GitHub with the intention of establishing an open web standard.

DBSC aligns with Google’s strategy of phasing out third-party cookies in Chrome. Early experiments are underway to protect Google Account users in Chrome Beta, with plans to extend the technology to Google Workspace and Google Cloud customers for enhanced account security.

This initiative draws parallels to Intel’s past attempt with Processor Serial Number (PSN) for tracking, which faced backlash and discontinuation due to privacy concerns. However, Google aims to address privacy issues and gain broader industry support for DBSC as a standardized security measure.