
Assuming this works, it is very creative. In a geeky sort of way.

One way that attackers get around multifactor authentication is to steal “session cookies”. Since the web has no built-in notion of a user session (each HTTP request stands on its own), years ago developers came up with a way to tie multiple requests together: the server creates a session and hands the browser a cookie, and the browser sends that cookie back with every new request. The bad guys have figured out that if they can steal that cookie they can impersonate the cookie owner, and it works really well: the server thinks you are already logged in, multifactor included, and gives you a free pass. There have been many attempts at securing these cookies, but the hackers have figured out ways around those too, and the technique has been used successfully in many attacks.

Google is suggesting a way to tie the cookie to only one single computer so that if it gets stolen it is useless.

They plan to do this using public key cryptography and the security processor in PCs called the Trusted Platform Module (TPM). Nothing is perfect, and if quantum computing happens the encryption method will have to change, but beyond that it seems pretty workable. The concept requires a separate communication between the user's device and the server that sits outside the normal website traffic. Google has figured all of this out.

More interestingly, Google says that Microsoft is interested, as is Okta. Google would like to make this a standard, since if they are the only ones using it, it doesn’t have much value.

If Google can convince the PC browser makers to sign on to this, then even Apple will be forced to adopt it, even though they don’t seem to like anything they did not invent.

Stay tuned and hope that Google and Microsoft can play nice together.

Credit: Data Breach Today