One of the biggest holes on the Internet has just been plugged

Thank Microsoft and Google for working together on this

--

We increasingly live in a digital world where we identify ourselves once and then receive an authorization token. This token can then be passed to trusted services without the user having to re-authenticate.

It is an open secret that OAuth and other token-based systems have a massive problem: an authentication token can be stolen and then used in a replay attack.

Because these token replay problems are so well known, Microsoft and Google collaborated in creating RFC 8471 (The Token Binding Protocol Version 1.0):

Overall, it aims to remove token replay:

At the core of the change, the token is created with the details of the device, or of the device’s configuration, integrated into it. This makes it difficult to recreate the device conditions in…
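To make the binding idea concrete, here is an added example (not code from the article, Microsoft, Google or the RFC 8471 authors) written in Go. It follows the RFC 8471 model, in which the token is bound to a key pair held by the client and every request carries a signature over the TLS exported keying material (EKM) of the current connection. The details are simplified and assumed: the token is an HMAC-protected `subject.tbid.mac` string rather than a real OAuth token, the binding ID is a SHA-256 hash of the DER-encoded public key rather than the RFC's serialized TokenBindingID, and the EKM is a constructed byte string standing in for the value a real TLS stack would export. The `demo` function runs the honest flow and then two replay attempts: a thief who has the token but a different key pair, and a thief who replays a captured signature on a new connection.

```go
// Token binding demo: a bearer token is tied to a client key pair, so a
// stolen token cannot be replayed from another TLS connection.
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// tokenBindingID identifies the client's binding key. Assumption: SHA-256 over
// the DER-encoded public key (a simplification of the RFC 8471 TokenBindingID).
func tokenBindingID(pub *ecdsa.PublicKey) string {
	der, err := x509.MarshalPKIXPublicKey(pub)
	if err != nil {
		panic(err)
	}
	sum := sha256.Sum256(der)
	return hex.EncodeToString(sum[:])
}

// issueToken: the server mints "subject.tbid.mac", so the token itself
// records which binding key it belongs to. Assumed toy token format.
func issueToken(serverKey []byte, subject, tbid string) string {
	body := subject + "." + tbid
	m := hmac.New(sha256.New, serverKey)
	m.Write([]byte(body))
	return body + "." + hex.EncodeToString(m.Sum(nil))
}

// proveBinding: the client signs the exporter value (EKM) of the current
// TLS connection with its binding key, proving possession of that key.
func proveBinding(priv *ecdsa.PrivateKey, ekm []byte) []byte {
	h := sha256.Sum256(ekm)
	sig, err := ecdsa.SignASN1(rand.Reader, priv, h[:])
	if err != nil {
		panic(err)
	}
	return sig
}

// verifyRequest: the server checks the token MAC, recomputes the binding ID
// from the presented public key, and verifies the proof over its own EKM.
func verifyRequest(serverKey []byte, token string, pub *ecdsa.PublicKey, sig, ekm []byte) error {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return errors.New("malformed token")
	}
	m := hmac.New(sha256.New, serverKey)
	m.Write([]byte(parts[0] + "." + parts[1]))
	if !hmac.Equal([]byte(hex.EncodeToString(m.Sum(nil))), []byte(parts[2])) {
		return errors.New("token MAC invalid")
	}
	if tokenBindingID(pub) != parts[1] {
		return errors.New("token is bound to a different key")
	}
	h := sha256.Sum256(ekm)
	if !ecdsa.VerifyASN1(pub, h[:], sig) {
		return errors.New("binding proof does not match this connection")
	}
	return nil
}

// demo runs the honest flow plus two replay attempts. Each result is true
// when the server accepted the request.
func demo() (honest, replayOtherKey, replayOtherConn bool) {
	serverKey := []byte("constructed-server-secret") // constructed sample secret
	client, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	token := issueToken(serverKey, "alice", tokenBindingID(&client.PublicKey))

	ekm1 := []byte("constructed EKM for connection 1") // stands in for TLS exporter output
	sig1 := proveBinding(client, ekm1)
	honest = verifyRequest(serverKey, token, &client.PublicKey, sig1, ekm1) == nil

	// Thief holds the stolen token but only its own key pair: binding ID mismatch.
	thief, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	ekm2 := []byte("constructed EKM for connection 2")
	replayOtherKey = verifyRequest(serverKey, token, &thief.PublicKey, proveBinding(thief, ekm2), ekm2) == nil

	// Thief captured token, public key and sig1, and replays them on a new
	// connection: the EKM differs, so the old signature does not verify.
	replayOtherConn = verifyRequest(serverKey, token, &client.PublicKey, sig1, ekm2) == nil
	return
}

func main() {
	h, k, c := demo()
	fmt.Printf("honest=%v replayOtherKey=%v replayOtherConn=%v\n", h, k, c)
}
```

The point to take away is that the stolen token is useless on its own: the server never trusts the token alone, only the token together with a fresh proof that the presenter holds the bound private key on this particular connection. In a real deployment the EKM comes from the TLS layer (RFC 8471 uses the RFC 5705 exporter with the label "EXPORTER-Token-Binding"), so it cannot be chosen by the client.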

--

Prof Bill Buchanan OBE FRSE
ASecuritySite: When Bob Met Alice

Professor of Cryptography. Serial innovator. Believer in fairness, justice & freedom. Based in Edinburgh. Old World Breaker. New World Creator. Building trust.