- From: Jeffrey Walton <noloader@gmail.com>
- Date: Sun, 2 Feb 2025 04:32:37 -0500
- To: public-webappsec@w3.org
Hi Everyone,

Please forgive my ignorance... I was reading Device Bound Session Credentials, <https://github.com/w3c/webappsec-dbsc/blob/main/README.md>. I understand the main threat being addressed is account hijacking caused by cookie theft. The attacker egresses a cookie that allows the attacker to perform some actions as the user on another machine.

My question is, for a high value transaction like transferring money, why wouldn't the site actively challenge the user with a (re)authentication? That is, ask them for another second factor, like an OTP code or YubiKey keypress. Using the OTP code or YubiKey device (or other second factor) has the necessary security properties to thwart the attack (randomness, phishing resistance and replay resistance).

Or maybe put another way, when should a site use Device Bound Session Credentials versus an Authentication Challenge?

Jeff
Received on Sunday, 2 February 2025 09:33:21 UTC