Preventing token theft
Summary
The article surveys token theft vectors from stored tokens and browser cookies, detailing how malware can exfiltrate tokens and bypass MFA. It reviews various TLS and token-binding approaches (mutual TLS, channel IDs, DPoP, device-bound credentials) and discusses their deployment challenges and privacy implications, concluding that token theft remains a persistent risk, with Chrome's device-bound cookies offering a practical improvement. It also critiques the practicality and limitations of several proposed standards.