September 13, 2018

FIDO TechNote: The Growing Role of Token Binding

FIDO specifications are part of a community of interlinking specifications. FIDO Authentication depends on specifications from the World Wide Web Consortium (W3C), Internet Engineering Task Force (IETF) and others to define how secure authentication should work. We are excited to announce that one of the specifications that the FIDO Alliance has long been anticipating has made a very important step forward: the IETF Token Binding specification has been sent to the IETF editor, which means that it is one step away from being published as a final standard.

Token Binding has been included in the FIDO specifications as an important security measure. Token Binding cryptographically ties a token to a host, ensuring that the server knows that it’s talking to the right browser. Some of the uses for this are to ensure that cookies can’t be stolen, sessions can’t be hijacked and OAuth bearer tokens can’t be repurposed.

One of the most important security aspects of FIDO specifications is their cryptographic assertion of the origin: the protocol, server DNS, and port that describe the server that is requesting authentication – for example, “http://fidoalliance.org.” FIDO authenticators sign over the origin with an associated private key – this is how the FIDO Alliance accomplishes its anti-phishing mission. Token Binding is part of the protections of the origin because it ensures that the origin can’t be spoofed. For example, even if an attacker were to hijack a DNS server, redirect all traffic to “fidoalliance.org” to their own nefarious servers, and authenticate to clients as “fidoalliance.org” (assuming they also somehow obtained a valid TLS certificate for that domain), the Token Binding protocol would detect this “man-in-the-middle” between the client and the real “fidoalliance.org.”

Although Token Binding is important to the FIDO specifications, it has been optional so far – mostly because the specification wasn’t complete and adoption is still picking up. The completion of the Token Binding specification is an exciting opportunity for its adoption. Seeing Edge and Chrome support Token Binding is an important step to seeing broad ecosystem adoption of this new security standard.

We look forward to seeing more future adoption of Token Binding by other browser vendors. Similar to its inclusion as an advanced security measure in FIDO specifications, Token Binding has been included in the OpenID Connect Enhanced Authentication Profile (OIDC EAP), where Token Binding and FIDO sit side-by-side in OIDC’s vision for a future of strong authentication. Token Binding will also serve an important role in the U.S. government’s identity and authentication standards, including NIST SP 800-63-3, where it is required for verifier impersonation resistance. As with all standards, the road will be long to see adoption and implementations, but we are looking forward to the day Token Binding has enough industry adoption for it to become a mandatory part of the FIDO specifications.

FIDO TechNotes highlight aspects of the FIDO specifications that are important for practitioners to understand. TechNotes shed light on architectural choices, explain best practices, and give guidance to deployers of the technology. TechNotes are part of an on-going series featuring the technology and evolution of the FIDO Alliance.

MORE Buying, Building & Partnering

Download Specs