FIDO Submits Token Binding Specification to IETF Editor

“…token binding is already being adopted by Google and Microsoft in their Chrome and Edge browsers, that is has been included in the OpenID Connect Enhanced Authentication Profile, and that it’s coming to US government authentication standards including NIST SP 800-63-3.”

An important security specification developed by the FIDO Alliance is close to becoming finalized.FIDO Submits Token Binding Specification to IETF Editor

The IETF Token Binding specification essentially revolves around how a given security token is cryptographically tied to a given host. That enables a server to ensure that it’s communicating with the correct browser during an authentication session. And that, in turn, helps “to ensure that cookies can’t be stolen, sessions can’t be hijacked and OAuth bearer tokens can’t be repurposed,” as FIDO explained in a post on its website.

Token binding is already an important part of FIDO’s specifications, but it has so far been optional and relatively limited adoption. Now, however, the IETF Token Binding specification has been sent to the Internet Engineering Task Force editor, which, as FIDO says, “means that it is one step away from being published as a final standard.” This presents “an exciting opportunity for its adoption,” FIDO says.

The FIDO Alliance adds that token binding is already being adopted by Google and Microsoft in their Chrome and Edge browsers, that is has been included in the OpenID Connect Enhanced Authentication Profile, and that it’s coming to US government authentication standards including NIST SP 800-63-3. That all points to a growing role for token binding across a range of security applications.