Forum Discussion
CBA, MFA, and AADSTS54008 Certificate is not supported as first factor
This way it worked first cba snd than numner matching from passwordless sign in 🙂
To top it of I also use a 'Location based' CA rule, so even when my full browser profile gets hijacked (including session tokens) it won't work, off my private network.
Still I would like to see browsers encrypting their cookie database with some machine specific key, to make the cookies not work if they are used on a different machine. It feels very strange this massive security hole has gone unplugged for so long...
Cheers!
manshellstromOK, that is probably part of a road that could be taken. I do think for 'complete' E2E browsing security to be in place it should be covered on both server AND client sides.
The 'CA token protection' you mentioned is a server side feature, as the token needs to be validated and processed accordingly (by MS servers) to make a difference. It also (at the moment) has a lot of limitations, amongst which is cross-platform compatibility.
Browser makers (including Edge!) should not neglect their responsibility here and make their client side, in-rest/in-transit cookie/token handling more secure. As browsers always have access to their host system (or sandbox) a unique key can always be derived from such system on the fly, so the private keys used to decrypt an encrypted cookie DB (loaded into volatile memory) wouldn't even have to be stored locally.
Instant security with cross-platform compatibility to boot! Any browser should have this IMHO.
SjoerdV have a look at CA token protection, this function will create a relationship between the token and device.
https://learn.microsoft.com/en-us/azure/active-directory/conditional-access/concept-token-protection
