Forum Discussion
CBA, MFA, and AADSTS54008 Certificate is not supported as first factor
SjoerdV have a look at CA token protection, this function will create a relationship between the token and device.
https://learn.microsoft.com/en-us/azure/active-directory/conditional-access/concept-token-protection
manshellstromOK, that is probably part of a road that could be taken. I do think for 'complete' E2E browsing security to be in place it should be covered on both server AND client sides.
The 'CA token protection' you mentioned is a server side feature, as the token needs to be validated and processed accordingly (by MS servers) to make a difference. It also (at the moment) has a lot of limitations, amongst which is cross-platform compatibility.
Browser makers (including Edge!) should not neglect their responsibility here and make their client side, in-rest/in-transit cookie/token handling more secure. As browsers always have access to their host system (or sandbox) a unique key can always be derived from such system on the fly, so the private keys used to decrypt an encrypted cookie DB (loaded into volatile memory) wouldn't even have to be stored locally.
Instant security with cross-platform compatibility to boot! Any browser should have this IMHO.