Protecting user sessions after strong authentication - an overview of modern session-to-device binding technologies suitable for both browsers and mobile applications.
It is great to have a phishing-resistant technology like FIDO2 passkeys to protect user accounts during authentication. However, one might ask about post-authentication: what can be used to protect access tokens and session cookies? As we may already be aware, broken access control has climbed to the number one spot in the OWASP Top Ten list. Session hijacking is a growing initial attack vector for online fraud and account takeover. The theft and re-use of "bearer" tokens has become more prevalent as passkeys increasingly gain adoption in the industry. Fortunately, there are newly introduced complementary technologies such as Device Bound Session Credentials (DBSC) and Demonstrating Proof-of-Possession (DPoP) that will help combat these post-authentication attacks. Together with FIDO2 passkeys, these technologies provide a solution to protect the overall online credential ecosystem.
Come join An and Shane to learn more about these complementary technologies and take charge of implementing a more secure solution to protect your enterprise's online credentials!