In the evolving landscape of cyber security and identity, Yahoo adopted the use of transaction tokens to enhance the security of user data, and mitigate risks associated with traditional authorization models. This presentation will delve into the concept of transaction tokens, why we implemented them at scale, and the security benefits they offer. By replacing cookies and access tokens with short-lived, encrypted JWT tokens, Yahoo aims to reduce vulnerabilities such as internal cookie exposure, replay attacks, and server-side request forgery. The session will provide a comprehensive overview of the end-to-end solution, use cases, and the lessons learned during the adoption journey. We will cover the following key areas:

• An overview of Yahoo's current authorization model, and the security gaps identified.
• What are Transaction Tokens?: Definition, structure, and comparison with existing authorization methods.
• How Transaction Tokens Work: Detailed explanation of the end-to-end solution, including the process of obtaining and verifying transaction tokens.
• Use Cases and benefits: Practical applications in different services, highlighting the reduction of security risks.
• Implementation and integration: Steps for integrating transaction tokens, including the development of validation libraries and transition plans.
• Challenges and solutions: Addressing potential challenges, and strategies for a smooth rollout.

PowerPoint PDF