
Comment by mrweasel

2 years ago

But would you not get a "A new device has accessed your account" warning? Or is that skipped because the token is already validated?

No. A bearer token (which almost all credentials are) doesn't say anything about the device that is using it.

The sole exceptions are tokens tied to a device's HSM (TPM, Secure Enclave, TrustZone, ...) - you can't clone these onto another device.

ETA: to expand a bit... passwords, SSL client certificates, JWTs, tokens generated after a SAML assertion, they are all fungible bearer tokens. A server has no way of verifying if what is presented to him is originating as an intentional act of a user, or if a malicious third party has duplicated the token somehow and is using it from somewhere else. An attacker can act just the same as the user themselves can. An HSM-backed token, i.e. having the server send a preflight challenge value, and the client HSM signing that challenge together with the token to send back with the actual request, at least proves that the request originated from the device expected to be in control of the user. However, such a scheme comes at a high cost - the user needs to be in possession of a capable device, the HSM needs to be secure, and doing preflight requests to obtain the challenge adds considerable latency.
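The contrast the comment draws, as an added example (not the commenter's code, and not any real provider's implementation): a server that accepts any copy of a bearer token next to one that also demands a signature over a single-use preflight nonce plus the token from a key that never leaves the device. The `DeviceHSM` type, the `tok` string and the server API are all constructed for the illustration; Ed25519 stands in for whatever signature the real secure element uses.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// tok is a constructed bearer token string; in the scenario the attacker has copied it.
const tok = "tok-constructed-1"
// DeviceHSM stands in for the device's secure element: the private key is generated
// inside and never handed out; the outside world can only ask it to sign.
type DeviceHSM struct{ priv ed25519.PrivateKey }
func NewDeviceHSM() *DeviceHSM { _, p, _ := ed25519.GenerateKey(rand.Reader); return &DeviceHSM{priv: p} }
func (h *DeviceHSM) PublicKey() ed25519.PublicKey { return h.priv.Public().(ed25519.PublicKey) }
func (h *DeviceHSM) Sign(msg []byte) []byte      { return ed25519.Sign(h.priv, msg) }
// challengeMessage is what the device signs: the server's nonce followed by the token.
func challengeMessage(nonce []byte, t string) []byte { return append(append([]byte{}, nonce...), t...) }
// Server keeps the public key each token was enrolled with and the outstanding nonces.
type Server struct{ tokenKeys map[string]ed25519.PublicKey; challenges map[string][]byte }
func NewServer() *Server { return &Server{map[string]ed25519.PublicKey{}, map[string][]byte{}} }
// Issue binds a bearer token to the enrolling device's public key.
func (s *Server) Issue(t string, pub ed25519.PublicKey) { s.tokenKeys[t] = pub }
// Preflight is the extra round trip the comment mentions: a single-use nonce for this token.
func (s *Server) Preflight(t string) []byte {
	n := make([]byte, 32)
	rand.Read(n)
	s.challenges[t] = n
	return n
}
// BearerOK is the plain bearer check: whoever presents the string is accepted as the user.
func (s *Server) BearerOK(t string) bool { _, ok := s.tokenKeys[t]; return ok }
// BoundOK also requires a signature over nonce||token by the enrolled key and consumes
// the nonce, so a captured signature cannot be replayed later.
func (s *Server) BoundOK(t string, sig []byte) bool {
	pub, ok := s.tokenKeys[t]
	nonce, has := s.challenges[t]
	if !ok || !has {
		return false
	}
	delete(s.challenges, t)
	return ed25519.Verify(pub, challengeMessage(nonce, t), sig)
}
func main() {
	victim, attacker, srv := NewDeviceHSM(), NewDeviceHSM(), NewServer()
	srv.Issue(tok, victim.PublicKey())
	sign := func(d *DeviceHSM) []byte { return d.Sign(challengeMessage(srv.Preflight(tok), tok)) }
	fmt.Println(srv.BearerOK(tok), srv.BoundOK(tok, sign(attacker)), srv.BoundOK(tok, sign(victim))) // true false true
}
```

The copied token passes the bearer check on its own, while the bound check fails for a signer without the enrolled key and for any reuse of an already-consumed nonce.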

I didn't get such a warning when I connected Outlook to my Gmail.

But I had to click accept on the Google form requesting my permission to grant Outlook access. So I was informed when the app was connected.

I'm not sure how you would count "new device", since that token is going to be used by a random Microsoft cloud server, potentially different every time.