BROWSERAUTH.ORG
Updated 1172 days ago
This site is dedicated to documenting proposals for stronger web authentication mechanisms. Underlying all the proposals is the idea that asymmetric-key cryptography should replace bearer tokens as the main mechanism for authentication on the web...
A bearer token is a secret that is sent from the client to the server in order to authenticate the client. Possession of the token is the entire proof: it asserts the identity of the client independent of the context in which it is presented, so the server accepts it regardless of which client sends it or over which connection. Examples of bearer tokens are HTTP cookies and account passwords. Both are sent directly from the client (the browser) to the server. As a consequence, whoever manages to intercept or steal a bearer token will be able to impersonate legitimate clients. For example, stolen or phished passwords can be used to impersonate legitimate users, and stolen session cookies can be used to impersonate legitimate browsing sessions without ever learning the password.