

Origin-bound credential

Definition

An origin-bound credential is an authentication credential that is cryptographically tied to the web origin — the (scheme, host, port) tuple — it was registered against. The authenticator refuses to produce a valid assertion for any other origin, regardless of what the user intends or what the current page asks for.

The in-production realisation on the web is FIDO2 / WebAuthn / Passkeys: when the user registers, the authenticator stores a private key scoped to the origin; when the user authenticates, the browser's WebAuthn API records the current origin in the client data that the authenticator signs over, together with the server's challenge; the relying party server only accepts assertions whose embedded origin matches its own.

Why it matters — the reverse-proxy phishing model

Modern phishing kits (evilginx, Modlishka, Muraena, and their commercial descendants) are reverse proxies, not static credential-stealing pages. The flow is:

Victim browser ──→ phish.com (reverse proxy) ──→ real-site.com
                        │                             │
                   captures cookies,                  │
                   session tokens,                    │
                   any OTP the user types             │

Password + TOTP + SMS-OTP + push-notification-approval are all replayable through a reverse proxy, because none of them bind to the origin. The user types an OTP in phish.com, the proxy forwards it within the 30-second window to real-site.com, and the attacker harvests the resulting session.

Origin-bound credentials break this flow because the browser-side authenticator inspects the origin it was actually served from, not the origin the proxy pretends to be. If WebAuthn is asked to authenticate against phish.com, it will happily produce an assertion — but that assertion is for phish.com, not for real-site.com, and real-site.com will reject it.

Cf. Fly.io's 2025-10-08 postmortem:

"Phishing-resistant authentication works by mutual authentication (or, if you're a stickler, by origin- and channel-binding). Phishes are malicious proxies for credentials. Modern MFA schemes like FIDO2 break that proxy flow; your browser won't send real credentials to the fake site." (Source: sources/2025-10-08-flyio-kurt-got-got)

Origin binding vs channel binding

  • Origin binding is the minimum — the signed challenge includes the origin.
  • Channel binding additionally includes a fingerprint of the TLS connection itself (typically the exported keying material or a hash of the certificate). This defeats attacks where the attacker somehow manages to appear to be on the right origin but over a different TLS connection.

For the common web-phishing threat model, origin binding alone is sufficient. Channel binding is the stricter form for higher-assurance deployments.

Why humans can't do this themselves

  • Lookalike domains defeat visual inspection. Fly.io's phish used members-x.com, which is not x.com but is plausible enough under a CEO glance. Kurt explicitly notes: "'x.com' is an extremely phishable domain." Short, generic, single-character domain names offer almost no visual entropy to distinguish them from lookalikes.
  • Homoglyph attacks (using Unicode characters that look like Latin letters) defeat even careful inspection.
  • Subdomain attacks (x.com.attacker.example) exploit users who read the first few characters and stop.

Machine-enforced origin binding side-steps all of these. The browser has the actual origin string; the authenticator signs over it; the server compares byte-for-byte.

Seen in

  • Fly.io Kurt Got Got (2025-10-08) — canonical wiki instance. Names the origin- and channel-binding mechanism explicitly as the reason FIDO2 defeats phishing; narrates the manual-copy-paste into lookalike members-x.com as exactly the flow origin-binding would have defeated (sources/2025-10-08-flyio-kurt-got-got).
  • Cloudflare EmDash (2026-04-01) — passkey-by-default relies on origin binding; "the passkey is bound to the domain (origin) it was registered against. A phishing site at a different origin simply cannot prompt the authenticator to sign a challenge for the real origin." (sources/2026-04-01-cloudflare-emdash-wordpress-spiritual-successor)