
How to tie an authorisation token to a device?

Çağlar Arlı

When a user signs in they receive an authorisation token that is then sent along with each subsequent request to authorise the user, and the token is refreshed on every server call or once per minute. I heard about attacks where the tokens were stolen and used by an attacker, and that one way to mitigate this attack is to tie the token to the device. So what are some secure ways of tying the token to a device without inconveniencing the users?

For example, using the IP address isn't optimal since users might want to switch between different networks without being signed out. And using the User-Agent doesn't seem as secure since attackers might know or be able to guess it and copy it, but maybe I'm wrong about that.

Edit:
The question "Browser session cookies stolen/copied to another PC, why websites not smart enough prevent it?" tackles the same issue but is more about why to bind the session rather than how it could be done.