Accurate-enough (sub-second in my case) timing of events + physical proximity (both your browser and the app ask for your location) = a near guarantee that your browser session + your phone is a unique pair. It also asks for confirmation on both the phone and browser to pair the first time.
There's no real chance of this being man-in-the-middled since you have to confirm on both devices. And they're being intelligent about it - I just tried it with two laptops at once, and you get "someone's device" instead of the name of your iThing, and your iThing says "please try again" like this: http://cl.ly/1O33430M0i2c0i2T0z2U
Once you've approved, they have a browser + app pair of cookies for future pairings (not really exploitable, as it runs over https), which strengthens the single-pair guarantee to the point where it's about as good as it gets in any security model.
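To make the matching described above concrete, here is an added Python simulation of a timing-plus-proximity pairing matcher. It is not the service's code and nothing about its real algorithm is public; the 1-second window, 250 m radius, device names, coordinates, timestamps and the `PairStore` token scheme are all assumptions constructed for the example. It goes slightly beyond the thread by also handling the two-laptops case: a device name is revealed only when the match is unique in both directions, otherwise the browser gets "someone's device" and the phone gets "please try again".

```python
"""Hypothetical pairing matcher: two taps close in time and place form a pair.
Not the service's code; thresholds and sample data are assumptions."""
import hashlib
import math
import secrets
from dataclasses import dataclass

TIME_WINDOW_S = 1.0   # assumed: the two taps must land within a second
RADIUS_M = 250.0      # assumed: browser and phone geolocation fixes are coarse


@dataclass(frozen=True)
class PairingRequest:
    device_id: str
    kind: str     # "browser" or "phone"
    name: str     # what the device calls itself
    ts: float     # time the user tapped "pair", in seconds
    lat: float
    lon: float


def haversine_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in metres between two lat/lon points."""
    r = 6371000.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))


def coincident(a, b):
    """True if a and b are different device kinds, close in time and in space."""
    return (a.kind != b.kind
            and abs(a.ts - b.ts) <= TIME_WINDOW_S
            and haversine_m(a.lat, a.lon, b.lat, b.lon) <= RADIUS_M)


def resolve(requests):
    """Decide what each device is shown.

    A real name is revealed only when the match is unique in both directions:
    the device has exactly one candidate partner and that partner has exactly
    one candidate too. Otherwise a browser sees "someone's device" and a phone
    is told to try again, which is the two-laptops behaviour from the thread.
    """
    partners = {r.device_id: [o for o in requests if coincident(r, o)] for r in requests}
    out = {}
    for r in requests:
        cands = partners[r.device_id]
        if not cands:
            out[r.device_id] = ("none", None)
        elif len(cands) == 1 and len(partners[cands[0].device_id]) == 1:
            out[r.device_id] = ("pair", cands[0].name)
        elif r.kind == "browser":
            out[r.device_id] = ("ambiguous", "someone's device")
        else:
            out[r.device_id] = ("retry", "please try again")
    return out


class PairStore:
    """Long-lived credentials issued after both devices confirmed (assumed design).

    Each side gets its own random secret; the server keeps only SHA-256 hashes,
    and a later pairing is honoured only when both secrets belong to one record.
    """
    def __init__(self):
        self._records = {}   # pair_id -> (browser_id, phone_id, browser_hash, phone_hash)

    @staticmethod
    def _h(tok):
        return hashlib.sha256(tok.encode()).hexdigest()

    def issue(self, browser_id, phone_id):
        b_tok, p_tok = secrets.token_urlsafe(32), secrets.token_urlsafe(32)
        pair_id = secrets.token_hex(8)
        self._records[pair_id] = (browser_id, phone_id, self._h(b_tok), self._h(p_tok))
        return pair_id, b_tok, p_tok

    def verify(self, pair_id, b_tok, p_tok):
        rec = self._records.get(pair_id)
        if rec is None:
            return False
        return (secrets.compare_digest(rec[2], self._h(b_tok))
                and secrets.compare_digest(rec[3], self._h(p_tok)))


# Constructed sample: one phone, two laptops in the same cafe, one laptop far away.
PHONE = PairingRequest("ph1", "phone", "Alice's iPhone", 1000.2, 37.7749, -122.4194)
LAPTOP_A = PairingRequest("la", "browser", "Chrome on MacBook", 1000.6, 37.7750, -122.4193)
LAPTOP_B = PairingRequest("lb", "browser", "Safari on Air", 1000.9, 37.7748, -122.4195)
FAR_LAPTOP = PairingRequest("lc", "browser", "Firefox", 1000.5, 40.7128, -74.0060)


def demo():
    """Single laptop near the phone pairs by name; two laptops at once do not."""
    single = resolve([PHONE, LAPTOP_A, FAR_LAPTOP])
    double = resolve([PHONE, LAPTOP_A, LAPTOP_B])
    return single, double


if __name__ == "__main__":
    for label, result in zip(("one laptop", "two laptops"), demo()):
        print(label, result)
```

The both-directions check is the part worth copying: a browser that is the only candidate for its phone is not enough, the phone must also have only that browser as a candidate, or a second laptop tapping at the same moment would be offered the victim's phone by name.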
> *Exactly what's keeping the cookie on the browser and the phone from being copied?*
SSL. Either you trust it or you don't. Similarly, either you trust the CAs to work (preventing a real MITM on https traffic) or you don't. Which makes this as secure as your banking site, except for the initial pairing, which I dare say they do more safely than any bank I've seen.