Hi All,

Following on from the discussions at IETF 113, the OAuth Security Workshop, Identiverse and IETF 114, Daniel, Filip and I created a draft document capturing some of the attacks that we are seeing on cross device flows, including Device Authorization Grant (aka Device Code Flow).

These attacks exploit the unauthenticated channel between devices to trick users into granting authorization by using social engineering techniques to change the context in which authorization is requested. The purpose of the document is to serve as guidance on best practices when designing and implementing scenarios that require cross device flows.

We would appreciate any feedback or comments on the document, or any other mitigations or techniques that can be used to mitigate these attacks. Links to the documents are below. We also hope to discuss this at IETF 115 in London in a few weeks' time.

-----------------------------------------------------------------------------------------------------

A new version of I-D, draft-kasselman-cross-device-security-00.txt has been successfully submitted by Pieter Kasselman and posted to the IETF repository.

Name: draft-kasselman-cross-device-security
Revision: 00
Title: Cross Device Flows: Security Best Current Practice
Document date: 2022-10-19
Group: Individual Submission
Pages: 25
URL: https://www.ietf.org/archive/id/draft-kasselman-cross-device-security-00.txt
Status: https://www.ietf.org/archive/id/draft-kasselman-cross-device-security-00.txt
Html: https://www.ietf.org/archive/id/draft-kasselman-cross-device-security-00.html
Htmlized: https://datatracker.ietf.org/doc/html/draft-kasselman-cross-device-security

Abstract:
This document describes threats against cross-device flows along with near term mitigations, protocol selection guidance and the analytical tools needed to evaluate the effectiveness of these mitigations. It serves as a security guide to system designers, architects, product managers, security specialists, fraud analysts and engineers implementing cross-device flows.

The IETF Secretariat

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth