Hi Pieter / Daniel / Filip

It’s great to see this document moving forward.
I may have missed it, but it may be worth being more explicit that one solution is to avoid using cross-device flows for same-device scenarios? It’s sort of obvious, but questions like “well CIBA works for both cross-device and same-device, can’t I save myself effort by only implementing CIBA and not bothering with standard redirect-based OAuth flows?” are commonly asked.

Also, in this text:

"If FIDO2/WebAuthn support is not available, Channel Initiated Backchannel Authentication (CIBA) provides an alternative, provided that the underlying devices can receive push notifications.”

It might be best to use a term other than ‘push notifications’ there, or otherwise reword this, as there are alternatives. e.g. I think there’s at least one CIBA implementation out there that can use email to notify the user of an authorization request.

Thanks

Joseph

> On 19 Oct 2022, at 15:55, Pieter Kasselman <pieter.kasselman=40microsoft....@dmarc.ietf.org> wrote:
>
> Hi All
>
> Following on from the discussions at IETF 113, the OAuth Security Workshop,
> Identiverse and IETF 114, Daniel, Filip and I created a draft document
> capturing some of the attacks that we are seeing on cross device flows,
> including Device Authorization Grant (aka Device Code Flow).
>
> These attacks exploit the unauthenticated channel between devices to trick
> users into granting authorization by using social engineering techniques to
> change the context in which authorization is requested.
>
> The purpose of the document is to serve as guidance on best practices when
> designing and implementing scenarios that require cross device flows. We
> would appreciate any feedback or comments on the document, or any other
> mitigations or techniques that can be used to mitigate these attacks. Links
> to the documents are below. We also hope to discuss this at IETF 115 in
> London in a few weeks' time.
>
> -----------------------------------------------------------------------------------------------------
> A new version of I-D, draft-kasselman-cross-device-security-00.txt
> has been successfully submitted by Pieter Kasselman and posted to the IETF
> repository.
>
> Name: draft-kasselman-cross-device-security
> Revision: 00
> Title: Cross Device Flows: Security Best Current Practice
> Document date: 2022-10-19
> Group: Individual Submission
> Pages: 25
> URL: https://www.ietf.org/archive/id/draft-kasselman-cross-device-security-00.txt
> Status: https://www.ietf.org/archive/id/draft-kasselman-cross-device-security-00.txt
> Html: https://www.ietf.org/archive/id/draft-kasselman-cross-device-security-00.html
> Htmlized: https://datatracker.ietf.org/doc/html/draft-kasselman-cross-device-security
>
> Abstract:
> This document describes threats against cross-device flows along with
> near term mitigations, protocol selection guidance and the analytical
> tools needed to evaluate the effectiveness of these mitigations. It
> serves as a security guide to system designers, architects, product
> managers, security specialists, fraud analysts and engineers
> implementing cross-device flows.
>
> The IETF Secretariat
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
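The attack Pieter summarises above (the attacker initiates a Device Authorization Grant and socially engineers the victim into entering the user_code) is easier to reason about with the three legs of RFC 8628 written out. The following is an added example for this thread, not code from the draft or from any of its authors: a toy in-memory authorization server with a device endpoint, a verification (user_code) endpoint and a polling token endpoint, followed by the honest flow and the attacker-initiated flow run against it. The client id "tv-app", the subject "alice", the verification URI and the token format are all made up for illustration.

```python
"""
Toy model of the RFC 8628 Device Authorization Grant ("device code flow").

Constructed example; the authorization server, client id, subject names and
token format are hypothetical.  It shows that nothing in the protocol ties
the user who enters the user_code to the device that requested it: that gap
is the unauthenticated cross-device channel the draft's attacks exploit.
"""
import secrets
import string
import time

# RFC 8628 suggests a short, human-typable alphabet for user_code.
USER_CODE_ALPHABET = string.ascii_uppercase + string.digits


class AuthorizationServer:
    """Minimal AS with the three endpoints the flow needs (hypothetical)."""

    def __init__(self, verification_uri="https://as.example/device"):
        self.verification_uri = verification_uri
        self._requests = {}  # device_code -> pending/approved request

    def device_authorization(self, client_id, scope):
        # Leg 1: the initiating device asks for codes.  device_code stays on
        # that device; user_code is meant to be shown to the user and typed
        # on whatever device they use to authenticate.
        device_code = secrets.token_urlsafe(32)
        user_code = "".join(secrets.choice(USER_CODE_ALPHABET) for _ in range(8))
        self._requests[device_code] = {
            "client_id": client_id, "scope": scope, "user_code": user_code,
            "status": "authorization_pending", "subject": None,
            "expires_at": time.time() + 600,
        }
        return {"device_code": device_code, "user_code": user_code,
                "verification_uri": self.verification_uri,
                "expires_in": 600, "interval": 5}

    def approve(self, authenticated_subject, user_code):
        # Leg 2: an already-authenticated user enters a user_code at the
        # verification URI.  The AS learns who approved, but cannot tell
        # whether that user also holds the device that requested the code:
        # the user_code travelled over a channel the AS never saw.
        for req in self._requests.values():
            if (req["user_code"] == user_code
                    and req["status"] == "authorization_pending"
                    and req["expires_at"] > time.time()):
                req["status"] = "approved"
                req["subject"] = authenticated_subject
                return {"status": "approved", "client_id": req["client_id"]}
        return {"error": "invalid_user_code"}

    def token(self, device_code):
        # Leg 3: whoever holds device_code polls and, once approved, receives
        # a token issued for the approving user.
        req = self._requests.get(device_code)
        if req is None or req["expires_at"] <= time.time():
            return {"error": "expired_token" if req else "invalid_grant"}
        if req["status"] != "approved":
            return {"error": req["status"]}
        return {"access_token": "tok-" + secrets.token_hex(8),
                "token_type": "Bearer", "sub": req["subject"],
                "issued_to_device_code": device_code}


def same_user_flow():
    """Intended use: Alice starts the flow on her TV and approves on her phone."""
    as_ = AuthorizationServer()
    tv = as_.device_authorization(client_id="tv-app", scope="openid profile")
    # Alice reads the user_code off the TV screen and types it on her phone.
    as_.approve(authenticated_subject="alice", user_code=tv["user_code"])
    return as_.token(tv["device_code"])


def attacker_initiated_flow():
    """The attacker starts the flow on a device they control and gets Alice
    to enter the code by presenting it in a misleading context."""
    as_ = AuthorizationServer()
    attacker = as_.device_authorization(client_id="tv-app", scope="openid profile")
    # Leg 2 looks perfectly ordinary to the AS: Alice is authenticated and
    # has typed a valid user_code.  Only the context she was given differs.
    as_.approve(authenticated_subject="alice", user_code=attacker["user_code"])
    # The attacker, not Alice, holds device_code and so receives Alice's token.
    return as_.token(attacker["device_code"])


if __name__ == "__main__":
    print("honest flow, token for:", same_user_flow()["sub"])
    print("attacker-initiated flow, token for:", attacker_initiated_flow()["sub"])
```

Both flows produce a token for "alice"; the only difference is which device_code, and therefore which party, collects it. That is why the mitigations have to act on the context shown to the user at leg 2 or on the choice of flow, rather than on anything the AS can check at leg 3.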