Risk Mitigation for Cross Device Flows скачать в хорошем качестве

Risk Mitigation for Cross Device Flows

Presented by Pieter Kasselmann at the OAuth Security Workshop 2021 Cross device flows allows users to initiate an action on one device and then authenticate or authorize that action on a trusted device like a mobile phone. An example of this includes authorizing a smart TV to access streaming content, or authenticating to a service by scanning a QR code with a mobile phone. This process of authorizing an action on a separate (but trusted) device from the one on which an action is initiated is an increasingly common flow, whether used for devices with limited input capabilities, multi-factor authentication or credential presentation. Reflecting the popularity of these flows, a number of standards support it, including Device Authorization Grant (formerly Device Code Flow (DCF)), Client Initiated Backchannel Authentication (CIBA) and Self Issued OpenID Provider (SIOP). However, despite existing implementation guidance and mitigations, attackers are able to exploit these standards based flows using phishing and other social engineering attacks, which allows them to gain access to customer systems and data. The purpose of this session is to start the conversation on additional risk mitigations to secure cross device flows while still allowing users to initiate an action on one device and then authenticate and authorize that action on a separate trusted device.