Difference between revisions of "Device Code Flow"

From MgmtWiki

Revision as of 10:25, 24 April 2025

Meme

Device Code Flow is an authentication method used for devices that lack a traditional input interface, such as smart TVs, IoT devices, or printers. It allows users to authenticate on a separate device with a browser, making it ideal for scenarios where direct login isn't feasible.

Context

Problems

There's an article making the rounds about Device Code Flow with passkeys, with some clickbait statements about passkeys' phishing resistance being bypassed.

DCF is an inherently phishable end-to-end flow. Specifically, the state transfer AFTER authenticating can be relayed. There is no change to the security or phishing-resistant properties of a passkey or WebAuthn ceremony. The passkey is used between the user's authenticator and the RP; that step remains strong and phishing resistant. Everything after that is problematic.

It shouldn't be used outside of low-risk scenarios, like linking a TV to a streaming account.
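The flow described above, modelled as an added example (this is not code from the wiki or from any real authorization server): a minimal in-memory RFC 8628 device authorization server in which the user code is the only link between the browser session that approves the request and the device that later collects the token, plus a scope policy of the kind the preceding paragraph recommends. The endpoint method names, the LOW_RISK_SCOPES set, the verification URI and the user names are assumptions.

```python
import secrets

# Assumed policy for this example: device code flow is only honoured for
# scopes judged low risk (e.g. linking a TV to a streaming account).
LOW_RISK_SCOPES = {"tv:link", "profile:read"}


class DeviceAuthServer:
    """Toy model of an OAuth 2.0 Device Authorization Grant server."""

    def __init__(self):
        self._pending = {}  # device_code -> pending request record

    def device_authorization(self, client_id, scope):
        """Step 1: the input-constrained device requests its codes."""
        if not set(scope.split()) <= LOW_RISK_SCOPES:
            # Refuse DCF outright for anything beyond low-risk scopes.
            return {"error": "unauthorized_client"}
        device_code = secrets.token_urlsafe(32)
        user_code = "-".join(secrets.token_hex(2).upper() for _ in range(2))
        self._pending[device_code] = {
            "client_id": client_id, "scope": scope,
            "user_code": user_code, "approved_by": None,
        }
        return {"device_code": device_code, "user_code": user_code,
                "verification_uri": "https://as.example/device"}  # assumed

    def approve(self, user_code, authenticated_user):
        """Step 2: the browser session that completed the login ceremony
        (a passkey, say) enters user_code. The server records whoever
        authenticated; the user_code is its only link to the device, so
        the ceremony's phishing resistance does not carry over here."""
        for rec in self._pending.values():
            if rec["user_code"] == user_code and rec["approved_by"] is None:
                rec["approved_by"] = authenticated_user
                return True
        return False

    def token(self, device_code):
        """Step 3: the device polls. The token goes to whoever holds
        device_code, bound to the account that approved the user_code."""
        rec = self._pending.get(device_code)
        if rec is None:
            return {"error": "invalid_grant"}
        if rec["approved_by"] is None:
            return {"error": "authorization_pending"}
        return {"access_token": secrets.token_urlsafe(16),
                "sub": rec["approved_by"], "scope": rec["scope"]}
```

The token step never learns anything about the approving browser beyond the account name, which is why the model refuses any scope outside the low-risk set before issuing codes at all.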

References