Device Code Flow

From MgmtWiki
Latest revision as of 10:28, 24 April 2025

Meme

Device Code Flow is an authentication method used for devices that lack a traditional input interface, such as smart TVs, IoT devices, or printers. It allows users to authenticate on a separate device with a browser, making it ideal for scenarios where direct login isn't feasible.

Context

Device Requests Authorization: The device generates a unique code and prompts the user to visit a verification URL on another device.

User Enters Code: The user accesses the URL on a phone or computer, enters the code, and logs in.

Device Receives Token: Once authentication is complete, the device obtains an access token, allowing it to interact with protected resources.

This flow is commonly used in Microsoft Entra ID and other identity platforms to enable secure authentication for constrained devices.
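The three steps above as an added example, not code from the wiki page or from any identity platform: a minimal in-memory model of the OAuth 2.0 Device Authorization Grant (RFC 8628), the "Device Code Flow" the page describes. The verification URL, client id, user names and timings are constructed placeholders.

```python
import secrets
import time

USER_CODE_ALPHABET = "BCDFGHJKLMNPQRSTVWXZ"  # RFC 8628 suggests a small, unambiguous alphabet

class DeviceAuthorizationServer:
    """In-memory authorization server for the device flow (constructed example)."""
    def __init__(self, lifetime=600, interval=5, clock=time.time):
        self.lifetime, self.interval, self.clock = lifetime, interval, clock
        self.sessions = {}      # device_code -> session state
        self.by_user_code = {}  # user_code -> device_code

    def device_authorization(self, client_id):
        """Step 1: the device asks for a code pair and the verification URL to show the user."""
        device_code = secrets.token_urlsafe(32)   # high-entropy, never shown to the user
        user_code = "".join(secrets.choice(USER_CODE_ALPHABET) for _ in range(8))  # short, typed by hand
        self.sessions[device_code] = {"client_id": client_id, "user_code": user_code, "approved_by": None,
                                      "expires_at": self.clock() + self.lifetime, "last_poll": 0.0}
        self.by_user_code[user_code] = device_code
        return {"device_code": device_code, "user_code": user_code,
                "verification_uri": "https://idp.example/device",  # constructed placeholder
                "expires_in": self.lifetime, "interval": self.interval}

    def approve(self, user_code, authenticated_user):
        """Step 2: the user, logged in on a phone or laptop (e.g. with a passkey), enters the code."""
        device_code = self.by_user_code.get(user_code)
        session = self.sessions.get(device_code)
        if session is None or self.clock() > session["expires_at"]:
            return False
        # The server learns which user approved, but not whether the screen that
        # displayed this code belongs to the device the user thinks it does.
        session["approved_by"] = authenticated_user
        return True

    def token(self, device_code, client_id):
        """Step 3: the device polls; whoever presents device_code receives the token."""
        session = self.sessions.get(device_code)
        if session is None or session["client_id"] != client_id:
            return {"error": "invalid_grant"}
        now = self.clock()
        if now > session["expires_at"]:
            return {"error": "expired_token"}
        if now - session["last_poll"] < self.interval:
            return {"error": "slow_down"}  # device polled faster than allowed
        session["last_poll"] = now
        if session["approved_by"] is None:
            return {"error": "authorization_pending"}
        del self.sessions[device_code], self.by_user_code[session["user_code"]]
        return {"access_token": secrets.token_urlsafe(24), "token_type": "Bearer", "sub": session["approved_by"]}
```

The model makes the property discussed under Problems visible: approval binds the session to the authenticated user, while the token is released to whichever client holds the device code, so a short lifetime and a clear description of the requesting device on the verification page are the server-side controls that matter.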

Problems

There's an article making the rounds about Device Code Flow with passkeys, with some click-bait statements around passkeys' phishing resistance being bypassed.

DCF is an inherently phishable end-to-end flow: specifically, the state transfer after authentication can be relayed. This does not change the security or phishing-resistance properties of a passkey or WebAuthn ceremony. The passkey is used between the user's authenticator and the RP; that part remains strong and phishing resistant. Everything after that is problematic.

It shouldn't be used outside of low-risk scenarios like linking a TV to a streaming account.
