Device Code Flow
From MgmtWiki
Revision as of 10:12, 24 April 2025 by Tom
Meme
Context
Problems
There's an article making the rounds about Device Code Flow with passkeys, with some click-baity statements about passkeys' phishing resistance being bypassed.
Device Code Flow (the OAuth 2.0 Device Authorization Grant, RFC 8628) is an inherently phishable end-to-end flow. Specifically, the state transfer AFTER the user authenticates can be relayed: the attacker starts the flow on their own device, passes the resulting user code and genuine verification URI to the victim, and collects the token once the victim approves. Nothing about this changes the security or phishing-resistant properties of the passkey or of the WebAuthn ceremony. The passkey is used between the user's authenticator and the RP, at the RP's genuine origin, and that step remains strong and phishing resistant. Everything after that is problematic, because the approval is bound to the user code the attacker obtained, not to the device the user authenticated from.
It shouldn't be used outside of low-risk scenarios like linking a TV to a streaming account.
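The following toy model of the device code flow is an added example, not code from this wiki or from the article it discusses. It simulates the three parties (authorization server, the device that starts the flow, and the user's passkey) so the two claims above can be checked side by side: a passkey still refuses to sign for a lookalike origin, yet a device code flow the attacker started is approved by the victim's passkey at the genuine origin and the token is issued to the attacker's device. The origin, client id, endpoint names and the SHA-256 stand-in for a WebAuthn assertion are all illustrative assumptions.

```python
"""Toy model of the OAuth 2.0 Device Authorization Grant (RFC 8628) with a
passkey login on the verification page. Illustrative only: names, origins and
the hash-based 'assertion' are assumptions, not any real implementation."""
import hashlib
import secrets

RP_ORIGIN = "https://login.example.com"   # assumed genuine RP origin


class Passkey:
    """Stand-in for a WebAuthn credential: it only produces assertions for its own RP origin."""

    def __init__(self, user, rp_origin):
        self.user = user
        self.rp_origin = rp_origin

    def assert_for(self, origin, challenge):
        # Browser + authenticator refuse to use the credential on a different origin.
        # That refusal is the phishing-resistant property of the ceremony.
        if origin != self.rp_origin:
            return None
        return hashlib.sha256(f"{self.user}|{origin}|{challenge}".encode()).hexdigest()


class AuthorizationServer:
    def __init__(self):
        self.pending = {}        # device_code -> {"client_id", "user_code", "user"}
        self.by_user_code = {}   # user_code -> device_code
        self.tokens = {}         # access_token -> user it was issued for

    def device_authorization(self, client_id):
        """POST /device_authorization: whoever calls this holds both codes."""
        device_code = secrets.token_urlsafe(16)
        user_code = "-".join(secrets.token_hex(2).upper() for _ in range(2))
        self.pending[device_code] = {"client_id": client_id, "user_code": user_code, "user": None}
        self.by_user_code[user_code] = device_code
        return {"device_code": device_code, "user_code": user_code,
                "verification_uri": f"{RP_ORIGIN}/device"}

    def verify(self, user_code, passkey, origin):
        """User opens verification_uri, types the user_code and signs in with a passkey."""
        challenge = secrets.token_hex(8)
        assertion = passkey.assert_for(origin, challenge)
        # The server knows which user the credential belongs to and validates against its own origin.
        expected = hashlib.sha256(f"{passkey.user}|{RP_ORIGIN}|{challenge}".encode()).hexdigest()
        if assertion != expected:
            return "passkey_failed"          # wrong origin: classic phishing is blocked here
        device_code = self.by_user_code.get(user_code)
        if device_code is None:
            return "invalid_user_code"
        # The approval is tied to the user_code, not to the device the user is sitting at.
        self.pending[device_code]["user"] = passkey.user
        return "approved"

    def token(self, device_code):
        """POST /token with grant_type=urn:ietf:params:oauth:grant-type:device_code."""
        req = self.pending.get(device_code)
        if req is None:
            return {"error": "invalid_grant"}
        if req["user"] is None:
            return {"error": "authorization_pending"}
        tok = secrets.token_urlsafe(24)
        self.tokens[tok] = req["user"]
        return {"access_token": tok}


def relay_attack(server, victim_passkey):
    """Attacker starts the flow; victim approves at the real site; attacker polls and gets the token."""
    dev = server.device_authorization(client_id="attacker-cli")
    # Attacker forwards the genuine verification_uri and user_code to the victim (mail, chat, ...).
    result = server.verify(dev["user_code"], victim_passkey, origin=RP_ORIGIN)
    tok = server.token(dev["device_code"])
    return result, tok, server.tokens.get(tok.get("access_token"))


def lookalike_phish(server, victim_passkey):
    """Ordinary phishing page on a lookalike origin: the passkey will not sign, nothing is approved."""
    dev = server.device_authorization(client_id="attacker-cli")
    result = server.verify(dev["user_code"], victim_passkey,
                           origin="https://login.example.com.evil.test")
    return result, server.token(dev["device_code"])


if __name__ == "__main__":
    srv = AuthorizationServer()
    alice = Passkey("alice", RP_ORIGIN)
    print("relay via device code:", relay_attack(srv, alice))
    print("lookalike origin:     ", lookalike_phish(srv, alice))
```

The relay case approves and issues a token for the victim even though the attacker never saw a credential or an assertion; the lookalike case fails before the user code is even consulted. That is the whole point of the Problems section: the ceremony is fine, the grant that follows it is what gets relayed.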
References
- See wiki page on Cross Device