Device Code Flow
Device Code Flow is an authentication method used for devices that lack a traditional input interface, such as smart TVs, IoT devices, or printers. It allows users to authenticate on a separate device with a browser, making it ideal for scenarios where direct login isn't feasible.
Context
Problems
There's an article making the rounds about Device Code Flow with passkeys, with some clickbaity statements about passkeys' phishing resistance being bypassed.
Device Code Flow (DCF) is an inherently phishable end-to-end flow. Specifically, the state transfer that happens AFTER authenticating can be relayed. There is no change to the security or phishing-resistant properties of a passkey or WebAuthn ceremony: the passkey is used between the user's authenticator and the relying party (RP), and that part remains strong and phishing resistant. Everything after that is problematic.
It shouldn't be used outside of low-risk scenarios like linking a TV to a streaming account.
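To make the point concrete, here is a toy simulation of the device authorization grant (the three steps of RFC 8628) written for this page; it is an added example, not code from the original page or from any identity provider. The endpoint names, the constructed user codes, and the `https://idp.example/device` verification URI are assumptions. It shows what the paragraph above describes: the user's sign-in (the phishing-resistant passkey ceremony, modelled here as `approve()`) binds a user to a `user_code` only, while the token is later handed to whichever client presents the matching `device_code`. Nothing ties the browser that authenticated to the device that collects the token, which is why the post-authentication state transfer is relayable. The server-side mitigations a practitioner would expect at minimum, short code lifetimes and single-use tokens, are included so their effect is visible.

```python
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple


@dataclass
class DeviceGrant:
    device_code: str           # secret held by the device that started the flow
    user_code: str             # short code the user types into a browser
    expires_at: float
    approved_by: Optional[str] = None
    token_issued: bool = False


class AuthorizationServer:
    """Toy RFC 8628 device authorization grant. Assumed example server, not a real IdP."""

    def __init__(self, lifetime_s: float = 600.0,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self._clock = clock
        self._lifetime = lifetime_s
        self._by_device: Dict[str, DeviceGrant] = {}
        self._by_user: Dict[str, DeviceGrant] = {}

    def device_authorization(self) -> dict:
        # Step 1: the input-constrained device asks for a grant and receives both codes.
        grant = DeviceGrant(
            device_code=secrets.token_urlsafe(32),
            user_code=f"{secrets.randbelow(10**4):04d}-{secrets.randbelow(10**4):04d}",
            expires_at=self._clock() + self._lifetime,
        )
        self._by_device[grant.device_code] = grant
        self._by_user[grant.user_code] = grant
        return {
            "device_code": grant.device_code,
            "user_code": grant.user_code,
            "verification_uri": "https://idp.example/device",  # assumed URI
            "expires_in": int(self._lifetime),
            "interval": 5,
        }

    def approve(self, user_code: str, authenticated_user: str) -> bool:
        # Step 2: on a browser the user enters user_code and signs in, e.g. with a passkey.
        # The sign-in itself is phishing resistant, but what it approves is simply the
        # grant that carries this user_code; the server never learns which physical
        # device the user is standing in front of.
        grant = self._by_user.get(user_code)
        if grant is None or self._clock() > grant.expires_at:
            return False
        grant.approved_by = authenticated_user
        return True

    def token(self, device_code: str) -> dict:
        # Step 3: the device polls. The token goes to whoever presents device_code,
        # regardless of who did the approving or where. Short lifetime and single use
        # narrow the window but do not change that property.
        grant = self._by_device.get(device_code)
        if grant is None:
            return {"error": "invalid_grant"}
        if self._clock() > grant.expires_at:
            return {"error": "expired_token"}
        if grant.approved_by is None:
            return {"error": "authorization_pending"}
        if grant.token_issued:
            return {"error": "invalid_grant"}   # single use: a second poll gets nothing
        grant.token_issued = True
        return {"access_token": secrets.token_urlsafe(24), "sub": grant.approved_by}


def demo() -> Tuple[dict, dict, dict]:
    """Run one happy-path flow and return the three successive token responses."""
    srv = AuthorizationServer()
    start = srv.device_authorization()
    pending = srv.token(start["device_code"])            # before the user approves
    srv.approve(start["user_code"], "alice")             # user signs in on a browser
    issued = srv.token(start["device_code"])             # device collects the token
    replay = srv.token(start["device_code"])             # token is single use
    return pending, issued, replay


if __name__ == "__main__":
    pending, issued, replay = demo()
    print("before approval:", pending)
    print("after approval: ", {k: v for k, v in issued.items() if k != "access_token"})
    print("second poll:    ", replay)
```

Note that `approve()` takes only a `user_code` and the authenticated identity; a model where the approval step also had to prove possession of the `device_code` would not be the device code flow any more, because the whole point of the flow is that the authenticating browser and the device share nothing but a short code the user carries between them.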
References
- See wiki page on Cross Device