Best Current Practices for Cross-Device Flows
Cross-device flows enable a user to initiate an authorization flow on one device (the initiating device) and then use a second, personally trusted, device (authorization device) to authorize access to a resource (e.g., access to a service).
These flows are increasingly popular and typically involve using a mobile phone to scan a QR code or enter a user code displayed on an initiating device (e.g., Smart TV, Kiosk, Personal Computer, etc.).
The above is an excerpt from a new IETF Best Current Practice (BCP) draft about cross-device flows.
IdentityServer implements both the OAuth 2.0 Device Authorization Grant (RFC 8628) and OpenID Connect Client-Initiated Backchannel Authentication (CIBA).
Both protocols can be used for cross-device flows, but they have different security properties: in the device grant the user carries a code from the initiating device to the authorization device, whereas in CIBA the authorization server pushes the request to a device already registered for that user. The draft continues:
The channel between the initiating device and the authorization device is unauthenticated and relies on the user’s judgment to decide whether to trust a QR code, user code, or the authorization request pushed to their authorization device.
Several publications have emerged in the public domain, describing how the unauthenticated channel can be exploited using social engineering techniques borrowed from phishing. Unlike traditional phishing attacks, these attacks don’t harvest credentials. Instead, they skip the step of collecting credentials by persuading users to grant authorization using their authorization devices.
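To make that unauthenticated channel concrete, here is a self-contained simulation of the Device Authorization Grant (RFC 8628) with both sides' messages. This is an added example, not code from this post or from IdentityServer: the in-memory AuthorizationServer, FakeClock, run_flow, the endpoint URLs and the client_id and subject names are assumptions for illustration; the grant-type URN, the response fields, the error codes and the user-code alphabet follow RFC 8628.

```python
"""Simulation of the OAuth 2.0 Device Authorization Grant (RFC 8628).

Added example; not IdentityServer code. The in-memory AuthorizationServer
is a stand-in for a real AS: the grant-type URN, response fields, error
codes and polling rules follow RFC 8628, while the endpoint URLs,
client_id values, subjects and the FakeClock are assumptions.
"""
import secrets

DEVICE_GRANT = "urn:ietf:params:oauth:grant-type:device_code"
# RFC 8628 s6.1 suggests a user-code alphabet without vowels or easily
# confused characters; two groups of four give 20**8 possible codes.
USER_CODE_ALPHABET = "BCDFGHJKLMNPQRSTVWXZ"


class FakeClock:
    """Deterministic clock so expiry and polling intervals are testable."""
    def __init__(self):
        self.t = 0.0
    def now(self):
        return self.t
    def advance(self, seconds):
        self.t += seconds


class AuthorizationServer:
    def __init__(self, clock, lifetime=600, interval=5):
        self.clock, self.lifetime, self.interval = clock, lifetime, interval
        self.pending = {}       # device_code -> request record
        self.by_user_code = {}  # user_code -> device_code

    def device_authorization(self, client_id, scope):
        """POST /device_authorization (RFC 8628 s3.1/3.2), from the initiating device."""
        device_code = secrets.token_urlsafe(32)
        user_code = "-".join("".join(secrets.choice(USER_CODE_ALPHABET) for _ in range(4))
                             for _ in range(2))
        self.pending[device_code] = {"client_id": client_id, "scope": scope,
                                     "user_code": user_code, "issued": self.clock(),
                                     "last_poll": None, "decision": None, "subject": None}
        self.by_user_code[user_code] = device_code
        return {"device_code": device_code, "user_code": user_code,
                "verification_uri": "https://as.example/device",
                "verification_uri_complete": "https://as.example/device?user_code=" + user_code,
                "expires_in": self.lifetime, "interval": self.interval}

    def user_decision(self, user_code, subject, approve):
        """The authorization device (RFC 8628 s3.3): an authenticated user types
        the code and approves or denies. The AS does not learn who showed the
        user this code, or on which screen."""
        device_code = self.by_user_code.get(user_code)
        record = self.pending.get(device_code)
        if record is None or self.clock() - record["issued"] > self.lifetime:
            return {"error": "invalid_user_code"}
        record["decision"], record["subject"] = approve, subject
        return {"status": "ok", "client_id": record["client_id"], "scope": record["scope"]}

    def token(self, grant_type, device_code, client_id):
        """POST /token (RFC 8628 s3.4/3.5), polled by the initiating device."""
        if grant_type != DEVICE_GRANT:
            return {"error": "unsupported_grant_type"}
        record = self.pending.get(device_code)
        if record is None or record["client_id"] != client_id:
            return {"error": "invalid_grant"}
        now = self.clock()
        if now - record["issued"] > self.lifetime:
            self._drop(device_code, record)
            return {"error": "expired_token"}
        last, record["last_poll"] = record["last_poll"], now
        if last is not None and now - last < self.interval:
            return {"error": "slow_down"}   # client polled too fast; must back off
        if record["decision"] is None:
            return {"error": "authorization_pending"}
        self._drop(device_code, record)     # device codes are single use
        if not record["decision"]:
            return {"error": "access_denied"}
        return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer",
                "scope": record["scope"], "sub": record["subject"]}

    def _drop(self, device_code, record):
        del self.pending[device_code]
        del self.by_user_code[record["user_code"]]


def run_flow(approver):
    """Drive one flow end to end; `approver` is the subject who types the user
    code on their phone. Returns the final token response."""
    clock = FakeClock()
    server = AuthorizationServer(clock.now)
    start = server.device_authorization("smart-tv-app", "profile")
    # --- unauthenticated channel: user_code now travels as a QR code or a
    # string on a screen; the AS cannot bind it to a particular device. ---
    assert server.token(DEVICE_GRANT, start["device_code"], "smart-tv-app") == {"error": "authorization_pending"}
    assert server.token(DEVICE_GRANT, start["device_code"], "smart-tv-app") == {"error": "slow_down"}
    clock.advance(start["interval"])
    server.user_decision(start["user_code"], approver, approve=True)
    clock.advance(start["interval"])
    return server.token(DEVICE_GRANT, start["device_code"], "smart-tv-app")


if __name__ == "__main__":
    # Legitimate: the TV app shows the code and its owner approves it.
    print(run_flow("alice"))
    # Illicit-consent phishing: an attacker starts the same flow with the
    # public client_id, relays the user_code to the victim, and receives a
    # token for the victim; the AS saw an identical exchange both times.
    print(run_flow("victim"))
```

The point to take from run_flow is that the authorization server sees exactly the same messages whether the user code reached the phone from the user's own TV or from an attacker's relay, so the token exchange itself cannot reject the second case; the defence has to come from outside it, which is why the draft's guidance matters.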
If you have an existing or planned deployment of a cross-device flow, we highly recommend reading this draft. It contains a lot of practical guidance, including on choosing between the two protocols.
We are happy to help you with your security architecture and IdentityServer implementation. Feel free to contact us.