Security by Design
Facebook Twitter LinkedIn

Defending Cross-Device flows against Illicit Consent Grant Attacks

Combined Session
Thursday, May 11, 2023 17:50—18:10

Cross device flows lets a user initiate an action on one device (e.g. a SmartTV) and authenticate or authorize that action on a trusted personal device (e.g. a mobile phone). Examples includes authorizing a smart TV to access streaming content, or authenticating to a service by scanning a QR code with a mobile phone and completing the authentication on the mobile phone. This process of authorizing an action on a separate (but trusted) device from the one on which an action is initiated is an increasingly common flow, whether used for devices with limited input capabilities, multi-factor authentication or credential presentation. A number of standards have adopted this pattern including Device Authorization Grant (formerly Device Code Flow), Client Initiated Backchannel Authentication (CIBA) and Self Issued OpenID Provider (SIOP). These flows solve important business problems, but is vulnerable to attacks where the user is tricked into granting consent to an attacker. The IETF OAuth working group has recognised this challenge and is creating new guidance that leverages zero-trust principles to defend against these "illicit consent grant" attacks. This session will discuss the attacks and how the new guidance can mitigate these threats against cross device flows.

Pieter Kasselman
Pieter Kasselman
Microsoft
Pieter Kasselman is a member of Microsoft's Identity Standards team where he focus on developing standards to address the most important problems in the field of identity. Pieter has over 25 years'...

Tickets

Hybrid Ticket
Experience the full conference
€1300
€2500
till March 31st
Whole conference (May 09-12, 2023)
Choose if you want to attend on-site or participate online
Access to live sessions, expo-area & networking events on-site
Access to online event platform to view live- & online streams
Access to the virtual expo area
(Video-) Chat and interact with all attendees on-site and online
Virtual Ticket
Full virtual experience
€700
€1300
till March 31st
Whole conference (May 09-12, 2023) online
Access to online event platform to view live streams
Access to the virtual expo area
(Video-) Chat and interact with all attendees on-site and online
Have you participated in our events?
Contact us to get a special discount
Other ways to attend
Young Talents -
student program
Register and apply
Journalists &
Bloggers
Confirm press accreditation
Subscribe for updates
Please provide your email address