Security by Design

Defending Cross-Device flows against Illicit Consent Grant Attacks

Combined Session
Thursday, May 11, 2023 17:50—18:10
Location: A 03-04

Cross-device flows let a user initiate an action on one device (e.g. a smart TV) and authenticate or authorize that action on a trusted personal device (e.g. a mobile phone). Examples include authorizing a smart TV to access streaming content, or authenticating to a service by scanning a QR code with a mobile phone and completing the authentication on the phone. Authorizing an action on a separate (but trusted) device from the one on which it was initiated is an increasingly common pattern, whether for devices with limited input capabilities, multi-factor authentication or credential presentation. A number of standards have adopted it, including the Device Authorization Grant (RFC 8628, formerly known as the Device Code Flow), Client Initiated Backchannel Authentication (CIBA) and Self-Issued OpenID Provider (SIOP). These flows solve important business problems, but they are vulnerable to attacks in which the user is tricked into granting consent to an attacker: the attacker initiates the flow on a device they control, obtains the code or QR it produces, and induces the victim to approve it on the victim's own trusted device. The IETF OAuth working group has recognised this challenge and is creating new guidance that applies zero-trust principles to defend against these "illicit consent grant" attacks. This session will discuss the attacks and how the new guidance can mitigate these threats against cross-device flows.
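The following is an added example, not material from the session, the slide deck or the IETF draft. It models the Device Authorization Grant (RFC 8628) named in the abstract, runs an illicit consent grant against an unhardened authorization server, and then shows one zero-trust style check of the kind the guidance describes: the server binds each user code to the network context of the device that requested it and refuses approval from a different network, gives codes a short lifetime and makes them single use. The /24 comparison, the 300-second lifetime, the client name and all IP addresses (RFC 5737 documentation ranges) are constructed assumptions for illustration.

```python
"""Toy model of the OAuth 2.0 Device Authorization Grant (RFC 8628) showing an
illicit consent grant and one zero-trust style mitigation.  Added example, not
material from the session or the IETF draft.  Assumed and simplified: the
authorization server binds each user code to the /24 network of the device that
requested it and refuses approval from another network, gives codes a short
lifetime, and makes them single use.  IP addresses are constructed (RFC 5737
documentation ranges)."""
import ipaddress
import secrets
import time

CODE_LIFETIME_S = 300          # assumed: a short lifetime narrows the phishing window
USER_CODE_ALPHABET = "BCDFGHJKLMNPQRSTVWXZ"   # no vowels, so codes never spell words


class AuthorizationServer:
    def __init__(self, require_same_network=False, clock=time.time):
        self.require_same_network = require_same_network  # the mitigation toggle
        self.clock = clock                                # injectable for expiry tests
        self.requests = {}       # device_code -> request record
        self.by_user_code = {}   # user_code -> device_code

    def device_authorization(self, client_id, requester_ip):
        """RFC 8628 3.1/3.2: the initiating device (TV, CLI, ...) obtains the codes."""
        device_code = secrets.token_urlsafe(32)
        user_code = "-".join(
            "".join(secrets.choice(USER_CODE_ALPHABET) for _ in range(4)) for _ in range(2)
        )
        self.requests[device_code] = {
            "client_id": client_id,
            "user_code": user_code,
            # context of the device that started the flow; compared at consent time
            "requester_net": ipaddress.ip_network(f"{requester_ip}/24", strict=False),
            "issued": self.clock(),
            "status": "pending",    # pending -> approved | denied
        }
        self.by_user_code[user_code] = device_code
        return {"device_code": device_code, "user_code": user_code,
                "expires_in": CODE_LIFETIME_S}

    def approve(self, user_code, authorizer_ip):
        """RFC 8628 3.3: the user enters the code on the trusted device.
        Returns a reason string instead of raising so callers can log it."""
        device_code = self.by_user_code.get(user_code)
        if device_code is None:
            return "invalid_code"
        req = self.requests[device_code]
        if req["status"] != "pending":
            return "already_used"           # single use: a replayed code is rejected
        if self.clock() - req["issued"] > CODE_LIFETIME_S:
            req["status"] = "denied"
            return "expired"
        if (self.require_same_network
                and ipaddress.ip_address(authorizer_ip) not in req["requester_net"]):
            req["status"] = "denied"        # approving device is not where the request came from
            return "context_mismatch"
        req["status"] = "approved"
        return "approved"

    def token(self, device_code):
        """RFC 8628 3.4/3.5: the initiating device polls; only approved requests get a token."""
        req = self.requests.get(device_code)
        if req is None or req["status"] != "approved":
            return None
        return "access_token_for_" + req["client_id"]


def illicit_consent_grant(require_same_network):
    """Attacker starts the flow on their own device and phishes the victim
    (constructed addresses: attacker 203.0.113.7, victim 198.51.100.9)."""
    authz = AuthorizationServer(require_same_network=require_same_network)
    resp = authz.device_authorization("streaming-tv-app", "203.0.113.7")
    # The attacker relays resp["user_code"] to the victim (mail, chat, fake support call).
    outcome = authz.approve(resp["user_code"], "198.51.100.9")
    return outcome, authz.token(resp["device_code"])


def legitimate_flow():
    """TV and phone on the same home network; the second approve shows single use."""
    authz = AuthorizationServer(require_same_network=True)
    resp = authz.device_authorization("streaming-tv-app", "192.0.2.20")
    first = authz.approve(resp["user_code"], "192.0.2.33")
    second = authz.approve(resp["user_code"], "192.0.2.33")
    return first, authz.token(resp["device_code"]), second


def expired_flow():
    """Code entered after the lifetime has elapsed (fake clock)."""
    now = [1000.0]
    authz = AuthorizationServer(require_same_network=True, clock=lambda: now[0])
    resp = authz.device_authorization("streaming-tv-app", "192.0.2.20")
    now[0] += CODE_LIFETIME_S + 1
    return authz.approve(resp["user_code"], "192.0.2.33")


if __name__ == "__main__":
    print("unhardened:", illicit_consent_grant(False))   # attacker obtains a token
    print("hardened:  ", illicit_consent_grant(True))    # context_mismatch, no token
    print("legitimate:", legitimate_flow())
    print("expired:   ", expired_flow())
```

With `require_same_network=False` the victim's approval from another network is accepted and the attacker's device collects the token; with the check on, the same phish ends in `context_mismatch`. A network comparison is only one signal and fails in both directions (a phone on mobile data is legitimately on a different network, an attacker on the victim's Wi-Fi is not), so it belongs alongside the user-facing measures the guidance also covers, such as telling the user which client and device started the request and asking whether they initiated it, rather than standing alone.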

Pieter Kasselman
Microsoft
Pieter Kasselman is a member of Microsoft's Identity Standards team, where he focuses on developing standards to address the most important problems in the field of identity. Pieter has over 25 years'...