One Article Review

Source Schneier on Security
Identifier 8649033
Publication date 2025-02-19 15:07:50 (seen: 2025-02-19 18:07:58)
Title Device Code Phishing
Text This isn’t new, but it’s increasingly popular: The technique is known as device code phishing. It exploits “device code flow,” a form of authentication formalized in the industry-wide OAuth standard. Authentication through device code flow is designed for logging printers, smart TVs, and similar devices into accounts. These devices typically don’t support browsers, making it difficult to sign in using more standard forms of authentication, such as entering user names, passwords, and two-factor mechanisms. Rather than authenticating the user directly, the input-constrained device displays an alphabetic or alphanumeric device code along with a link associated with the user account. The user opens the link on a computer or other device that’s easier to sign in with and enters the code. The remote server then sends a token to the input-constrained device that logs it into the account...
Rating ★★★
Sent Yes


The article does not appear to have been picked up after its publication.


The article does not appear to be a follow-up to an earlier one.