Speakers: Nick Ludwig – Microsoft & Pieter Kasselman – Microsoft
Date: Thursday, June 1, 2023
Location: ARIA Resort & Casino | Las Vegas, NV

Description: Initiating an action on one device, such as a Smart TV, and authorising access on another device, such as a mobile phone, is increasingly popular. These cross-device flows provide a convenient and cost effective way to use a personally trusted device to authorize access and enable multi-factor authentication, even if the device on which the service will be consumed has limited capability. It’s rise in popularity has not gone unnoticed, and a range of new “illicit consent grant” attacks have been observed in the wild, which was described at Identiverse 2022. In response, the OAuth working group is developing new security best practices and the academic community is using formal methods to analyse cross-device protocols for the first time. But what does this mean for practice for identity security practitioners? In this session we will discuss how practitioners can apply zero-trust principles and leverage the work underway in the standards community. The result is a defence in depth strategy that reduces risks and preserve the benefits of cross-device flows.