The IESG has approved the following document:

- 'Cross-Device Flows: Security Best Current Practice'
  (draft-ietf-oauth-cross-device-security-15.txt) as Best Current Practice

This document is the product of the Web Authorization Protocol Working Group.

The IESG contact persons are Paul Wouters and Deb Cooley.

A URL of this Internet-Draft is:
https://datatracker.ietf.org/doc/draft-ietf-oauth-cross-device-security/

Technical Summary

This document describes threats against cross-device flows along with practical mitigations, protocol selection guidance, and a summary of formal analysis results identified as relevant to the security of cross-device flows. It serves as a security guide to system designers, architects, product managers, security specialists, fraud analysts and engineers implementing cross-device flows.

Working Group Summary

There was no controversy in the working group. The authors asked the OpenID Foundation FAPI working group to review this document. These reviews have happened and the feedback was incorporated into the document.

Document Quality

Are there existing implementations of the protocol? Have a significant number of vendors indicated their plan to implement the specification? Are there any reviewers that merit special mention as having done a thorough review, e.g., one that resulted in important changes or a conclusion that the document had no substantive issues? If there was a MIB Doctor, Media Type, or other Expert Review, what was its course (briefly)? In the case of a Media Type Review, on what date was the request posted?

Several companies have implemented different mitigations described in the draft. Examples include:

- Okta
- SPIRL
- AWS
- Microsoft
- FusionAuth

Additionally, the proximity check outlined in the draft is what the W3C Digital Credentials API <https://www.w3.org/TR/digital-credentials/> is doing to secure cross-device flows.

There are no special reviews.

No IANA requests, including media type registration requests.

Personnel

The Document Shepherd for this document is Hannes Tschofenig.
The Responsible Area Director is Deb Cooley.
_______________________________________________ OAuth mailing list -- [email protected] To unsubscribe send an email to [email protected]
