Merge pull request #79 from oauth-wg/PieterKas-patch-25

PieterKas · web-flow · commit 3efb187fb0ff · 2023-07-10T10:08:40.000+01:00
Added distinction between "proximity enforced and proximity-less" (see issue #45 )
diff --git a/draft-ietf-oauth-cross-device-security.md b/draft-ietf-oauth-cross-device-security.md
@@ -477,7 +477,7 @@ A number of protocols that enable cross-device flows that are susceptible to Cro
 It is recommended that one or more of the mitigations are applied whenever implementing a cross-device flow. Every mitigation provides an additional layer of security that makes it harder to initiate the attack, disrupts attacks in progress or reduces the impact of a successful attack.
 
 ### Establish Proximity
-The unauthenticated channel between the Initiating Device and Authorization Device allows attackers to obtain a QR code or user code in one location and display in another location. Establishing proximity between the location of the Initiating Device and the Authorization Device limits an attacker's ability to launch attacks by sending the user or QR codes to large numbers of users across the globe. There are a couple of ways to establish proximity:
+The unauthenticated channel between the Initiating Device and Authorization Device allows attackers to obtain a QR code or user code in one location and display it in another location. Consequently, proximity-enforced cross-device flows are more resistant to Cross-Device Consent Phishing attacks than proximity-less cross-device flows. Establishing proximity between the location of the Initiating Device and the Authorization Device limits an attacker's ability to launch attacks by sending the user or QR codes to large numbers of users that are geographically distributed. There are a couple of ways to establish proximity:
 
 - Physical connectivity: This is a good indicator of proximity, but requires specific ports, cables and hardware and may be challenging from a user experience perspective or may not be possible in certain settings (e.g., when USB ports are blocked or removed for security purposes). Physical connectivity may be better suited to dedicated hardware like FIDO devices that can be used with protocols that are resistant to the exploits described in this document.
 
@@ -681,7 +681,8 @@ The authors would like to thank Tim Cappalli, Nick Ludwig, Adrian Frei, Nikhil R
    * Adopted consistent use of hyphenation in using "cross-device"
    * Consistent use of "Authorization Device"
    * Update Reference to Secure Signals Framework to reflect name change from Secure Signals and Events
-
+   * Described difference between proximity enforced and proximity-less cross-device flows
+   * General editorial pass
 
    -01
 
