Re: RFC 8252 is a complete joke


 



On 6/30/23 05:50, josh.howlett@xxxxxxxxx wrote:

In other words, insistence on OAUTH authentication invalidates several decades' worth of common and useful practice, for a very dubious benefit that has been imposed on huge communities of users.

I'm *not* defending the practice, but there is a benefit in terms of inserting MFA challenge/response into the workflow. It is increasingly common for organisations (thanks to their auditors/insurers) to require MFA whenever the user's primary credentials are being used. So, while it is true that a native app can trivially steal the user's credentials, it is subsequently hard to misuse them *if* MFA is always required by policy (the direction of travel for every organisation that I work with). It acts as a failsafe because the user's account ends up locked, rather than compromised, if someone tries to misuse the credentials repeatedly. It is ugly but there is a logic to it.

I understand why MFA, properly done, is beneficial. I just think that OAUTH is a poor solution, and possibly that it does more harm than good, and not only for the reason you cited.

(And of course, a clever attacker will try to collect all authentication credentials needed before trying to exploit any of them.)

Keith




