On 6/30/23 4:12 AM, Keith Moore wrote:
On 6/30/23 05:50, josh.howlett@xxxxxxxxx wrote:

In other words, insistence on OAUTH authentication invalidates several decades' worth of common and useful practice, for a very dubious benefit that has been imposed on huge communities of users.

I'm *not* defending the practice, but there is a benefit in terms of inserting MFA challenge/response into the workflow. It is increasingly common for organisations (thanks to their auditors/insurers) to require MFA whenever the user's primary credentials are being used. So, while it is true that a native app can trivially steal the user's credentials, it is subsequently hard to misuse them *if* MFA is always required by policy (the direction of travel for every organisation that I work with). It acts as a failsafe because the user's account ends up locked, rather than compromised, if someone tries to misuse the credentials repeatedly. It is ugly but there is a logic to it.

I understand why MFA, properly done, is beneficial. I just think that OAUTH is a poor solution, and possibly that it does more harm than good, and not only for the reason you cited.

(And of course, a clever attacker will try to collect all authentication credentials needed before trying to exploit any of them.)

Of course, if you're using Google to log in and can steal the password, that means that it's pretty easy to get the challenge if it's sent as email.

Mike