> >> In other words, insistence on OAUTH authentication invalidates
> >> several decades' worth of common and useful practice, for a very
> >> dubious benefit that has been imposed on huge communities of users.
>
> I'm *not* defending the practice, but there is a benefit in terms of inserting
> MFA challenge/response into the workflow. It is increasingly common for
> organisations (thanks to their auditors/insurers) to require MFA whenever the
> user's primary credentials are being used. So, while it is true that a native app
> can trivially steal the user's credentials, it is subsequently hard to misuse them
> *if* MFA is always required by policy (the direction of travel for every
> organisation that I work with). It acts as a failsafe because the user's account
> ends up locked, rather than compromised, if someone tries to misuse the
> credentials repeatedly. It is ugly but there is a logic to it.
>
> I understand why MFA, properly done, is beneficial. I just think that OAUTH is
> a poor solution, and possibly that it does more harm than good, and not only
> for the reason you cited.

I don't disagree. But, for Enterprises moving their services to the cloud, it
provides the nearest experience to that offered by on-premise Kerberos or NTLM
(by linking OAuth to the organisation's Web SSO), neither of which are
appropriate for that use case.

OAuth is a terrible solution, but it scrapes the "good enough" criterion (with
guardrails, like MFA). And, besides, what else could be done? This is a dismal
situation, but I think revisiting RFC 8252 without offering an alternative would
be a futile gesture that would do nothing to improve it.