On 7/3/23 05:08, josh.howlett@xxxxxxxxx wrote:
I understand why MFA, properly done, is beneficial. I just think that OAUTH is a poor solution, and possibly that it does more harm than good, and not only for the reason you cited.

I don't disagree. But, for Enterprises moving their services to the cloud, it provides the nearest experience to that offered by on-premise Kerberos or NTLM (by linking OAuth to the organisation's Web SSO), neither of which are appropriate for that use case. OAuth is a terrible solution, but it scrapes the "good enough" criterion (with guardrails, like MFA). And, besides, what else could be done? This is a dismal situation, but I think revisiting RFC 8252 without offering an alternative would be a futile gesture that would do nothing to improve it.
I certainly agree that an alternative is needed.
Keith