Re: RFC 8252 is a complete joke

On 7/3/23 2:08 AM, josh.howlett@xxxxxxxxx wrote:
>> In other words, insistence on OAUTH authentication invalidates
>> several decades' worth of common and useful practice, for a very
>> dubious benefit that has been imposed on huge communities of users.
>
> I'm *not* defending the practice, but there is a benefit in terms of inserting
> MFA challenge/response into the workflow. It is increasingly common for
> organisations (thanks to their auditors/insurers) to require MFA whenever the
> user's primary credentials are being used. So, while it is true that a native app
> can trivially steal the user's credentials, it is subsequently hard to misuse them
> *if* MFA is always required by policy (the direction of travel for every
> organisation that I work with). It acts as a failsafe because the user's account
> ends up locked, rather than compromised, if someone tries to misuse the
> credentials repeatedly. It is ugly but there is a logic to it.

>> I understand why MFA, properly done, is beneficial. I just think that OAUTH is
>> a poor solution, and possibly that it does more harm than good, and not only
>> for the reason you cited.
>
> I don't disagree. But, for Enterprises moving their services to the cloud, it provides the nearest experience to that offered by on-premise Kerberos or NTLM (by linking OAuth to the organisation's Web SSO), neither of which are appropriate for that use case.
>
> OAuth is a terrible solution, but it scrapes the "good enough" criterion (with guardrails, like MFA). And, besides, what else could be done? This is a dismal situation, but I think revisiting RFC 8252 without offering an alternative would be a futile gesture that would do nothing to improve it.

The thing about Kerberos is that there is an assumption that the service is trusted, generally speaking. You can certainly have a situation deploying OAUTH where you can make that assumption, but the general case with untrusted apps in a worldwide app store is a terrible one. Compound this with Apple's security theater for their app store and you have a situation that is ripe to be exploited. Bad guys typically go for the low-hanging fruit first, so I guess this isn't low-hanging enough. Or maybe it's going on and I just don't know about it.

Mike
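Since the thread turns on what RFC 8252 actually asks a native app to do, here is an added example (written for this archive page; it is not code from the thread, its participants, or any IETF document) of the authorization request such an app builds: a PKCE code verifier and S256 challenge (RFC 7636), the authorization URL that is handed to the system browser rather than an embedded web view, and the parsing of the loopback redirect with a state check. The identity-provider hostname, client id and loopback port are assumed placeholders. The security-relevant point for the discussion above is visible in the code: the app never sees a password field, so the IdP's own login page (and any MFA step the organisation's policy requires) runs outside the app's control.

```python
"""RFC 8252-style authorization request for a native app, with PKCE (RFC 7636).

Added example, not from the mailing-list thread. Endpoint hostnames, client id
and loopback port are assumed values.
"""
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Assumed placeholders for the identity provider and the app's loopback listener.
AUTHORIZE_ENDPOINT = "https://idp.example.test/oauth2/authorize"
LOOPBACK_REDIRECT = "http://127.0.0.1:49152/callback"  # RFC 8252 sec. 7.3 loopback style


def b64url_no_pad(raw: bytes) -> str:
    """base64url without '=' padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def new_code_verifier(n_bytes: int = 32) -> str:
    """High-entropy verifier, 43..128 chars (RFC 7636 sec. 4.1); 32 bytes -> 43 chars."""
    return b64url_no_pad(secrets.token_bytes(n_bytes))


def code_challenge_s256(verifier: str) -> str:
    """S256 challenge = BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url_no_pad(hashlib.sha256(verifier.encode("ascii")).digest())


def build_authorization_url(client_id: str, scope: str, verifier: str, state: str) -> str:
    """URL the app opens in the *system* browser. Note: no credential parameters at all;
    the user authenticates on the IdP's page, where MFA policy applies."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": LOOPBACK_REDIRECT,
        "scope": scope,
        "state": state,
        "code_challenge": code_challenge_s256(verifier),
        "code_challenge_method": "S256",
    }
    return f"{AUTHORIZE_ENDPOINT}?{urlencode(params)}"


def parse_loopback_callback(request_line: str, expected_state: str) -> str:
    """Extract the authorization code from the loopback listener's GET request line.

    A response whose state does not match the one we sent is discarded (guards
    against injected or replayed responses); an error response is surfaced."""
    # Constructed input looks like: "GET /callback?code=...&state=... HTTP/1.1"
    path = request_line.split(" ")[1]
    qs = parse_qs(urlparse(path).query)
    if qs.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: discard response")
    if "error" in qs:
        raise ValueError(f"authorization failed: {qs['error'][0]}")
    return qs["code"][0]


if __name__ == "__main__":
    verifier = new_code_verifier()
    state = b64url_no_pad(secrets.token_bytes(16))
    print("open in system browser:", build_authorization_url("native-app-client", "openid profile", verifier, state))
    # Constructed callback as the loopback listener would receive it after the user logs in at the IdP.
    sample = f"GET /callback?code=SplxlOBeZQQYbYS6WxSbIA&state={state} HTTP/1.1"
    print("authorization code:", parse_loopback_callback(sample, state))
    # The app then exchanges the code plus `verifier` at the token endpoint; the verifier
    # never left the app, so an intercepted code alone is useless to an eavesdropper.
```

The verifier only ever travels in the back-channel token exchange, which is what makes a stolen authorization code worthless; the `state` check is the app-side counterpart that rejects a callback it did not initiate.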