oauth-wg / oauth-v2-1

OAuth 2.1 is a consolidation of the core OAuth 2.0 specs
https://oauth.net/2.1/

7.12 Phishing Attacks: Clarification and additional advice to the reader #188

Open sakimura opened 1 month ago

sakimura commented 1 month ago

Paragraph 1: it is not only the resource owners' password that can be phished. OTP etc. can be phished as well. Proposes to change: "steal resource owners' passwords" to "steal resource owners' passwords and other credentials that are not phishing-resistant".

Also, as paragraph 2 advises, user education is important, but its effectiveness is somewhat limited. It is better to advise authorization servers to deploy phishing-resistant authentication mechanisms. Therefore, I propose to add a new paragraph 2 such as:

Service providers SHOULD implement phishing-resistant authenticator support.

A question. There are two instances of "should" in the current paragraph 2. Are they intended, or are they actually "SHOULD"?