@ -1447,7 +1447,17 @@ will soon be verified.
## Security considerations
See individual threat analysis sections above.
This proposed mechanism has been designed to protects users and their devices from the following threats:
- A malicious actor who is able to scan the QR code generated by the legitimate user.
- A malicious actor who can intercept and modify traffic on the application layer, even if protected by encryption like TLS.
- Both of the above at the same time.
Additionally, the OIDC Provider is able to define and enforce policies that can prevent a sign in on a new device.
Such policies depend on the OIDC Provider in use and could include, but are not limited to, time of day, day of the week,
source IP address and geolocation.
A threat analysis has been done within each of the key layers in the proposal above.
## Unstable prefix
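
Review bot: The second threat bullet ("intercept and modify traffic on the application layer, even if protected by encryption like TLS") does not say what position the attacker holds or which property the mechanism keeps against them, so a reader cannot tell which parties are in scope. Suggest stating that in the bullet or linking to the per-layer threat analysis that covers it. In the sentence introducing the list, "has been designed to protects users" should read "has been designed to protect users". The policy paragraph would also benefit from saying that these checks are not guaranteed by the proposal itself, since they "depend on the OIDC Provider in use".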