Re: FIDO vs. OAuth2

This comparison is flawed since FIDO and OAuth target different applications.
OAuth is (for example) a core of the recently published Open Banking APIs, where
OAuth tokens hold a user's consent to an external party (a "fintech") accessing
their bank accounts.

Shared application secrets seem like a very bad idea.  What kind of applications
use such?

Anders

On 2017-10-21 18:05, Timothy Holborn wrote:
> 
>       2.3 Comparison to OAuth and OAuth2
> 
> "The OAuth and OAuth2 protocols were designed for a server-to-server security model with the assumption that each application instance can be issued, and keep, an "application secret". This approach is ill-suited to the "app store" security model. Although it is common for services to provision an OAuth-style application secret into their apps in an attempt to allow only authorized/official apps to connect, any such "secret" is in fact shared among everyone with access to the app store and can be trivially recovered through basic reverse engineering.
> 
> In contrast, FIDO's facet concept is designed for the "app store" model from the start. It relies on client-side platform isolation features to make sure that a key registered by a user with a member of a well-behaved "trusted club" stays within that trusted club, even if the user later installs a malicious app, and does not require any secrets hard-coded into a shared package to do so. The user must, however, still make good decisions about which apps and browsers they are willing to perform a registration ceremony with. App store policing can assist here by removing applications which solicit users to register FIDO keys for Relying Parties in order to make illegitimate or fraudulent use of them."
> 
> source / specs: https://fidoalliance.org/specs/fido-uaf-v1.1-rd-20161005/fido-appid-and-facets-v1.1-rd-20161005.html
> I enjoyed the language ;)
> Tim.H.

Received on Sunday, 22 October 2017 09:48:12 UTC
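The "trusted club" the quoted FIDO text describes is concrete: the relying party publishes a trusted facet list at its AppID URL, and the FIDO client refuses to let a calling app or web origin use keys registered under that AppID unless the caller's facet ID appears in the list. The following is an added example, not code from the original thread or from the FIDO Alliance; it assumes the JSON shape of the spec's trustedFacets document, uses a constructed AppID, a constructed facet list and constructed certificate bytes, and simplifies the eTLD+1 comparison to the last two DNS labels (a real client would consult the Public Suffix List).

```python
import base64
import hashlib
import json
from urllib.parse import urlsplit


def android_facet_id(signing_cert_der: bytes) -> str:
    """FacetID of an Android app: unpadded base64 of the SHA-1 of its APK signing certificate."""
    digest = hashlib.sha1(signing_cert_der).digest()
    return "android:apk-key-hash:" + base64.b64encode(digest).decode("ascii").rstrip("=")


def web_origin(facet: str):
    """Reduce an https URL to its origin (https://host[:port]); None for anything that is not https."""
    parts = urlsplit(facet)
    if parts.scheme != "https" or not parts.hostname:
        return None
    try:
        port = parts.port
    except ValueError:
        return None
    host = parts.hostname.lower()
    if port and port != 443:
        return f"https://{host}:{port}"
    return f"https://{host}"


def registrable_domain(origin: str) -> str:
    """Simplified eTLD+1 (assumption): last two DNS labels. A real client uses the Public Suffix List."""
    host = urlsplit(origin).hostname
    return ".".join(host.split(".")[-2:])


def trusted_ids_for(facet_list_json: str, major: int = 1, minor: int = 0) -> list:
    """Pick the 'ids' array for the protocol version the client speaks."""
    doc = json.loads(facet_list_json)
    for entry in doc.get("trustedFacets", []):
        version = entry.get("version", {})
        if version.get("major") == major and version.get("minor") == minor:
            return list(entry.get("ids", []))
    return []


def is_trusted_facet(caller_facet: str, app_id: str, facet_list_json: str) -> bool:
    """Decide whether the caller may use keys registered under app_id.

    Rules applied: the AppID must be an https URL; the AppID's own origin is always trusted;
    listed web facets count only if they are https and share the AppID's registrable domain;
    native (android:/ios:) facets must match the list exactly.
    """
    app_origin = web_origin(app_id)
    if app_origin is None:
        return False
    caller_origin = web_origin(caller_facet)
    if caller_origin is not None and caller_origin == app_origin:
        return True
    trusted = set()
    for fid in trusted_ids_for(facet_list_json):
        if fid.startswith(("android:apk-key-hash:", "ios:bundle-id:")):
            trusted.add(fid)
            continue
        origin = web_origin(fid)
        if origin is not None and registrable_domain(origin) == registrable_domain(app_origin):
            trusted.add(origin)   # http:// entries and foreign domains are dropped here
    if caller_origin is not None:
        return caller_origin in trusted
    return caller_facet in trusted


# Constructed sample data (not a real certificate, AppID or facet list).
CONSTRUCTED_CERT = b"constructed APK signing certificate bytes, not a real cert"
APP_ID = "https://bank.example/fido/trusted-facets.json"
TRUSTED_FACET_LIST = json.dumps({
    "trustedFacets": [{
        "version": {"major": 1, "minor": 0},
        "ids": [
            "https://bank.example",
            "https://login.bank.example",
            "http://login.bank.example",      # ignored: not https
            "https://evil.example",           # ignored: different registrable domain
            android_facet_id(CONSTRUCTED_CERT),
            "ios:bundle-id:com.example.bank",
        ],
    }]
})


if __name__ == "__main__":
    for facet in ("https://login.bank.example", "https://evil.example",
                  "http://login.bank.example", android_facet_id(CONSTRUCTED_CERT),
                  android_facet_id(b"some other signing cert")):
        print(f"{facet!r:60} -> {is_trusted_facet(facet, APP_ID, TRUSTED_FACET_LIST)}")
```

Note what the club membership does not depend on: no secret is embedded in any app. An attacker who ships a look-alike app under a different signing key gets a different facet ID and is simply not in the list, while a listed origin on a foreign domain is discarded even though the relying party put it there.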