Device flow and Okta: Shared device authentication for consumers
Authentication with shared devices comes with a unique set of challenges. Some scenarios are specific to an organization's workforce whereas some use cases are consumer specific. In this article, I will focus on the consumer scenarios, and explore the challenges and possible options to address shared device authentication securely.
Challenges with shared device authentication
Many organizations and services employ kiosks and shared devices to improve customer experience, operational efficiency through self-service, and scalability with consumer growth. Some notable examples are kiosks deployed in retail point-of-sale (POS) systems, entertainment and event centers, hotels, airports, libraries, and medical clinics.
In the consumer scenario, the main challenges are:
- The user needs to provide their authentication credentials on a public device. This increases the risk of credential exposure and can hurt consumer adoption.
- The user session can remain active after she moves away from the system without explicitly signing out, leading to the risk of session takeover.
- Enforcing phishing-resistant biometric authentication, such as passkeys, is not feasible.
Applications often handle shared device authentication in a rather proprietary manner, such as using RFID readers, official documents, or payment card scanners. Also, many systems prompt for traditional user ID and password authentication, such as computers in a library.
Decoupled authentication with the shared device
A better way could be to decouple authentication from the application running on the shared device. If the authentication can be carried out using a trusted device, often a smartphone or tablet in possession of the user, some of the challenges can be addressed seamlessly. Examples of those challenges include:
- The user never needs to provide credentials or identifying information to the application running on the shared devices.
- Phishing-proof biometric authentication can be easily used since the user authenticates from a personal device.
Let's look at a promising decoupled authentication standard: OAuth 2.0 Device Authorization Grant
Introducing device authorization flow
Device authorization flow was originally conceived to provide decoupled authentication to input-constraint devices such as smart TVs. Often, such devices do not come with a general-purpose browser to allow a user to authenticate using a secure federated flow, or make it cumbersome to input their credentials. The device authorization framework provides a way to allow a consumer to use their personal device (laptop, mobile, or tablet) to perform authentication instead.
Making a case for device authorization flow
Device authorization flow provides an elegant solution in the shared device authentication scenario. The idea is as follows:
- The application creates a randomized login URL and a user code. It can also embed the URL and the user code in a QR code. The application then displays the information to the user.
- The user can scan the QR code or manually type the login link on their device browser.
- They would then complete the authentication flow on their device by supplying their credentials. For sensitive applications, the authentication process can include phishing-resistant factors such as passkeys.
- Finally, they enter the user code.
- Once the authorization process is complete, the shared device application will continue with the authentication token received.
The user never needs to provide any authentication information on the shared device. Instead of consenting to an authorization challenge (like with CIBA), she performs the end-to-end authentication on the trusted device.
The device authorization flow was originally designed for input-constrained devices such as TVs or command-line interfaces (CLI). However, in shared devices, the user credentials are not safe, which makes the flow an ideal candidate for shared device authentication.
Here’s how the OAuth 2.0 device authorization flow works:
Session management and logout
Even if the device authorization flow is suitable for front-line authentication in shared devices, the application or the system still needs to manage the sessions and tokens.
The tokens should have a low expiry time and never be stored in persistent storage, unlike those in TVs or smart devices, where long-lived tokens are typically warranted.
The application should also reset the session and clear the access token and device code immediately after the browser or application is closed.
The application or device must track user inactivity and time out within a short threshold. Upon timeout, it should promptly reset the user session and clear tokens.
Fallback option
What if the user is not carrying a personal device suitable for authentication? The application should also have a suitable fallback login option, such as SMS or email, and OTP-based passwordless authentication. For completeness, the application can also allow traditional password-based login, albeit with caution and instructive messages displayed to the user.
Okta supports device authorization flow
Okta continues to lead the Identity and Access Management space by providing support for the Device Authorization Grant Flow, an OAuth 2.0 specification (RFC 8628).
Together with Okta’s ability to support various other password and passwordless authentication methods, you can easily implement a reliable authentication system for applications running on a shared device. Device authorization flow helps enhance user experience and significantly improves security by decoupling authentication from the shared device itself. By offering a streamlined integration process via APIs and SDKs, Okta makes it easy to take advantage of this modern protocol. As businesses increasingly rely on unattended devices for customer interactions, Okta’s pioneering approach ensures a frictionless and secure authentication experience for consumers.
Device authorization flow, although originally conceived to address authentication for input-constrained devices, is an excellent tool for handling consumer authentication from shared devices. Okta makes it easy to implement shared device authentication securely with out-of-the-box support for device authorization flow.
Additional reading
What is Device authorization flow
OAuth 2.0 Device Authorization Grant Specification
