[Openid-specs-fapi] Issue #127: CIBA: security issues (openid/fapi)

Anders Rundgren anders.rundgren.net at gmail.com
Sat Nov 18 18:14:56 UTC 2017

On 2017-11-18 18:16, tomcjones via Openid-specs-fapi wrote:
> New issue 127: CIBA: security issues
> https://bitbucket.org/openid/fapi/issues/127/ciba-security-issues
> tomcjones:
> I believe that the security level of CIBA is not well understood and would add the following text.
> A client initiated backchannel is not difficult to intercept by a hacker, see https://www.forbes.com/sites/laurashin/2016/12/21/hackers-are-hijacking-phone-numbers-and-breaking-into-email-and-bank-accounts-how-to-protect-yourself/. So the only additional security is that the user at one time had control of the account identifier (such as phone number) that was recorded by the client from the user. It does not provide the proof of possession of the client device that is addressed by that account identifier and so does not add an authentication of "something the user has" without additional proof of possession information.

I don't know anything about CIBA but if we are talking about an external device used for OOB authentication to a Web application, I can verify that this scheme is susceptible to phishing attacks since some 6 millions Swedes use such a solution and several incidents have been reported.  In fact, warnings have been sent out in mainstream media.

FWIW, I have tried to interest platform vendors like Intel in this matter but they claim that I'm the only one concerned about this problem.  Yeah, it can be fully addressed at the platform level unless the CIBA folks have come up with some kind of "secret sauce" that I'm unaware of.


More information about the Openid-specs-fapi mailing list