[Openid-specs-fapi] Issue #127: CIBA: security issues (openid/fapi)
issues-reply at bitbucket.org
Sat Nov 18 17:16:37 UTC 2017
New issue 127: CIBA: security issues
I believe that the security level of CIBA is not well understood and would add the following text.
A client-initiated backchannel is not difficult to intercept by a hacker; see https://www.forbes.com/sites/laurashin/2016/12/21/hackers-are-hijacking-phone-numbers-and-breaking-into-email-and-bank-accounts-how-to-protect-yourself/. So the only additional security is that the user at one time had control of the account identifier (such as a phone number) that was recorded by the client from the user. It does not provide proof of possession of the client device that is addressed by that account identifier, and so does not add an authentication of "something the user has" without additional proof-of-possession information.