The Role Of Mobile During Authentication

Nearly all the big player social networks now provide a multi-factor authentication option – either an SMS-sent code or a key-derived one-time password, accessible via a mobile app.  Examples include Google’s Authenticator, Facebook’s options for MFA (including their Code Generator, built into their mobile app) or LinkedIn’s two-step verification.  There are lots more examples, but the common component is using the user’s mobile phone as an out-of-band authenticator channel.

Phone as a Secondary Device - “Phone-as-a-Token”

The common term for this is “phone-as-a-token”.  Depending on the statistics, basic mobile phones are now so ubiquitous that the ability to leverage at least SMS-delivered one-time passwords (OTP), for users who have neither data plans nor smartphones, is common.  This is an initial step in moving away from the traditional username and password based login.  However, since the National Institute of Standards and Technology (NIST) released their view that SMS-based OTP delivery is insecure, there has been constant innovation around how best to integrate phone-based out-of-band authentication.  Push notifications are one option and local or native biometry is another, often coupled with FIDO (Fast Identity Online) for secure application integration.

EMM and Device Authentication

But using a phone as an out-of-band authentication device often overlooks the credibility and assurance of the device itself.  If push-based notification apps are used, whilst the security and integrity of those apps can be guaranteed to a certain degree, the device the app is installed upon cannot necessarily be attested to the same level.  What about environments where BYOD (Bring Your Own Device) is used?  What about the potential for jailbroken operating systems, or low-assurance or, worse still, malware-based apps running in parallel with the push authentication app?  Does that impact credibility and assurance?  Could that result in the app being compromised in some way?

In the internal (workforce) identity space, Enterprise Mobility Management (EMM) software often comes to the rescue here – perhaps issuing and distributing certificates or key pairs to devices in order to perform device validation before accepting the out-of-band verification step.  This can often be coupled with app assurance checks and OS baseline versioning.  However, this is often time-consuming and complex, and isn’t always possible in the consumer or digital identity space.

Multi-band to Single-band Login

Whilst you can achieve user authentication, device authentication and out-of-band authentication nirvana all at once, let’s spin forward and simulate a world where the majority of interactions are solely via a mobile device.  So we no longer have an “out of band” authentication vehicle.  The main application login occurs on the mobile.  So what does that really mean?  Well, we lose the secondary binding.  But if the initial application authentication leverages the mechanics of the original out-of-band step (local biometry, crypto/FIDO integration), is there anything to worry about?  Well, the initial device-to-user binding is still an avenue that requires further investigation.  I guess by removing an out of band process, we are reducing the number of signals or factors.  Also, unless a biometric local authentication process is used, the risk of credential theft increases substantially.

Leave your phone on the train with a basic local PIN-based authentication that allows access to refresh_tokens or private keys, and we’re back to the “keys to the castle” scenario.


User, Device & Contextual Analysis

So we’re back to a situation where we need to augment what is in fact a single factor login journey.

The physical identity is bound to a digital device.  How can we have a continuous level of assurance for the user-to-app interaction?  We need to add additional signals – commonly known as context.

This “context” could well include environmental data such as geo-location, time or network addressing, or more behavioural data such as movement or gait analysis or app usage patterns.  The main driver is a move away from the big bang login event, where assurance is very high at the moment of login and then drops off in a long, slow tail as time goes by.  This correlates with the adage of short-lived sessions or access_tokens – mainly because assurance cannot be guaranteed as the time since the authentication event increases.

This “context” is then used to perform lots of smaller micro-authentication events – perhaps a check at every use of an access_token, or whenever a session is presented to an access control event.

So once a mobile user has “logged in” to the app, there is a lot more activity in the background looking for changes in context (either environmental or behavioural).  No more out of band, just a lot of micro-steps.
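The decaying-assurance and micro-authentication idea above, as an added example that is not code from the original post: assurance is highest at the login event and halves over a fixed half-life, each access_token use re-checks the current context against the context captured at login, and a successful step-up resets the clock. The half-life, thresholds, signal weights and the three outcomes (allow / step_up / deny) are assumptions chosen for illustration.

```python
"""Continuous assurance via time decay and contextual micro-checks.

Added example, not code from the original post: it models the argument that
assurance peaks at the login event and decays over time, and that each use
of an access_token should be a small re-check of the context captured at
login. Half-life, thresholds and signal weights are assumptions.
"""
from dataclasses import dataclass

HALF_LIFE_SECONDS = 15 * 60   # assumption: assurance halves every 15 minutes
STEP_UP_THRESHOLD = 0.5       # assumption: below this, ask for a local re-auth
DENY_THRESHOLD = 0.2          # assumption: below this, force a full login


@dataclass
class Context:
    """Environmental signals sampled at login and again at each token use."""
    country: str
    network: str        # e.g. "wifi-home" or "cell"
    ip_prefix: str      # coarse network address, e.g. a /24 prefix
    hour_of_day: int    # local time, 0-23


@dataclass
class Session:
    authenticated_at: float
    initial_assurance: float   # assumption: 1.0 for biometry/FIDO, lower for PIN-only
    baseline: Context


def time_decay(session: Session, now: float) -> float:
    """Assurance left from the login event: exponential decay with a fixed half-life."""
    elapsed = max(0.0, now - session.authenticated_at)
    return session.initial_assurance * 0.5 ** (elapsed / HALF_LIFE_SECONDS)


def context_drift(baseline: Context, current: Context) -> float:
    """Weighted sum of contextual changes since login (weights are assumptions)."""
    drift = 0.0
    if current.country != baseline.country:
        drift += 0.6       # country change is the strongest environmental signal
    if current.ip_prefix != baseline.ip_prefix:
        drift += 0.15
    if current.network != baseline.network:
        drift += 0.1
    hour_gap = abs(current.hour_of_day - baseline.hour_of_day)
    if min(hour_gap, 24 - hour_gap) > 6:
        drift += 0.1       # use at a very different time of day than the login
    return drift


def micro_authenticate(session: Session, current: Context, now: float) -> str:
    """One micro-authentication event, run at every access_token use.

    Returns "allow", "step_up" (re-prompt locally, e.g. biometric) or "deny".
    """
    score = time_decay(session, now) - context_drift(session.baseline, current)
    if score >= STEP_UP_THRESHOLD:
        return "allow"
    if score >= DENY_THRESHOLD:
        return "step_up"
    return "deny"


def refresh_assurance(session: Session, current: Context, now: float) -> None:
    """After a successful step-up, the re-check becomes the new high-assurance event."""
    session.authenticated_at = now
    session.baseline = current


if __name__ == "__main__":
    # Constructed sample: login at t=0 from a home Wi-Fi network in GB.
    home = Context("GB", "wifi-home", "203.0.113", 9)
    session = Session(authenticated_at=0.0, initial_assurance=1.0, baseline=home)
    abroad = Context("US", "cell", "198.51.100", 9)
    print(micro_authenticate(session, home, 60.0))      # allow
    print(micro_authenticate(session, home, 1200.0))    # step_up
    print(micro_authenticate(session, abroad, 60.0))    # deny
```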

As authentication becomes more transparent or passive, the real effort then moves to physical to digital binding or user proofing...


Gartner Identity Summit London 2015 – Review

This week saw the Gartner Identity and Access Management Summit come to London town.  The event brings together the great and good of the identity community, with a range of vendors, consultancies and identity customers all looking to analyse the current marketplace and understand the current challenges, as well as the hot topics that can be applied in 2015 and beyond.

Hitting the Right Notes

The main keynote from an external speaker was from the highly talented classical musician Miha Pogacnik.  Miha delivered an inspirational 60-minute talk, translating the components of classical music into the realm of business transformation.  He focused on organisational change and all the different angles of repetition, aggression, questioning and responding that occur, and the new challenges they place on organisations, whilst playing a piece of Bach on his violin!  Fantastic.



Consumers Have Identities Too

From a strategic identity perspective, there were several presentations on the developing need for consumer identity management. Many organisations are embracing digital transformation in both the private and public sector, defining use cases and requirements for things like consumer registration, authentication and multi-factor authentication, all done within a highly scalable yet simple identity management framework.

Traditional identity management platforms, products and delivery approaches are often focused on small-scale, repeatable use cases centred on employees and workflow, and don't require the scale or rapid time to delivery that consumer-facing projects need.

Gartner's Lori Robinson went through the differences between customer and employee identity management, and how features such as consumer registration map neatly to core provisioning and synchronization use cases, whilst features such as authentication are being extended to include adaptive risk, device fingerprinting and the use of one-time passwords to help improve security when high-value consumer transactions, such as address changes, take place.

The Identity of Things Headache

Another emerging area that not only Gartner, but many consultants and customers were talking about, was that of applying identity patterns to devices and things.  Whilst there has been the initial hype of consumer-focused things - such as fitness trackers, fridge monitors and so on - there is a great and developing need for identity and access patterns in the manufacturing space, utilities, SCADA and energy sectors.  Many devices are low powered and have limited cryptographic processing capabilities, but still require registration and linking use cases to be fulfilled, as well as having the data they generate protected.

The linking, relationship building and data privacy concerns of the newly emerging Internet of Things landscape require heavy doses of identity and access management medicine to make them sustainable.

Newer emerging standards such as OpenID Connect and User Managed Access were the main focus of the coffee chatter, particularly how they can provide federated authorization capabilities to both people-based and things-based infrastructures.


Overall it was a well-attended and thought-provoking summit, with both traditional and emerging vendors sponsoring and some great event party antics.  It seems the identity management space is going from strength to strength, even after being around for over 15 years.  The new challenges of devices, consumers, cloud and mobile are helping to drive innovation in both the vendor and delivery space.

By Simon Moffatt






Top 5 Security Predictions for 2015

January can't go by without another set of prediction blogs coming our way. Be that for lifestyle, how to lose weight, how to gain weight, how to change our lives and so on.  I thought I would join the bandwagon and jot down what I think will be the top 5 challenges facing organisations from a security perspective this year.  If I'm being diligent enough, I may even review it come December (only if I'm right of course...).

Customer Identity Management Will Keep CIOs Awake at Night

Many organisations are going through digital transformation processes.  Be that public sector departments wanting to streamline areas such as taxation, driving license management or health care, through to private sector organisations looking to reduce costs or open new market opportunities.

Digital initiatives are everywhere.  Don't believe me? Check out how many CDOs (Chief Digital Officers) now exist on LinkedIn - over 3000 in the UK alone.  These new approaches to product and service delivery require a strong hold on the identity and access management requirements of customers.  Customer registration, authentication, two-factor authentication and device fingerprinting are just a few of the topics hitting the to-do list of many CISOs and CIOs - all services that suddenly need rolling out to potentially millions of end users.  Big scale and big headaches will result if a modular and scalable identity platform isn't available.


Water Cooler Chat Will Be All About Device Security and Internet of Things Madness

By now, everyone has an automated toilet with a mood-influenced flush that instantly publishes the metadata to Twitter, right?  Perhaps not, but there is no doubting that the Internet of Things landscape is maturing rapidly, and the identity of things (shameless blog plug) is going to be a huge area for device manufacturers, service providers and end users.

IoT systems and devices have all been about communications and interoperability so far.  Adding communications services to low-power and low-capacity devices brings new opportunities for things like home automation, smart cities, smart cars and more.  However, as these devices collect, store and distribute data to brokers and cloud services, data privacy becomes a huge concern, especially if the data contains production plant statistics or personal health information.  The devices, and the ecosystem that supports the delivery of those devices, will need to be coated in a meta layer of security, from registration and authentication services through to lightweight encryption and signing technology.


Passwords on the Mobile Will Disappear (Ok not entirely..)

Passwords are dead. Long live the passwords.  I think this topic has been the most written about in blog history.  Ever.  Ok, perhaps not quite ever, but the number of column inches dedicated to the next big thing in password-less authentication / how passwords can't die / how passwords will die is quite remarkable.  One thing for sure is that the number of users accessing web content and apps via mobile devices (be that phones or tablets) is continuing to rise and is significantly outstripping the need for desktops.  What that does, of course, is increase the desire for less reliance on password-based authentication on mobile tech.  It's simply too inconvenient and too insecure.  As mobile devices build out easier-to-use secure elements, the storage of crypto materials, session tokens, refresh tokens and other authentication data will allow protocols such as OAuth2, or crypto-related authentication schemes, to take precedence over the traditional username and password approach.


Employees Will Want Access to More Cloud Services

Many organisations are at a crossroads when it comes to cloud services.  Many want to embrace new as-a-service components such as HR, payroll, collaboration and office automation systems.  They are often very simple to register and pay for, simple to set up, and allow the organisation to concentrate on its key competency areas.  This does, however, bring strong challenges with regard to employee provisioning and single sign-on to external services.  Employees do not want to have to remember new and different usernames and passwords to access Google Apps, Salesforce or HR Factors.  Single sign-on is mandatory for user convenience, as is the ability to create and remove users in a streamlined and automated fashion, using provisioning systems deeply integrated with HR rules and business logic.  These new requirements can put strain on already buckling legacy provisioning and access management systems that were often conceived and implemented long before the 'cloud' was cool.


Consumers Will Want More Control and Transparency Over Their Data

This last one is interesting.  I don't think this is suddenly a new requirement or concern for 2015. I think it has always been the case that consumers are very keen to keep their online identity secure, their banking details safe and their national insurance or social security number locked up.  However, as more and more devices require and process our personal data, end users are becoming more enlightened with regard to how their data is used and stored.

The Internet of Things takes this to a new level, with many more services, apps and devices wanting to consume, process and potentially redistribute personal data.  End users want a clear, simple and transparent method not only of sharing data, but also of revoking previously granted access to personal data.  We are probably some way off this being a reality, but protocols such as OAuth2 and User Managed Access can go some way to help fulfil these newer requirements.

By Simon Moffatt






OpenDJ Contact Manager for Android

With OpenDJ 2.6.0, we’ve introduced a new way to access your directory data, using HTTP, REST and JSON. The REST to LDAP service, available either embedded in the OpenDJ server or as a standalone web application, is designed to facilitate the work of application developers. And to demonstrate the interest and the ease of use of that service, we’ve built a sample application for Android: the OpenDJ Contact Manager.

[Image: About screen of the OpenDJ Contact Manager Android App]

The OpenDJ Contact Manager is an open source Android application that was built by Violette, one of the ForgeRock engineers working in the OpenDJ team. You can get the source code from the SVN repository: https://svn.forgerock.org/commons/mobile/contact-manager/trunk. Mark wrote some quite complete documentation for the project, with details on how to get and build the application. He published it at http://commons.forgerock.org/mobile/contact-manager/.

The whole application is just about 4000 lines of code, and most of it deals with the display itself. But you can also find code that deals with asynchronous calls to the OpenDJ REST interface, paging through results, and parsing the resulting JSON stream to populate the contacts, including photos. Et voilà:

[Image: OpenDJ Contact Manager displaying a Contact]

The application is just a sample, but it is clearly usable in its current form: once a contact has been retrieved from the OpenDJ directory, it lets you add it to the standard Contacts application, call the person, locate their address on maps, send them an email, or navigate through the management chain…

In future versions, we are planning to add support for OAuth 2.0, removing the need to store credentials in the application settings.

As it’s open source, feel free to play with it, hack and contribute back your changes.



OAuth2 – The Passwordless World of Mobile

Keeping in vogue with the fashion of killing off certain standards, technologies or trends, I think it's an easy one to say that the life of the desktop PC (and maybe even the laptop...) is coming to an end.
Smartphone sales are in the hundreds of millions per quarter, and each iteration of both the iOS and Android operating systems boasts richer user experiences and more sophisticated storage and app integration.  The omnipresent nature of these powerful mini-computers has many profound benefits and uses.



Mobile Weakness + Password Weakness = Nightmare!

With anything in the information world that is popular come security weaknesses and vulnerabilities.  Popularity is a big trigger for the generation of malware and criminal intent: a malware developer wants the reward ratio to be as high as possible, which means developing exploits for the devices and operating systems that are the most popular.  Some key aspects of all mobile devices, however, result in general security weakness.  Firstly, they're small, meaning they can be easily lost or stolen.  That weakness is pretty difficult to overcome.  Unfortunately, as mobiles now hold significant personal and professional information (emails, attachments, cached passwords and so on), a physical loss can have significant impact.  Most mobile devices carry no real form of anti-virus or anti-malware software, albeit this is improving.

Passwords, as we know, are no longer regarded as a secure means to protect websites and applications.  End users don't tend to select complex passwords (if they do, they are written down...), and the transport and storage of such passwords (lack of encrypted channels, passwords not hashed in storage) all contribute to more instances of password leaks and compromise.

Password use on mobile phones then introduces a mixture of potential vulnerabilities.  Mobile users want to access protected applications, social networking sites and websites, all with email address and password based authentication.

Mobile keyboards are small, so many users will simply enter the credentials once and cache them, leaving them vulnerable to reuse and capture if the device is lost or the operating system compromised.


Introduce OAuth2

OAuth2 (not to be confused with OAuth or OATH...) is making great strides towards being the de facto standard authorization protocol for web applications and modern federated services.  OAuth2 provides a neat access and refresh token approach to granting access to sites and services, which can reduce the burden of static username and password based authentication and authorisation.  At a high level, OAuth2 can issue both an access token and a refresh token, along with what is known as a scope.

The access token does what it says and generally has a short lifespan - perhaps only a few minutes. The refresh token, on the other hand, may have a longer lifespan and can be exchanged for a new access token in the future without the need to re-enter a username or password.  The benefit is that the OAuth2 authorization server can revoke the refresh token if the device that holds it is compromised or lost: a significant improvement on having to reset passwords if a mobile is lost and contains cached passwords.  The scope is simply a list of permission attributes that the authorisation server attaches to the associated access token before releasing it to the requesting resource.

OAuth2 provides several different mechanisms for releasing tokens (called grants), which I won't go into here, but ultimately there is less reliance on the repeated entry of usernames and passwords.  The use of tokens removes the need to cache such credentials and also does not require credential exchange between the authorisation service and the protected resource.

Being able to remotely revoke an access or refresh token gives the identity owner much more control in the event that a physical device is lost, stolen or compromised.
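The access token, refresh token, scope and revocation behaviour described above, as an added example that is not code from the original post or from any OAuth2 library: a minimal in-memory authorization server that issues a short-lived access token and a longer-lived refresh token bound to a scope, exchanges the refresh token for a new access token with no password involved, and revokes every token bound to a device reported lost. Token lifetimes, the device_id binding and the scope names are assumptions.

```python
"""Access/refresh token lifecycle with revocation for a lost device.

Added example, not code from the original post or from any OAuth2 library.
Only SHA-256 digests of issued tokens are kept server-side, so the token
store itself is not a replayable secret. Lifetimes, the device_id binding
and the scope names are assumptions.
"""
import hashlib
import secrets
from dataclasses import dataclass

ACCESS_TTL = 5 * 60               # assumption: access tokens live 5 minutes
REFRESH_TTL = 30 * 24 * 3600      # assumption: refresh tokens live 30 days


@dataclass
class TokenRecord:
    subject: str
    device_id: str
    scope: frozenset
    expires_at: float
    revoked: bool = False


def _digest(token: str) -> str:
    """Store only a hash of each token; a leaked token store cannot be replayed."""
    return hashlib.sha256(token.encode()).hexdigest()


class AuthorizationServer:
    def __init__(self):
        self._access = {}    # digest -> TokenRecord
        self._refresh = {}   # digest -> TokenRecord

    def issue(self, subject, device_id, scope, now):
        """Run once after the user has authenticated (e.g. local biometry / FIDO)."""
        access = secrets.token_urlsafe(32)
        refresh = secrets.token_urlsafe(32)
        bound_scope = frozenset(scope)
        self._access[_digest(access)] = TokenRecord(
            subject, device_id, bound_scope, now + ACCESS_TTL)
        self._refresh[_digest(refresh)] = TokenRecord(
            subject, device_id, bound_scope, now + REFRESH_TTL)
        return access, refresh

    def introspect(self, access, required_scope, now):
        """What a protected resource asks at every access_token use."""
        rec = self._access.get(_digest(access))
        return (rec is not None and not rec.revoked
                and now < rec.expires_at and required_scope in rec.scope)

    def refresh(self, refresh_token, now):
        """Exchange a live refresh token for a new access token; no password needed."""
        rec = self._refresh.get(_digest(refresh_token))
        if rec is None or rec.revoked or now >= rec.expires_at:
            return None
        access = secrets.token_urlsafe(32)
        self._access[_digest(access)] = TokenRecord(
            rec.subject, rec.device_id, rec.scope, now + ACCESS_TTL)
        return access

    def revoke_device(self, subject, device_id):
        """Device lost or stolen: revoke all its tokens instead of resetting the password.

        Returns the number of records newly marked revoked (expired ones included).
        """
        count = 0
        for store in (self._access, self._refresh):
            for rec in store.values():
                if (rec.subject == subject and rec.device_id == device_id
                        and not rec.revoked):
                    rec.revoked = True
                    count += 1
        return count


if __name__ == "__main__":
    # Constructed walk-through: login at t=0, token expiry, refresh, then a lost phone.
    srv = AuthorizationServer()
    access, refresh = srv.issue("alice", "phone-1", ["contacts:read"], now=0.0)
    print(srv.introspect(access, "contacts:read", 10.0))     # True
    print(srv.introspect(access, "contacts:read", 301.0))    # False: access expired
    access2 = srv.refresh(refresh, 301.0)                    # new access, no password
    print(srv.introspect(access2, "contacts:read", 310.0))   # True
    print(srv.revoke_device("alice", "phone-1"))             # 3
    print(srv.refresh(refresh, 320.0))                       # None: refresh revoked
```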

In addition, as passwords would be required less often, more complex passwords (created using generators) can be used in order to provide a little more protection.

By Simon Moffatt