The Device Authorization Grant is an OAuth 2.0 login flow designed for devices that cannot easily use a keyboard, full browser, or direct text input, such as TVs, kiosks, and some smart devices. The device shows a short code and a verification URL, and the user completes sign-in on a second device. After approval, the device receives tokens without ever handling the user’s password.
This flow matters in cyber security because it is a legitimate authentication method that attackers can abuse. In device code phishing, criminals start the flow themselves and trick a user into entering their code on the real sign-in page, so the user's approval authorizes the attacker's session instead of a device the user actually owns. Defenders reduce risk by limiting which applications and locations may use the flow, watching sign-in logs for unusual device-code activity, using Conditional Access, and preferring phishing-resistant authentication where possible. If a suspicious approval occurs, session revocation can cut off the attacker's access.
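The exchange described above, as an added example that is not part of the original page: a toy in-memory authorization server modelled on RFC 8628, showing the three steps (device requests a code pair, user approves on a second device, device polls for tokens) plus the two controls the text mentions, an allow-list of clients permitted to use the flow and revocation of a user's sessions. The client ids, verification URI, code lifetimes and polling interval are constructed sample values.

```python
import secrets
import time

class DeviceAuthServer:
    def __init__(self, allowed_clients, code_ttl=600, interval=5, clock=time.time):
        self.allowed_clients = set(allowed_clients)  # policy: only these apps may use the flow
        self.code_ttl, self.interval, self.clock = code_ttl, interval, clock
        self.pending = {}   # device_code -> pending authorization record (constructed layout)
        self.sessions = {}  # access_token -> {"user", "client_id"}, used for revocation

    def device_authorization(self, client_id):
        """Step 1: the device requests a device_code / user_code pair."""
        if client_id not in self.allowed_clients:
            return {"error": "unauthorized_client"}
        device_code = secrets.token_urlsafe(32)
        user_code = secrets.token_hex(2).upper() + "-" + secrets.token_hex(2).upper()
        self.pending[device_code] = {"client_id": client_id, "user_code": user_code,
            "expires": self.clock() + self.code_ttl, "approved_by": None, "last_poll": None}
        return {"device_code": device_code, "user_code": user_code, "expires_in": self.code_ttl,
                "interval": self.interval, "verification_uri": "https://idp.example/device"}

    def approve(self, user_code, user):
        """Step 2: the user enters the short code on a second device and consents."""
        rec = next((r for r in self.pending.values() if r["user_code"] == user_code), None)
        if rec is None or self.clock() > rec["expires"]:
            return False  # unknown or expired code: nothing to approve
        rec["approved_by"] = user
        return True

    def token(self, device_code):
        """Step 3: the device polls the token endpoint (error codes per RFC 8628 s3.5)."""
        rec = self.pending.get(device_code)
        if rec is None:
            return {"error": "invalid_grant"}
        now = self.clock()
        if now > rec["expires"]:
            return {"error": "expired_token"}
        if rec["last_poll"] is not None and now - rec["last_poll"] < self.interval:
            return {"error": "slow_down"}  # device is polling faster than allowed
        rec["last_poll"] = now
        if rec["approved_by"] is None:
            return {"error": "authorization_pending"}
        del self.pending[device_code]  # one-time use: the code cannot be redeemed twice
        token = secrets.token_urlsafe(32)
        self.sessions[token] = {"user": rec["approved_by"], "client_id": rec["client_id"]}
        return {"access_token": token, "token_type": "Bearer"}
    def revoke_user_sessions(self, user):
        """Incident response: drop every token issued to this user; returns how many."""
        before = len(self.sessions)
        self.sessions = {t: s for t, s in self.sessions.items() if s["user"] != user}
        return before - len(self.sessions)
```

Passing a fake `clock` makes expiry and the polling interval testable without sleeping; a real deployment would also bind the issued token to the client and log which identity approved which code.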