By: E.J. Yerzak
If you use a long, complex password – as you should – you’ve probably experienced the frustration of entering it on a smart TV or similar device using a remote control. It can feel like texting on early mobile phones, where typing a single letter required multiple button presses. To solve this usability problem, many platforms introduced a more convenient login method for “input-constrained devices” like smart TVs. Instead of typing credentials directly on the device, users are prompted to authenticate on a separate device, such as a smartphone or laptop, through a link and short code.
This process is powered by the OAuth 2.0 Device Authorization Grant (RFC 8628), commonly called Device Code Flow.
In simple terms, once you sign in on the secondary device, the original device collects an access token (and usually a refresh token) from the identity provider: a credential that lets it call your account's APIs as you. The smart TV (or similar device) never sees your password or MFA code; it only ever handles the short code and the tokens that come back.
While this feature improves user experience, it also introduces new security risks.
How Device Code Phishing Bypasses MFA
Security often requires balancing convenience and control. As with many technologies designed to make life easier, attackers have found ways to exploit this feature through a technique known as device code phishing. Unlike traditional attacks that attempt to steal passwords directly, this method tricks users into unknowingly authorizing an attacker’s session.
The attack typically follows the following steps:
- Initiation by the attacker – The attacker starts a legitimate device login request against a service such as Microsoft 365, using the "sign in on another device" option, exactly as a smart TV would.
- Code generation – The service returns two values: a secret device code, which the attacker keeps and uses to poll the token endpoint, and a short, temporary user code tied to that login request, which is meant to be shown to a human.
- Phishing message sent to the user – The attacker sends the user code to a targeted user, often via text message, email, or a Teams message, with instructions to visit the service's real login page (for Microsoft, the same page a smart TV would direct you to) and enter the code. Because the page and the domain are genuine, nothing in the message needs to look fake.
- User completes authentication – The user follows the instructions, enters the code, and signs in with username, password, and multi-factor authentication (MFA). The login page verifies the code and the credentials; it has no way to verify who requested the code or where that request came from.
At this point, everything appears legitimate from the user's perspective. However, the approval is bound to the code the attacker requested, so the attacker's next poll of the token endpoint returns an access token and refresh token issued for the user's account. The attacker gains access without ever seeing the user's password or MFA code. The window is short: the user code expires after a few minutes, so the phishing message typically urges immediate action.
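The exchange described above, as an added example that is not part of the original article: a toy authorization server implementing the device grant, an attacker acting as the "device", and a victim who enters the code on the genuine verification page. All names, URLs, the 15-minute code lifetime and the token format are assumptions; the point is to see that the tokens land with whoever holds the device code, and that the verification page never learns who that is.

```python
import secrets
from dataclasses import dataclass
from typing import Dict, Optional

# Consonant-only alphabet for the short user code (avoids ambiguous characters).
USER_CODE_ALPHABET = "BCDFGHJKLMNPQRSTVWXZ"
VERIFICATION_URI = "https://login.example.test/device"   # hypothetical
CODE_LIFETIME_S = 900                                     # 15 minutes, an assumption


@dataclass
class Pending:
    """One outstanding device authorization request, indexed by both codes."""
    device_code: str     # secret, known only to the client that asked for it
    user_code: str       # short code shown to (or phished to) a human
    client_id: str
    scope: str
    expires_at: int
    authorized_by: Optional[str] = None
    tokens: Optional[Dict[str, str]] = None


class AuthorizationServer:
    """Toy authorization server implementing the RFC 8628 device grant."""

    def __init__(self) -> None:
        self.users = {"victim@example.test": "correct horse battery staple"}
        self.by_device: Dict[str, Pending] = {}
        self.by_user_code: Dict[str, Pending] = {}

    def device_authorization(self, client_id: str, scope: str, now: int) -> dict:
        """POST /devicecode: called by the device (or an attacker posing as one)."""
        user_code = "".join(secrets.choice(USER_CODE_ALPHABET) for _ in range(9))
        p = Pending(secrets.token_urlsafe(32), user_code, client_id, scope,
                    now + CODE_LIFETIME_S)
        self.by_device[p.device_code] = p
        self.by_user_code[user_code] = p
        return {"device_code": p.device_code, "user_code": user_code,
                "verification_uri": VERIFICATION_URI,
                "expires_in": CODE_LIFETIME_S, "interval": 5}

    def verification_page(self, user_code: str, username: str, password: str,
                          mfa_passed: bool, now: int) -> str:
        """The page behind verification_uri. Note what it does NOT check:
        who originally requested the code, or from where."""
        p = self.by_user_code.get(user_code)
        if p is None or now > p.expires_at:
            return "invalid_or_expired_code"
        if self.users.get(username) != password or not mfa_passed:
            return "authentication_failed"
        p.authorized_by = username
        p.tokens = {"token_type": "Bearer",
                    "access_token": f"at-{secrets.token_hex(8)}",
                    "refresh_token": f"rt-{secrets.token_hex(8)}",
                    "scope": p.scope, "subject": username}
        return "authorized"

    def token(self, device_code: str, now: int) -> dict:
        """POST /token with grant_type=urn:ietf:params:oauth:grant-type:device_code."""
        p = self.by_device.get(device_code)
        if p is None:
            return {"error": "invalid_grant"}
        if now > p.expires_at:
            return {"error": "expired_token"}
        if p.tokens is None:
            return {"error": "authorization_pending"}
        return p.tokens


def run_phish(victim_delay_s: int = 300) -> dict:
    """Replay the four steps from the article against the toy server.
    victim_delay_s is how long the victim takes to act on the phishing message."""
    srv = AuthorizationServer()
    t0 = 1_700_000_000  # arbitrary epoch seconds; the server never reads a real clock

    # Steps 1-2: the attacker starts a device login and receives both codes.
    grant = srv.device_authorization("office-like-client", "Mail.Read Files.Read", t0)

    # The attacker polls before the victim has acted: nothing yet.
    first_poll = srv.token(grant["device_code"], t0 + 5)

    # Step 3: only user_code + verification_uri go to the victim.
    # Step 4: the victim visits the real page and enters code, password and MFA.
    t_victim = t0 + victim_delay_s
    page = srv.verification_page(grant["user_code"], "victim@example.test",
                                 "correct horse battery staple", True, t_victim)

    # The attacker polls again with the device_code it kept and collects the tokens.
    second_poll = srv.token(grant["device_code"], t_victim + 5)
    return {"first_poll": first_poll, "page": page, "second_poll": second_poll}


if __name__ == "__main__":
    print(run_phish())                                    # attacker receives tokens
    print(run_phish(victim_delay_s=CODE_LIFETIME_S + 60))  # victim too slow: code expired
```

Two things to notice when running it: the attacker's first poll gets `authorization_pending` and the second gets a refresh token with the victim as subject, and the second run shows why phishing messages in this technique always press for urgency, since a victim who waits past the code's lifetime hands the attacker nothing.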
Once inside, the attacker holds the same tokens a legitimate device would, including a refresh token that can mint new access tokens long after the phishing message is gone. From there the attacker can register a new device or simply keep the session alive, activity that looks like ordinary user behaviour and reduces the likelihood of immediate detection.
Why This Matters to Financial Firms
This technique is particularly concerning because it effectively circumvents MFA protections. The user is not bypassing MFA. Rather, the user is completing the MFA step on behalf of the attacker. It’s analogous to unlocking your front door for a stranger and then holding the door open for them. They don’t need your key. You’ve given them a way in without it.
For organizations, this represents a shift in threat dynamics. The risk is no longer just credential theft, but user-driven authorization of malicious access.
How to Protect Your Organization
At Salus GRC, we evaluate this risk as part of our cloud security assessments for cybersecurity clients. In the meantime, organizations can take several practical steps to reduce exposure:
- Restrict Device Code Flow where unnecessary – Most users and applications never need it. In Microsoft Entra ID, Conditional Access has an "Authentication flows" condition that can block device code flow for everyone except the accounts and devices that genuinely use it; other identity providers offer similar per-application controls.
- Strengthen Conditional Access policies – Require a compliant or managed device, restrict sign-ins by location, and feed sign-in risk signals into the policy, so that a valid code plus valid credentials is not by itself enough to obtain a token.
- Enhance user awareness training – Teach employees that a legitimate login never arrives as a code sent by someone else. Any message asking them to visit a sign-in page and type a code they did not generate themselves should be reported, even when the page is the real one.
- Monitor for anomalous session activity – Entra ID sign-in logs record the authentication protocol used, so device code sign-ins can be filtered out and reviewed. Alert on them when they come from an unfamiliar address or are followed shortly by a new device registration or a new session from a different location.
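The monitoring step above, as an added example that is not part of the original article: a small detector run over constructed sign-in and audit records. The record layout is modeled on an Entra ID sign-in log export (protocol value `deviceCode`, a "Register device" audit activity), but the field names are an assumption and should be mapped onto the columns of whatever export you actually have. It flags a device code sign-in when the source address is outside the user's 30-day baseline of ordinary sign-ins, or when a device registration follows within an hour.

```python
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed sample records (not real log data). Field names are modeled on
# an Entra ID sign-in / audit log export; treat them as an assumption.
SIGN_INS: List[Dict[str, str]] = [
    {"createdDateTime": "2025-03-03T08:01:00Z", "userPrincipalName": "alice@corp.test",
     "ipAddress": "203.0.113.10", "authenticationProtocol": "none", "appDisplayName": "Outlook"},
    {"createdDateTime": "2025-03-10T08:05:00Z", "userPrincipalName": "alice@corp.test",
     "ipAddress": "203.0.113.10", "authenticationProtocol": "none", "appDisplayName": "Teams"},
    # the phish: a device code sign-in from an address alice has never used
    {"createdDateTime": "2025-03-12T14:22:00Z", "userPrincipalName": "alice@corp.test",
     "ipAddress": "198.51.100.77", "authenticationProtocol": "deviceCode",
     "appDisplayName": "Microsoft Office"},
    # bob legitimately pairs a meeting-room device from the office network
    {"createdDateTime": "2025-03-01T09:00:00Z", "userPrincipalName": "bob@corp.test",
     "ipAddress": "203.0.113.20", "authenticationProtocol": "none", "appDisplayName": "Teams"},
    {"createdDateTime": "2025-03-12T10:00:00Z", "userPrincipalName": "bob@corp.test",
     "ipAddress": "203.0.113.20", "authenticationProtocol": "deviceCode",
     "appDisplayName": "Microsoft Teams Rooms"},
]
AUDITS: List[Dict[str, str]] = [
    {"activityDateTime": "2025-03-12T14:34:00Z", "initiatedBy": "alice@corp.test",
     "activityDisplayName": "Register device", "target": "DESKTOP-Q1W2E3"},
]


def _ts(s: str) -> datetime:
    """Parse the Zulu timestamps used in the export into aware datetimes."""
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def baseline_ips(sign_ins: List[Dict[str, str]], user: str, before: datetime,
                 lookback: timedelta = timedelta(days=30)) -> set:
    """Addresses the user signed in from during the lookback window before `before`.
    Device code sign-ins are excluded so a phish cannot launder its own address
    into the baseline that later device code sign-ins are judged against."""
    return {s["ipAddress"] for s in sign_ins
            if s["userPrincipalName"] == user
            and s["authenticationProtocol"] != "deviceCode"
            and before - lookback <= _ts(s["createdDateTime"]) < before}


def find_suspicious_device_code_sign_ins(sign_ins: List[Dict[str, str]],
                                         audits: List[Dict[str, str]],
                                         window: timedelta = timedelta(hours=1)) -> List[dict]:
    """Return one finding per device code sign-in that trips at least one rule."""
    findings = []
    for s in sign_ins:
        if s["authenticationProtocol"] != "deviceCode":
            continue
        user, t = s["userPrincipalName"], _ts(s["createdDateTime"])
        reasons = []
        if s["ipAddress"] not in baseline_ips(sign_ins, user, t):
            reasons.append("ip_outside_30d_baseline")
        for a in audits:
            dt = _ts(a["activityDateTime"]) - t
            if (a["initiatedBy"] == user and a["activityDisplayName"] == "Register device"
                    and timedelta(0) <= dt <= window):
                mins = int(dt.total_seconds() // 60)
                reasons.append(f"device_registered_{mins}m_later:{a['target']}")
        if reasons:
            findings.append({"user": user, "time": s["createdDateTime"],
                             "ip": s["ipAddress"], "app": s["appDisplayName"],
                             "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_suspicious_device_code_sign_ins(SIGN_INS, AUDITS):
        print(f)
```

On the sample data only alice's sign-in is reported, with both reasons; bob's device code sign-in from his usual office address with no follow-on device registration stays quiet, which is the behaviour you want if device code flow is still allowed for a handful of legitimate shared devices.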
As authentication technologies evolve to improve usability, attackers will continue to adapt. Device Code Flow can be a valuable tool. But like many convenience-driven features, it must be carefully managed.
Organizations that combine strong technical controls with informed users will be best positioned to defend against this emerging threat.