This isn’t new, but it’s increasingly popular: > The technique is known as device code phishing. It exploits “device code > flow,” a form of authentication formalized in the industry-wide OAuth > standard. Authentication through device code flow is designed for logging > printers, smart TVs, and similar devices into accounts. These devices > typically don’t support browsers, making it difficult to sign in using more > standard forms of authentication, such as entering user names, passwords, and > two-factor mechanisms. > > Rather than authenticating the user directly, the input-constrained device > displays an alphabetic or alphanumeric device code along with a link > associated with the user account. The user opens the link on a computer or > other device that’s easier to sign in with and enters the code. The remote > server then sends a token to the input-constrained device that logs it into > the account...