User Code Brute Forcing
Since the user code is hand-entered by the user into an interface that does not yet know about the device being authorized, precautions should be taken to avoid the possibility of a brute force attack against the user code.
Typically a short code with much less entropy than used by authorization codes is used in order to be easily entered by hand. Because of this, it is recommended that the authorization server rate-limit the endpoint used to verify user codes.
The rate limit should be based on the entropy of the user code in order to make a brute force attack infeasible. For example, with 8 characters out of the 20-character set described above, that provides approximately 34 bits of entropy. log2(208) = 34.57
You can use this formula to calculate the bits of entropy when choosing an acceptable rate limit.
Remote Phishing
It is possible for the device flow to be initiated on a device in the attacker’s possession, in order to trick the user into authorizing the attacker’s device. For example, the attacker might send an SMS instructing the user to visit a URL and enter the user code.
To mitigate this risk, it is recommended that the authorization interface make it very clear to the user that they are authorizing a physical device to access their account, in addition to the standard information included in the authorization interface described in User Interface.