The Device Authorization Grant (Device Code Flow) is a practical way to authenticate users securely on devices without keyboards, such as smart TVs and IoT devices. It offloads the authentication step to a secondary device: the user receives a short verification code and enters it on a phone or laptop, after which the primary device can act on the user's behalf. The flow includes several key security features, such as short-lived codes, rate-limited polling, explicit user consent, and phishing resistance. It also has weaknesses that malicious actors can exploit, particularly when users are tricked into entering user codes that an attacker generated. To defend against these attacks, developers must educate users, restrict the device code grant to high-trust applications, apply conditional access and anomaly detection, monitor token usage patterns, and never assume a request is safe just because the user landed on a trusted domain.
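The following added example is not from the original page; it is a small, self-contained simulation of the authorization-server side of the device grant (the roles and error codes follow RFC 8628) that shows how the defensive controls above fit together: the grant is limited to an allow-list of trusted client IDs, user codes expire, polling is rate-limited with `slow_down`, device codes are single use, and an approval that arrives from a different country than the device that requested the code is blocked and written to an audit log. The client ID `tv-app`, the verification URI, the IP addresses and the IP-to-country table are all constructed placeholders, and the `FakeClock` exists only so the scenario runs deterministically offline.

```python
import secrets
import time
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample data: a coarse IP -> country table standing in for a real geo-IP lookup.
GEO_TABLE = {"203.0.113.10": "DE", "203.0.113.77": "DE", "198.51.100.5": "BR"}

# Consonant-only alphabet for user codes: no accidental words, no 0/O or 1/I confusion.
USER_CODE_ALPHABET = "BCDFGHJKLMNPQRSTVWXZ"


@dataclass
class DeviceAuth:
    device_code: str
    user_code: str
    client_id: str
    device_ip: str
    issued_at: float
    expires_in: int
    interval: int
    last_poll: Optional[float] = None
    status: str = "pending"  # pending | approved | denied
    risk_flags: list = field(default_factory=list)


class DeviceAuthServer:
    """Illustrative authorization server for the device grant (added example, not a real product)."""

    def __init__(self, trusted_clients, lifetime=600, interval=5, clock=time.time):
        self.trusted_clients = set(trusted_clients)  # only high-trust apps may use this grant
        self.lifetime, self.interval, self.clock = lifetime, interval, clock
        self.by_device, self.by_user_code, self.audit = {}, {}, []

    def device_authorization(self, client_id, device_ip):
        if client_id not in self.trusted_clients:
            return {"error": "unauthorized_client"}
        user_code = "-".join("".join(secrets.choice(USER_CODE_ALPHABET) for _ in range(4)) for _ in range(2))
        auth = DeviceAuth(secrets.token_urlsafe(32), user_code, client_id, device_ip,
                          self.clock(), self.lifetime, self.interval)
        self.by_device[auth.device_code] = auth
        self.by_user_code[user_code] = auth
        return {"device_code": auth.device_code, "user_code": user_code,
                "verification_uri": "https://as.example/device",  # hypothetical URI
                "expires_in": self.lifetime, "interval": self.interval}

    def _expired(self, auth):
        return self.clock() > auth.issued_at + auth.expires_in

    def _forget(self, auth):
        self.by_device.pop(auth.device_code, None)
        self.by_user_code.pop(auth.user_code, None)

    def user_approves(self, user_code, user, user_ip):
        """Called by the web page on the user's phone/laptop after explicit consent."""
        auth = self.by_user_code.get(user_code.upper())
        if auth is None or self._expired(auth) or auth.status != "pending":
            return {"status": "invalid"}
        # Anomaly check: the device that asked for the code and the user approving it
        # should normally be in the same place; a mismatch is a classic phishing signal.
        if GEO_TABLE.get(user_ip) != GEO_TABLE.get(auth.device_ip):
            auth.risk_flags.append("geo_mismatch")
        if auth.risk_flags:
            auth.status = "denied"
            self.audit.append(("blocked", user, auth.client_id, list(auth.risk_flags)))
            return {"status": "blocked", "risk": list(auth.risk_flags)}
        auth.status = "approved"
        self.audit.append(("approved", user, auth.client_id))
        return {"status": "approved"}

    def token(self, device_code, client_id):
        """Polled by the device; enforces interval, expiry, consent and single use."""
        auth = self.by_device.get(device_code)
        if auth is None or auth.client_id != client_id:
            return {"error": "invalid_grant"}
        if self._expired(auth):
            self._forget(auth)
            return {"error": "expired_token"}
        now = self.clock()
        if auth.last_poll is not None and now - auth.last_poll < auth.interval:
            auth.interval += 5  # RFC 8628: a slow_down response means "add 5 seconds"
            auth.last_poll = now
            return {"error": "slow_down", "interval": auth.interval}
        auth.last_poll = now
        if auth.status == "pending":
            return {"error": "authorization_pending"}
        if auth.status == "denied":
            self._forget(auth)
            return {"error": "access_denied"}
        self._forget(auth)  # device code is single use: a replay gets invalid_grant
        return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer"}


class FakeClock:
    """Deterministic clock for the scenario below (test scaffolding, not part of the protocol)."""
    def __init__(self, t=1_000_000.0): self.t = t
    def __call__(self): return self.t
    def advance(self, seconds): self.t += seconds


def demo():
    clock = FakeClock()
    srv = DeviceAuthServer(trusted_clients={"tv-app"}, clock=clock)
    out = {"untrusted": srv.device_authorization("random-cli", "203.0.113.10")}
    start = srv.device_authorization("tv-app", "203.0.113.10")
    dc = start["device_code"]
    out["first_poll"] = srv.token(dc, "tv-app")  # authorization_pending
    clock.advance(1)
    out["fast_poll"] = srv.token(dc, "tv-app")  # slow_down, interval grows to 10
    clock.advance(10)
    out["same_country"] = srv.user_approves(start["user_code"], "alice", "203.0.113.77")
    out["token"] = srv.token(dc, "tv-app")
    out["replay"] = srv.token(dc, "tv-app")  # invalid_grant: code already consumed
    start2 = srv.device_authorization("tv-app", "203.0.113.10")
    out["cross_geo"] = srv.user_approves(start2["user_code"], "bob", "198.51.100.5")
    clock.advance(5)
    out["cross_geo_token"] = srv.token(start2["device_code"], "tv-app")  # access_denied
    start3 = srv.device_authorization("tv-app", "203.0.113.10")
    clock.advance(601)
    out["expired"] = srv.token(start3["device_code"], "tv-app")  # expired_token
    return out


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:16} {result}")
```

The geo check is deliberately coarse; a production server would feed the same signals (client ID, device and approver network, time between issue and approval, poll cadence) into its conditional-access policy and SIEM rather than hard-coding a country comparison, but the shape of the control is the same: the approval page, not the device, is where the phishing signal is visible, so that is where the decision has to be made.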