[keycloak-dev] credential management

Stian Thorgersen stian at redhat.com
Tue Aug 13 08:42:33 EDT 2013



----- Original Message -----
> From: "Bill Burke" <bburke at redhat.com>
> To: "Stian Thorgersen" <stian at redhat.com>
> Cc: keycloak-dev at lists.jboss.org
> Sent: Tuesday, 13 August, 2013 1:12:52 PM
> Subject: Re: [keycloak-dev] credential management
> 
> 
> 
> On 8/13/2013 7:36 AM, Stian Thorgersen wrote:
> > I like the idea of never allowing admins to see passwords. Temporary
> > passwords are not very nice. It would require always having a
> > verified means to communicate with the user though (email, SMS, others?).
> >
> 
> How can you implement forgot credentials then without a verified means
> to communicate with the user?  (email, sms, *AND* voice).

I think it's an acceptable requirement that users provide some verified means of communicating with them. In the event that a user has lost access to whatever that was (for example they've changed ISPs and lost their ISP-provided email), the user would have to call or contact support to have them change the associated contact mechanism (which would require them to answer some horrible security questions).

> 
> I wonder how admins feel about the "Security Questions" (i.e. mother's
> maiden name) Then there would be no need to send an email.

I think recovering an account without access to whatever verified contact details they provided when creating the account should only be possible by manually contacting support. For example, there aren't many colours in the world, so brute-forcing that would be incredibly simple.

> 
> > We should also have an option on the realm that self-registered users are
> > required to confirm their email address (send email with verification
> > link).
> >
> 
> Lol, this will be one long-ass oauth redirection protocol and client_id,
> state, redirect_uri etc... parameters are gonna be passed around over
> and over....

Yes, it could be tricky with OAuth, but it is a common requirement that users verify their email address when registering, so it needs to be supported somehow.

> 
> > Thinking about security issues, at the moment the login form shows an error
> > message that says the username is invalid. This allows attackers to confirm
> > the existence of user accounts, which is not good. It should simply state
> > "invalid username/password".
> >
> 
> K, logged a JIRA:
> 
> https://issues.jboss.org/browse/KEYCLOAK-31
> 
> > ----- Original Message -----
> >> From: "Bill Burke" <bburke at redhat.com>
> >> To: keycloak-dev at lists.jboss.org
> >> Sent: Monday, 12 August, 2013 10:12:31 PM
> >> Subject: [keycloak-dev] credential management
> >>
> >> Registration
> >> * new password and password confirmation
> >> * TOTP secret and QR generation and confirmation.
> >>
> >> Forgot password
> >> * Email sent to user with URL enclosed
> >> * If required by realm, ask one or more random questions i.e.:
> >> - What is your mother's maiden name?
> >> - What are the last 4 digits of your social security number?
> >> - What is the name of your first pet?
> >> - When did you lose your virginity?
> >> - What is your birthday?
> >> * User enters new password and confirmation
> >>
> >> Change Password:
> >> * Old Password
> >> * New Password
> >> * Confirm new Password
> >>
> >> Lost Authenticator
> >> * Admin must create a temporary token and speak it to user
> >> * User can log in with this temporary token and head to their account
> >> management page.  Token expires after a certain amount of time.
> >> or
> >> * Ask one or more random questions as in Forgot password
> >>
> >> Admin user creation:
> >> * Email with a link is sent to user.  Link prompts user for credential
> >> set up.
> >> * Or, generate a temporary password that must be reset by the user on next
> >> login.  Temporary password is spoken to user or given to them by some
> >> other means.
> >>
> >>
> >> When a user logs in keycloak must check to see if
> >> * A temporary password was created and the user must enter a new one
> >> * Registration is incomplete and new credentials must be set up, i.e. an
> >> authenticator.
> >>
> >> Are there any security holes here?  One idea I have is that the admin
> >> would never ever see a credential.  For user creation, a temporary
> >> password is emailed to the user and never seen by the admin, or the user
> >> would have to register.
> >>
> >>
> >> --
> >> Bill Burke
> >> JBoss, a division of Red Hat
> >> http://bill.burkecentral.com
> >> _______________________________________________
> >> keycloak-dev mailing list
> >> keycloak-dev at lists.jboss.org
> >> https://lists.jboss.org/mailman/listinfo/keycloak-dev
> >>
> 
> --
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com
> 
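The two login-time points raised in this thread, a single generic "invalid username/password" error so the form cannot be used to confirm that an account exists, and the post-login checks for a temporary password or incomplete registration, as an added example that is neither part of this thread nor Keycloak's own code; the in-memory user store, PBKDF2 hashing and the action names are assumptions.

```python
# Added illustration, not Keycloak code: uniform login failure plus the
# "required actions" a login must report (temporary password, TOTP not set up).
import hashlib
import hmac
import os
import secrets
from typing import Optional, Tuple

GENERIC_ERROR = "invalid username/password"


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256; returns (salt, digest)."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def _record(password: str, temporary: bool, totp_configured: bool) -> dict:
    salt, digest = hash_password(password)
    return {"salt": salt, "hash": digest,
            "temporary": temporary, "totp_configured": totp_configured}


# Constructed user store (assumption): one normal user, one created by an admin
# with a temporary password and no authenticator yet.
USERS = {
    "alice": _record("correct horse", temporary=False, totp_configured=True),
    "bob": _record("temp-1234", temporary=True, totp_configured=False),
}
# Dummy credential used for unknown usernames so the same hashing work is done.
_DUMMY_SALT, _DUMMY_HASH = hash_password(secrets.token_hex(16))


def login(username: str, password: str) -> dict:
    """Return {"ok": False, "error": ...} or {"ok": True, "required_actions": [...]}.

    Unknown user and wrong password produce the identical response and the
    same amount of hashing, so neither the message nor timing confirms an account.
    """
    user = USERS.get(username)
    salt, expected = (user["salt"], user["hash"]) if user else (_DUMMY_SALT, _DUMMY_HASH)
    _, candidate = hash_password(password, salt)
    if user is None or not hmac.compare_digest(candidate, expected):
        return {"ok": False, "error": GENERIC_ERROR}
    actions = []
    if user["temporary"]:
        actions.append("UPDATE_PASSWORD")   # temporary password must be replaced now
    if not user["totp_configured"]:
        actions.append("CONFIGURE_TOTP")    # registration incomplete: set up authenticator
    return {"ok": True, "required_actions": actions}
```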