[keycloak-dev] Device registration and verification

Stian Thorgersen stian at redhat.com
Fri Jan 9 08:29:01 EST 2015



----- Original Message -----
> From: "Pedro Igor Silva" <psilva at redhat.com>
> To: "Stian Thorgersen" <stian at redhat.com>
> Cc: "keycloak dev" <keycloak-dev at lists.jboss.org>
> Sent: Friday, 9 January, 2015 12:44:20 PM
> Subject: Re: [keycloak-dev] Device registration and verification
> 
> ----- Original Message -----
> > From: "Stian Thorgersen" <stian at redhat.com>
> > To: "Pedro Igor Silva" <psilva at redhat.com>
> > Cc: "keycloak dev" <keycloak-dev at lists.jboss.org>
> > Sent: Friday, January 9, 2015 5:02:16 AM
> > Subject: Re: [keycloak-dev] Device registration and verification
> > 
> > Requiring email seems unnecessary and awkward to me. The normal flow I've
> > seen (at least on Android) is that you simply login with your username and
> > password on the device. You can then go into your account later and list
> > devices that are registered.
> 
> I was thinking more about browser-based scenarios. Mobile behaves differently
> but similarly. In any case, the idea is to secure the user account based on the
> devices he usually uses to access something. If that changes, it might be a
> threat.

Sure, but what you're actually talking about here is using email as a 2nd-factor authentication, right?

My plan was that we'd have more ways to do 2nd factor auth (sms, email, google authenticator, yubikey, custom) and have an option on a realm to enable "trusted" devices. If the realm has trusted devices enabled then the user only has to use the 2nd factor authentication say every 30 days or so.

> 
> > 
> > IMO we need to have a bigger discussion on how mobile and devices which
> > includes the AeroGear guys.
> > 
> > ----- Original Message -----
> > > From: "Pedro Igor Silva" <psilva at redhat.com>
> > > To: "keycloak dev" <keycloak-dev at lists.jboss.org>
> > > Sent: Friday, 9 January, 2015 12:09:47 AM
> > > Subject: [keycloak-dev] Device registration and verification
> > > 
> > > Hi,
> > > 
> > >    I was wondering if we can support device registration and verification
> > >    during login as follows:
> > > 
> > >        1) Users can enable/disable behavior in admin console for a specific realm.
> > >        2) After a successful login, KC checks if the user's device is known.
> > >        For instance, Browser and Operating System.
> > >        3) If not recognized, KC shows a page asking user if he wants to enable the device.
> > >        4) KC sends an email to user with a code.
> > >        5) When trying to login again, user must provide the code to register the new device and get authenticated.
> > >        6) From now on, users can authenticate without asking for permission if using the same device.
> > > 
> > >    Any thoughts?
> > > 
> > > Regards.
> > > Pedro Igor
> > >     
> > > _______________________________________________
> > > keycloak-dev mailing list
> > > keycloak-dev at lists.jboss.org
> > > https://lists.jboss.org/mailman/listinfo/keycloak-dev
> > > 
> > 
> 

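The flow Pedro proposes (known-device check after login, e-mailed code, registration on the next login), combined with Stian's "trusted device for about 30 days" idea, modelled as an added Python example; this is not Keycloak code and not from the thread. It assumes an in-memory store and a caller-supplied send_email hook, and hashes both the device fingerprint and the one-time code so the store never holds either in the clear.

```python
import hashlib
import hmac
import secrets

TRUST_SECONDS = 30 * 24 * 3600  # Stian's "every 30 days or so" re-verification window


class DeviceRegistry:
    """Models the proposed flow: per-realm switch, known-device check after
    login, e-mailed code, registration on the next login, trusted-device expiry."""

    def __init__(self, realm_enabled=True, send_email=None):
        self.realm_enabled = realm_enabled                # step 1: realm-level toggle
        self.send_email = send_email or (lambda user, code: None)
        self.known = {}      # (user, fingerprint) -> registration time (epoch seconds)
        self.pending = {}    # (user, fingerprint) -> sha256 of the code that was mailed

    @staticmethod
    def fingerprint(browser, os_name):
        # step 2: "Browser and Operating System"; hashed so no raw UA string is stored
        return hashlib.sha256(f"{browser}|{os_name}".encode()).hexdigest()

    def after_login(self, user, browser, os_name, now):
        """Called after a successful password login.
        Returns 'ok' (device trusted) or 'verify' (a code was mailed, step 4)."""
        if not self.realm_enabled:
            return "ok"
        fp = self.fingerprint(browser, os_name)
        registered = self.known.get((user, fp))
        if registered is not None and now - registered < TRUST_SECONDS:
            return "ok"                                   # step 6: same device, still trusted
        code = f"{secrets.randbelow(10**6):06d}"          # 6-digit one-time code
        self.pending[(user, fp)] = hashlib.sha256(code.encode()).hexdigest()
        self.send_email(user, code)                       # step 3/4: user opted in, code mailed
        return "verify"

    def verify(self, user, browser, os_name, code, now):
        """Step 5: the code supplied on the next login registers this device."""
        fp = self.fingerprint(browser, os_name)
        expected = self.pending.get((user, fp))
        if expected is None:
            return False
        given = hashlib.sha256(code.encode()).hexdigest()
        if not hmac.compare_digest(expected, given):      # constant-time comparison
            return False
        del self.pending[(user, fp)]                      # code is single-use
        self.known[(user, fp)] = now
        return True
```

A failed `verify` leaves the pending code in place; a real deployment would also cap attempts and expire the code.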
