[keycloak-dev] Device registration and verification

Stian Thorgersen stian at redhat.com
Mon Jan 12 02:01:35 EST 2015



----- Original Message -----
> From: "Pedro Igor Silva" <psilva at redhat.com>
> To: "Stian Thorgersen" <stian at redhat.com>
> Cc: "keycloak dev" <keycloak-dev at lists.jboss.org>
> Sent: Friday, 9 January, 2015 4:09:51 PM
> Subject: Re: [keycloak-dev] Device registration and verification
> 
> ----- Original Message -----
> > From: "Stian Thorgersen" <stian at redhat.com>
> > To: "Pedro Igor Silva" <psilva at redhat.com>
> > Cc: "keycloak dev" <keycloak-dev at lists.jboss.org>
> > Sent: Friday, January 9, 2015 11:29:01 AM
> > Subject: Re: [keycloak-dev] Device registration and verification
> > 
> > 
> > 
> > ----- Original Message -----
> > > From: "Pedro Igor Silva" <psilva at redhat.com>
> > > To: "Stian Thorgersen" <stian at redhat.com>
> > > Cc: "keycloak dev" <keycloak-dev at lists.jboss.org>
> > > Sent: Friday, 9 January, 2015 12:44:20 PM
> > > Subject: Re: [keycloak-dev] Device registration and verification
> > > 
> > > ----- Original Message -----
> > > > From: "Stian Thorgersen" <stian at redhat.com>
> > > > To: "Pedro Igor Silva" <psilva at redhat.com>
> > > > Cc: "keycloak dev" <keycloak-dev at lists.jboss.org>
> > > > Sent: Friday, January 9, 2015 5:02:16 AM
> > > > Subject: Re: [keycloak-dev] Device registration and verification
> > > > 
> > > > Requiring email seems unnecessary and awkward to me. The normal flow I've
> > > > seen (at least on Android) is that you simply log in with your username and
> > > > password on the device. You can then go into your account later and list
> > > > devices that are registered.
> > > 
> > > I was thinking more about browser-based scenarios. Mobile behaves differently
> > > but similarly. In any case, the idea is to secure the user account based on the
> > > devices he usually uses to access something. If that changes, it might be a
> > > threat.
> > 
> > Sure, but what you're actually talking about here is using email as a 2nd
> > factor authentication right?
> 
> No. Email is not a 2nd factor authentication, but the code itself. Email is
> just how you send the code and also how you alert the user that someone is
> trying to access his account from an unrecognized device. In this case, the
> code is just an "activation code" (not an authentication code), we can even
> remove the code and just provide a confirmation link, for instance.
> 
> This is not about authenticating users, but authorization. Allowing access
> only from devices previously approved by the user. Let's say you usually
> access your bank from your home computer. But for some reason, you need
> temporary access from a LAN house computer. You probably don't want to allow
> access from LAN house computers later on.
> 
> > 
> > My plan was that we'd have more ways to do 2nd factor auth (sms, email,
> > google authenticator, yubikey, custom) and have an option on a realm to
> > enable "trusted" devices. If the realm has trusted devices enabled then the
> > user only has to use the 2nd factor authentication say every 30 days or so.
> 
> What I'm proposing is another security layer, which can be used together with
> 2nd factor authentication.

I see no difference, except for implementation details

> 
> > 
> > > 
> > > > 
> > > > IMO we need to have a bigger discussion on how mobile and devices which
> > > > includes the AeroGear guys.
> > > > 
> > > > ----- Original Message -----
> > > > > From: "Pedro Igor Silva" <psilva at redhat.com>
> > > > > To: "keycloak dev" <keycloak-dev at lists.jboss.org>
> > > > > Sent: Friday, 9 January, 2015 12:09:47 AM
> > > > > Subject: [keycloak-dev] Device registration and verification
> > > > > 
> > > > > Hi,
> > > > > 
> > > > >    I was wondering if we can support device registration and
> > > > >    verification during login as follows:
> > > > > 
> > > > >        1) Users can enable/disable behavior in admin console for a
> > > > >        specific realm.
> > > > >        2) After a successful login, KC checks if the user's device is
> > > > >        known. For instance, Browser and Operating System.
> > > > >        3) If not recognized, KC shows a page asking user if he wants
> > > > >        to enable the device.
> > > > >        4) KC sends an email to user with a code.
> > > > >        5) When trying to log in again, user must provide the code to
> > > > >        register the new device and get authenticated.
> > > > >        6) From now on, users can authenticate without asking for
> > > > >        permission if using the same device.
> > > > > 
> > > > >    Any thoughts?
> > > > > 
> > > > > Regards.
> > > > > Pedro Igor
> > > > >     
> > > > > _______________________________________________
> > > > > keycloak-dev mailing list
> > > > > keycloak-dev at lists.jboss.org
> > > > > https://lists.jboss.org/mailman/listinfo/keycloak-dev
> > > > > 
> > > > 
> > > 
> > 
> 
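Added illustration, not Keycloak code and not written by anyone on this thread: a minimal Python model of the six-step flow Pedro proposes (realm switch, Browser/OS device key, emailed activation code, "same device from now on"), plus the per-account device listing Stian mentions. The 15-minute code lifetime, the attempt cap, the six-digit code format, the token-table user-agent parser and the `outbox` list standing in for the mail server are all assumptions of this example.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field

CODE_TTL_SECONDS = 15 * 60   # assumed lifetime of an activation code (not stated in the thread)
MAX_CODE_ATTEMPTS = 5        # assumed: a pending activation dies after this many bad codes


def device_fingerprint(user_agent: str) -> str:
    """Coarse 'Browser/OS' label, the device key step 2 of the proposal suggests.
    The token tables below are a simplified stand-in for a real user-agent parser;
    order matters (Android UAs also contain 'linux', Chrome UAs also contain 'safari')."""
    ua = user_agent.lower()
    os_name = next((label for token, label in (
        ("android", "Android"), ("iphone", "iOS"), ("windows", "Windows"),
        ("mac os", "macOS"), ("linux", "Linux")) if token in ua), "UnknownOS")
    browser = next((label for token, label in (
        ("firefox", "Firefox"), ("chrome", "Chrome"), ("safari", "Safari"))
        if token in ua), "UnknownBrowser")
    return f"{browser}/{os_name}"


@dataclass
class PendingActivation:
    code_hash: bytes      # only a hash of the emailed code is kept server-side
    expires_at: float
    attempts: int = 0


@dataclass
class DeviceRegistry:
    enabled: bool = True                          # step 1: realm-level switch
    known: dict = field(default_factory=dict)     # user -> set of device fingerprints
    pending: dict = field(default_factory=dict)   # (user, fingerprint) -> PendingActivation
    outbox: list = field(default_factory=list)    # stand-in for the mail server: (user, code)

    @staticmethod
    def _hash(code: str) -> bytes:
        return hashlib.sha256(code.encode()).digest()

    def devices(self, user: str) -> list:
        """Account page view: which devices are currently trusted for this user."""
        return sorted(self.known.get(user, set()))

    def revoke(self, user: str, fingerprint: str) -> None:
        self.known.get(user, set()).discard(fingerprint)

    def login(self, user, user_agent, password_ok, *, enable_device=False, code=None, now=None):
        """Runs after the password check. Returns one of: 'denied', 'authenticated',
        'device_prompt', 'code_sent', 'code_required', 'code_invalid', 'code_expired'."""
        now = time.time() if now is None else now
        if not password_ok:
            return "denied"
        if not self.enabled:
            return "authenticated"
        fp = device_fingerprint(user_agent)
        if fp in self.known.get(user, set()):
            return "authenticated"                # step 6: known device, no prompt
        key = (user, fp)
        pend = self.pending.get(key)
        if pend is None:
            if not enable_device:
                return "device_prompt"            # step 3: ask whether to enable this device
            code_plain = f"{secrets.randbelow(10**6):06d}"
            self.pending[key] = PendingActivation(self._hash(code_plain), now + CODE_TTL_SECONDS)
            self.outbox.append((user, code_plain))  # step 4: the plaintext code only leaves by email
            return "code_sent"
        if now > pend.expires_at or pend.attempts >= MAX_CODE_ATTEMPTS:
            del self.pending[key]                 # stale or brute-forced activation: start over
            return "code_expired"
        if code is None:
            return "code_required"                # step 5: next login must carry the code
        pend.attempts += 1
        if not hmac.compare_digest(pend.code_hash, self._hash(code)):
            return "code_invalid"
        del self.pending[key]
        self.known.setdefault(user, set()).add(fp)  # device registered
        return "authenticated"


if __name__ == "__main__":
    reg = DeviceRegistry()
    ua = "Mozilla/5.0 (X11; Linux x86_64; rv:34.0) Gecko/20100101 Firefox/34.0"  # constructed sample
    print(reg.login("alice", ua, True))                        # device_prompt
    print(reg.login("alice", ua, True, enable_device=True))    # code_sent
    _, mailed_code = reg.outbox[-1]                            # what the user reads in the email
    print(reg.login("alice", ua, True, code=mailed_code))      # authenticated
    print(reg.login("alice", ua, True), reg.devices("alice"))  # authenticated ['Firefox/Linux']
```

The activation code is the only secret in this scheme, so the model treats it the way a password reset token is treated: hashed at rest, compared in constant time, short-lived and attempt-capped, so a leaked database or a guessing loop does not turn the "activation" into a second way in. A Browser/OS label is a weak device identity (anyone with the same browser family on the same OS collides), which is the caveat behind Stian's point that this ends up close to a trusted-device cache in front of a real second factor.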

