[keycloak-dev] Device registration and verification

Pedro Igor Silva psilva at redhat.com
Mon Jan 12 13:00:10 EST 2015


----- Original Message -----
> From: "Bill Burke" <bburke at redhat.com>
> To: "Pedro Igor Silva" <psilva at redhat.com>
> Cc: keycloak-dev at lists.jboss.org
> Sent: Monday, January 12, 2015 3:32:49 PM
> Subject: Re: [keycloak-dev] Device registration and verification
> 
> 
> 
> On 1/12/2015 10:56 AM, Pedro Igor Silva wrote:
> > ----- Original Message -----
> >> From: "Bill Burke" <bburke at redhat.com>
> >> To: keycloak-dev at lists.jboss.org
> >> Sent: Monday, January 12, 2015 1:39:35 PM
> >> Subject: Re: [keycloak-dev] Device registration and verification
> >>
> >>
> >>
> >> On 1/12/2015 10:06 AM, Pedro Igor Silva wrote:
> >>> ----- Original Message -----
> >>>> From: "Stian Thorgersen" <stian at redhat.com>
> >>>> To: "Pedro Igor Silva" <psilva at redhat.com>
> >>>> Cc: "keycloak dev" <keycloak-dev at lists.jboss.org>
> >>>> Sent: Monday, January 12, 2015 5:01:35 AM
> >>>> Subject: Re: [keycloak-dev] Device registration and verification
> >>>>
> >>>>
> >>>>
> >>>> ----- Original Message -----
> >>>>> From: "Pedro Igor Silva" <psilva at redhat.com>
> >>>>> To: "Stian Thorgersen" <stian at redhat.com>
> >>>>> Cc: "keycloak dev" <keycloak-dev at lists.jboss.org>
> >>>>> Sent: Friday, 9 January, 2015 4:09:51 PM
> >>>>> Subject: Re: [keycloak-dev] Device registration and verification
> >>>>>
> >>>>> ----- Original Message -----
> >>>>>> From: "Stian Thorgersen" <stian at redhat.com>
> >>>>>> To: "Pedro Igor Silva" <psilva at redhat.com>
> >>>>>> Cc: "keycloak dev" <keycloak-dev at lists.jboss.org>
> >>>>>> Sent: Friday, January 9, 2015 11:29:01 AM
> >>>>>> Subject: Re: [keycloak-dev] Device registration and verification
> >>>>>>
> >>>>>>
> >>>>>>
> >>>>>> ----- Original Message -----
> >>>>>>> From: "Pedro Igor Silva" <psilva at redhat.com>
> >>>>>>> To: "Stian Thorgersen" <stian at redhat.com>
> >>>>>>> Cc: "keycloak dev" <keycloak-dev at lists.jboss.org>
> >>>>>>> Sent: Friday, 9 January, 2015 12:44:20 PM
> >>>>>>> Subject: Re: [keycloak-dev] Device registration and verification
> >>>>>>>
> >>>>>>> ----- Original Message -----
> >>>>>>>> From: "Stian Thorgersen" <stian at redhat.com>
> >>>>>>>> To: "Pedro Igor Silva" <psilva at redhat.com>
> >>>>>>>> Cc: "keycloak dev" <keycloak-dev at lists.jboss.org>
> >>>>>>>> Sent: Friday, January 9, 2015 5:02:16 AM
> >>>>>>>> Subject: Re: [keycloak-dev] Device registration and verification
> >>>>>>>>
> >>>>>>>> Requiring email seems unnecessary and awkward to me. The normal flow I've
> >>>>>>>> seen (at least on Android) is that you simply login with your username
> >>>>>>>> and password on the device. You can then go into your account later and
> >>>>>>>> list devices that are registered.
> >>>>>>>
> >>>>>>> I was thinking more about browser-based scenarios. Mobile behaves
> >>>>>>> differently but similarly. In any case, the idea is to secure the user
> >>>>>>> account based on the devices he usually uses to access something. If that
> >>>>>>> changes, it might be a threat.
> >>>>>>
> >>>>>> Sure, but what you're actually talking about here is using email as a
> >>>>>> 2nd factor authentication right?
> >>>>>
> >>>>> No. Email is not a 2nd factor authentication, but the code itself. Email
> >>>>> is just how you send the code and also how you alert the user that someone
> >>>>> is trying to access his account from an unrecognized device. In this case,
> >>>>> the code is just an "activation code" (not an authentication code); we can
> >>>>> even remove the code and just provide a confirmation link, for instance.
> >>>>>
> >>>>> This is not about authenticating users, but authorization. Allowing
> >>>>> access only from devices previously approved by the user. Let's say you
> >>>>> usually access your bank from your home computer. But for some reason, you
> >>>>> need temporary access from a LAN house computer. You probably don't want
> >>>>> to allow access from LAN house computers later on.
> >>>>>
> >>>>>>
> >>>>>> My plan was that we'd have more ways to do 2nd factor auth (sms, email,
> >>>>>> google authenticator, yubikey, custom) and have an option on a realm to
> >>>>>> enable "trusted" devices. If the realm has trusted devices enabled then
> >>>>>> the user only has to use the 2nd factor authentication say every 30 days
> >>>>>> or so.
> >>>>>
> >>>>> What I'm proposing is another security layer, which can be used together
> >>>>> with 2nd factor authentication.
> >>>>
> >>>> I see no difference, except for implementation details
> >>>
> >>> There is a difference. Usually you see this feature in bank sites. Or even
> >>> in SalesForce if you try it out. It helps providers to increase security
> >>> by allowing access only from devices authorized by the user. You can even
> >>> not use 2nd factor authentication at all.
> >>>
> >>
> >> How is this different than a "remember me" button?
> >
> > "Remember me" will allow you to get authenticated. But if you provided only
> > temporary access from that device, you will not be able to proceed even
> > with "remember me" checked. However, if that device was approved for you
> > and marked as "trusted" you will be fine.
> >
> > This is not about authentication, but authorization ....
> >
> 
> Remember me is the same thing as authorizing your browser/machine.

Yes. But you don't track the devices (or PCs), when your last login from a device was, define how long you want to "remember" that device or whether you just want a single access from that computer, receive notifications of access from unauthorized devices and so forth.

In a sense that is much more than just seamlessly authenticating the user (and authorizing that computer).

> 
> 
> 
> --
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com
> 
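As an added example (not Keycloak code and not written by anyone in this thread), the following Python models the device-authorization layer discussed above: it runs after password (and any 2nd factor) checks pass, lets a session continue only from a device the account owner has approved, distinguishes a single access from a "trusted" device, records the last login per device, and raises a notification on access from an unrecognized or expired device. The class and function names, the 30-day trust period, the 15-minute activation-code lifetime, the 1-hour single-use window and the in-memory `alerts` list standing in for notification e-mails are all assumptions of the example.

```python
"""Device authorization after authentication (added example, not Keycloak code).
Approval is either one-time or 'trusted' for TRUST_PERIOD; unknown or expired
devices produce an alert. All names and time limits are assumptions."""
import hashlib
import secrets
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional

TRUST_PERIOD = timedelta(days=30)        # assumed; the thread mentions "say every 30 days"
SINGLE_USE_WINDOW = timedelta(hours=1)   # assumed: a one-time approval must be used soon
ACTIVATION_TTL = timedelta(minutes=15)   # assumed lifetime of an e-mailed activation code


@dataclass
class Device:
    device_id: str             # e.g. a random identifier bound to a cookie on first login
    single_use: bool           # "just a single access from that computer"
    approved_until: datetime   # trust expiry; a single-use device is removed after one use
    last_login: Optional[datetime] = None


@dataclass
class PendingActivation:
    code_hash: str             # only the hash of the e-mailed code is stored server-side
    device_id: str
    single_use: bool
    expires: datetime


@dataclass
class DeviceRegistry:
    devices: Dict[str, Dict[str, Device]] = field(default_factory=dict)  # user -> id -> Device
    pending: Dict[str, List[PendingActivation]] = field(default_factory=dict)
    alerts: List[str] = field(default_factory=list)  # stands in for the notification e-mails

    @staticmethod
    def _hash(code: str) -> str:
        return hashlib.sha256(code.encode()).hexdigest()

    def authorize(self, user: str, device_id: str, now: datetime) -> str:
        """Called once password (and any 2nd factor) checks have passed.
        Returns 'allowed', 'expired' or 'unknown'; only 'allowed' continues."""
        dev = self.devices.get(user, {}).get(device_id)
        if dev is None:
            self.alerts.append(f"{user}: login attempt from unrecognized device {device_id}")
            return "unknown"
        if now >= dev.approved_until:
            self.alerts.append(f"{user}: approval for device {device_id} has expired")
            return "expired"
        dev.last_login = now
        if dev.single_use:
            del self.devices[user][device_id]   # temporary access is consumed
        return "allowed"

    def request_activation(self, user: str, device_id: str, now: datetime,
                           single_use: bool = False) -> str:
        """Create an activation code for the user's e-mail. The plain code is
        returned only so the caller can send it; the store keeps its hash."""
        code = secrets.token_urlsafe(16)
        self.pending.setdefault(user, []).append(
            PendingActivation(self._hash(code), device_id, single_use, now + ACTIVATION_TTL))
        return code

    def activate(self, user: str, code: str, now: datetime) -> bool:
        """Consume an activation code (or confirmation link); on success the
        device is approved for one use or for TRUST_PERIOD."""
        code_hash = self._hash(code)
        live = [p for p in self.pending.get(user, []) if now < p.expires]
        self.pending[user] = live   # drop expired codes
        for pa in live:
            if secrets.compare_digest(pa.code_hash, code_hash):
                live.remove(pa)
                window = SINGLE_USE_WINDOW if pa.single_use else TRUST_PERIOD
                self.devices.setdefault(user, {})[pa.device_id] = Device(
                    pa.device_id, pa.single_use, now + window)
                return True
        return False

    def list_devices(self, user: str) -> List[Device]:
        """What the account page would show: registered devices and last logins."""
        return list(self.devices.get(user, {}).values())


def demo() -> dict:
    """Constructed walk-through of the thread's scenario: a trusted home PC and
    a single access from a LAN-house machine. Returns the decisions taken."""
    reg = DeviceRegistry()
    t0 = datetime(2015, 1, 12, 13, 0)
    r = {}
    r["first_home"] = reg.authorize("alice", "home-pc", t0)          # unknown -> alert
    code = reg.request_activation("alice", "home-pc", t0)            # would be e-mailed
    r["bad_code"] = reg.activate("alice", "not-the-code", t0)
    r["activated"] = reg.activate("alice", code, t0 + timedelta(minutes=1))
    r["home_again"] = reg.authorize("alice", "home-pc", t0 + timedelta(days=1))
    r["home_after_expiry"] = reg.authorize("alice", "home-pc", t0 + TRUST_PERIOD + timedelta(days=1))
    code2 = reg.request_activation("alice", "lan-house-pc", t0, single_use=True)
    reg.activate("alice", code2, t0)
    r["lan_once"] = reg.authorize("alice", "lan-house-pc", t0 + timedelta(minutes=5))
    r["lan_twice"] = reg.authorize("alice", "lan-house-pc", t0 + timedelta(minutes=10))
    r["alerts"] = len(reg.alerts)
    return r
```

The point the model makes concrete is the separation Pedro argues for: `authorize` never sees a password, it only decides whether an already-authenticated session may proceed from this device, and "remember me" style persistence would still be stopped once a single-use approval has been consumed or a trust period has lapsed. Storing only the hash of the activation code and comparing it in constant time keeps the e-mailed secret out of the database.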

