[keycloak-dev] Device registration and verification

Stian Thorgersen stian at redhat.com
Tue Jan 13 09:37:55 EST 2015



----- Original Message -----
> From: "Bill Burke" <bburke at redhat.com>
> To: "Stian Thorgersen" <stian at redhat.com>, "Pedro Igor Silva" <psilva at redhat.com>
> Cc: keycloak-dev at lists.jboss.org
> Sent: Tuesday, 13 January, 2015 3:35:18 PM
> Subject: Re: [keycloak-dev] Device registration and verification
> 
> 
> 
> On 1/12/2015 1:10 PM, Stian Thorgersen wrote:
> >> In a sense that is much more than just seamless authenticate (and
> >> authorize
> >> that computer) the user.
> >
> > I'm curious to see what you're proposing in a real system, but to me it
> > sounds like it's similar enough that a remember me and multi factor auth
> > mechanism would have the same level of security without complicating
> > things for the user.
> >
> 
> I don't think we need any special device registration and verification
> for users.  Any type of client registration should be done by app devs,
> not users.
> 
> For browsers, "remember me" and a persistent cookie is good enough.  For
> mobile and native apps, a refresh token can be stored.  We should
> probably have per-client overrides for things like access and refresh
> token timeouts.  We'll eventually add Client IP features so that a user
> doesn't have to use 2-factor auth if they are logging in from the same
> device from the same IP.

IMO, not requiring 2-factor auth from the same device should use a cookie, not IP.

> 
> 
> 
> --
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com
> 
