[keycloak-dev] Device registration and verification
Pedro Igor Silva
psilva at redhat.com
Tue Jan 13 10:10:16 EST 2015
----- Original Message -----
> From: "Bill Burke" <bburke at redhat.com>
> To: "Stian Thorgersen" <stian at redhat.com>, "Pedro Igor Silva" <psilva at redhat.com>
> Cc: keycloak-dev at lists.jboss.org
> Sent: Tuesday, January 13, 2015 12:35:18 PM
> Subject: Re: [keycloak-dev] Device registration and verification
>
>
>
> On 1/12/2015 1:10 PM, Stian Thorgersen wrote:
> >> In a sense that is much more than just seamless authenticate (and
> >> authorize
> >> that computer) the user.
> >
> > I'm curious to see what you're proposing in a real system, but to me it
> > sounds like it's similar enough that a remember me and multi factor auth
> > mechanism would have the same level of security without complicating
> > things for the user.
> >
>
> I don't think we need any special device registration and verification
> for users. Any type of client registration should be done by app devs,
> not users.
>
> For browsers, "remember me" and a persistent cookie is good enough. For
> mobile and native apps, a refresh token can be stored. We should
> probably have per-client overrides for things like access and refresh
> token timeouts. We'll eventually add Client IP features so that a user
> doesn't have to use 2-factor auth if they are logging in from the same
> device from the same IP.
My proposal is all based on browsers, people using their desktops. So you can have an alias for a computer and use a cookie + IP (or even track information from the user-agent) to support the features I suggested before. If IP changed or user is using a unrecognized user-agent you notify the user. Sometimes this sucks, because your IP may change often depending on your network, but I think it is a nice feature to have.
>
>
>
> --
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com
>
More information about the keycloak-dev
mailing list