[keycloak-dev] Device registration and verification

Bill Burke bburke at redhat.com
Tue Jan 13 10:42:07 EST 2015 


On 1/13/2015 10:22 AM, Stan Silvert wrote:
> On 1/13/2015 9:35 AM, Bill Burke wrote:
>>
>> On 1/12/2015 1:10 PM, Stian Thorgersen wrote:
>>>> In a sense that is much more than just seamless authenticate (and authorize
>>>> that computer) the user.
>>> I'm curious to see what you're proposing in a real system, but to me it sounds like it's similar enough that a remember me and multi factor auth mechanism would have the same level of security without complicating things for the user.
>>>
>> I don't think we need any special device registration and verification
>> for users.  Any type of client registration should be done by app devs,
>> not users.
>>
>> For browsers, "remember me" and a persistent cookie is good enough.  For
>> mobile and native apps, a refresh token can be stored.  We should
>> probably have per-client overrides for things like access and refresh
>> token timeouts.  We'll eventually add Client IP features so that a user
>> doesn't have to use 2-factor auth if they are logging in from the same
>> device from the same IP.
> I can tell you what my bank does.  I have the usual login/remember me
> function.  But if I want to access something that is more sensitive than
> my basic account balance and such, I need to authorize my device.  This
> is done by getting the bank to send me a code via email or text.  I then
> enter the code in the site and I'm issued a cookie so that the device
> doesn't have to go through this process again.
>

I would suggest the bank use OTP rather than this device registration 
you talk of.

> So this is quite different from "remember me", which only applies to
> authentication.  If someone finds out my credentials they still can't
> get high level authorization to my account without physical access to my
> device.
>

This is no different than OTP.  Hacker could find a user's password, but 
they still need the OTP device to log in.

> IMO, it would be a nice feature to implement in keycloak so that app
> devs don't have to.

IMO, too many ways to do the same thing is not a good idea.  App devs 
should use OTP.

How you set up OTP is another separate matter.  For example, World of 
Warcraft has OTP.  The OTP generator is set up *PER DEVICE*.  So if you 
lose your iphone, you have to call up Blizzard support and answer a 
bunch of personal questions before they disable OTP.  The other option 
they have is for you to register your mobile number.  So, if you lose 
you iphone and get another, you can disable OTP through an SMS exchange 
with your new iphone.


-- 
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com

More information about the keycloak-dev mailing list