[keycloak-dev] Device registration and verification

Stian Thorgersen stian at redhat.com
Wed Jan 14 02:53:33 EST 2015 


----- Original Message -----
> From: "Bill Burke" <bburke at redhat.com>
> To: keycloak-dev at lists.jboss.org
> Sent: Tuesday, 13 January, 2015 4:42:07 PM
> Subject: Re: [keycloak-dev] Device registration and verification
> 
> 
> 
> On 1/13/2015 10:22 AM, Stan Silvert wrote:
> > On 1/13/2015 9:35 AM, Bill Burke wrote:
> >>
> >> On 1/12/2015 1:10 PM, Stian Thorgersen wrote:
> >>>> In a sense that is much more than just seamless authenticate (and
> >>>> authorize
> >>>> that computer) the user.
> >>> I'm curious to see what you're proposing in a real system, but to me it
> >>> sounds like it's similar enough that a remember me and multi factor auth
> >>> mechanism would have the same level of security without complicating
> >>> things for the user.
> >>>
> >> I don't think we need any special device registration and verification
> >> for users.  Any type of client registration should be done by app devs,
> >> not users.
> >>
> >> For browsers, "remember me" and a persistent cookie is good enough.  For
> >> mobile and native apps, a refresh token can be stored.  We should
> >> probably have per-client overrides for things like access and refresh
> >> token timeouts.  We'll eventually add Client IP features so that a user
> >> doesn't have to use 2-factor auth if they are logging in from the same
> >> device from the same IP.
> > I can tell you what my bank does.  I have the usual login/remember me
> > function.  But if I want to access something that is more sensitive than
> > my basic account balance and such, I need to authorize my device.  This
> > is done by getting the bank to send me a code via email or text.  I then
> > enter the code in the site and I'm issued a cookie so that the device
> > doesn't have to go through this process again.
> >
> 
> I would suggest the bank use OTP rather than this device registration
> you talk of.
> 
> > So this is quite different from "remember me", which only applies to
> > authentication.  If someone finds out my credentials they still can't
> > get high level authorization to my account without physical access to my
> > device.
> >
> 
> This is no different than OTP.  Hacker could find a user's password, but
> they still need the OTP device to log in.
> 
> > IMO, it would be a nice feature to implement in keycloak so that app
> > devs don't have to.
> 
> IMO, too many ways to do the same thing is not a good idea.  App devs
> should use OTP.
> 
> How you set up OTP is another separate matter.  For example, World of
> Warcraft has OTP.  The OTP generator is set up *PER DEVICE*.  So if you
> lose your iphone, you have to call up Blizzard support and answer a
> bunch of personal questions before they disable OTP.  The other option
> they have is for you to register your mobile number.  So, if you lose
> you iphone and get another, you can disable OTP through an SMS exchange
> with your new iphone.

There's also multi-level authentication. TOTP can be optional on a new device until you're trying to do something sensitive. The app can then check the authentication level provided for the specific token, if it's not high enough, redirect back to login pages on Keycloak to bump the authentication level (totp, email or whatever).

> 
> 
> --
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>

More information about the keycloak-dev mailing list