[keycloak-dev] Adaptive risk login

Thomas Darimont thomas.darimont at googlemail.com
Sun Aug 28 07:55:39 EDT 2016


Hello group,

I just had a look at a nice feature from Forge Rock AM called:
"Adaptive risk login".

From the book "Open Source Identity Management Patterns using OpenAM 10.x":
"Adaptive Risk authentication allows OpenAM to determine the risk of a
particular authentication, and decide whether additional authentication
steps are required due to the risk."

"The Adaptive Risk module has a risk threshold that is set manually, and by
default is set to 1. There are a variety of different authentication risks
which are each given a score. If the value of the score meets or exceeds
the risk threshold, then the authentication fails."

- Risk Threshold exceeded - if inherent risk for a particular (client
login) exceeds threshold
- Failed Authentications - if user had failed authentications recently
raise risk
- IP Address Range - if IP not in IP range raise risk
- IP Address History - if IP not in IP address history raise risk
- Known cookie - if a certain cookie + value not present raise risk
- Device cookie - if not a known or trusted device raise risk
- Time since last login - if last login > x days raise risk
- Profile attribute - if a profile (user) attribute is set raise risk
- GeoLocation - if IP geolocation based on
http://www.maxmind.com/app/country is not from a certain area raise risk
- RequestHeader - if certain request header is not present raise risk

These checks can be combined / inverted, which provides one with a flexible
system to specify rules.

I think a functionality like that would be a great addition to Keycloak.
Some of this functionality is already partially possible with Keycloak, but
only for some authenticators. It would be great to have more general
support in that regard.

Cheers,
Thomas
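As an added worked example (not part of the original post, and not code from Keycloak or OpenAM), the following standalone Java program models the scoring scheme described above: each check is a named predicate with a score, checks can be inverted, the scores of all checks that fire are summed, and meeting or exceeding the threshold marks the login as needing an additional authentication step. The class and field names (AdaptiveRiskEvaluator, LoginContext, RiskCheck), the CIDR range, the cookie and header names, the threshold of 3 and the sample login in main() are all assumptions constructed for the example; wiring it into a Keycloak Authenticator is left out on purpose.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.function.Predicate;

/** Standalone model of an adaptive-risk score check (assumption: not Keycloak's or OpenAM's API). */
public final class AdaptiveRiskEvaluator {

    /** Facts about one login attempt, as an authenticator would collect them. */
    public static final class LoginContext {
        public final String remoteIp;
        public final Map<String, String> headers;
        public final Map<String, String> cookies;
        public final Set<String> ipHistory;       // IPs this user has logged in from before
        public final int recentFailures;          // failed authentications in the recent window
        public final long daysSinceLastLogin;
        public final boolean profileFlagSet;      // e.g. a "requireStepUp" user attribute

        public LoginContext(String remoteIp, Map<String, String> headers, Map<String, String> cookies,
                            Set<String> ipHistory, int recentFailures, long daysSinceLastLogin,
                            boolean profileFlagSet) {
            this.remoteIp = remoteIp;
            this.headers = headers;
            this.cookies = cookies;
            this.ipHistory = ipHistory;
            this.recentFailures = recentFailures;
            this.daysSinceLastLogin = daysSinceLastLogin;
            this.profileFlagSet = profileFlagSet;
        }
    }

    /** One risk rule: a named predicate that adds its score whenever it holds. */
    public static final class RiskCheck {
        public final String name;
        public final int score;
        private final Predicate<LoginContext> raisesRisk;

        public RiskCheck(String name, int score, Predicate<LoginContext> raisesRisk) {
            this.name = name;
            this.score = score;
            this.raisesRisk = raisesRisk;
        }

        /** Inverted rule: fires when the original condition does NOT hold. */
        public RiskCheck inverted() {
            return new RiskCheck("NOT " + name, score, raisesRisk.negate());
        }

        boolean fires(LoginContext ctx) {
            return raisesRisk.test(ctx);
        }
    }

    /** Outcome of an evaluation: total score, which checks fired, and the threshold decision. */
    public static final class Result {
        public final int totalScore;
        public final List<String> triggered;
        public final boolean stepUpRequired;

        Result(int totalScore, List<String> triggered, boolean stepUpRequired) {
            this.totalScore = totalScore;
            this.triggered = Collections.unmodifiableList(triggered);
            this.stepUpRequired = stepUpRequired;
        }
    }

    /** Sums the scores of all checks that fire; meeting or exceeding the threshold requires step-up. */
    public static Result evaluate(List<RiskCheck> checks, LoginContext ctx, int threshold) {
        int total = 0;
        List<String> fired = new ArrayList<>();
        for (RiskCheck check : checks) {
            if (check.fires(ctx)) {
                total += check.score;
                fired.add(check.name);
            }
        }
        return new Result(total, fired, total >= threshold);
    }

    /** Minimal IPv4 CIDR membership test, e.g. inCidr("10.1.2.3", "10.0.0.0/8"). */
    public static boolean inCidr(String ip, String cidr) {
        String[] parts = cidr.split("/");
        int prefix = Integer.parseInt(parts[1]);
        int mask = prefix == 0 ? 0 : (-1 << (32 - prefix));
        return (toInt(ip) & mask) == (toInt(parts[0]) & mask);
    }

    private static int toInt(String ip) {
        int v = 0;
        for (String octet : ip.split("\\.")) {
            v = (v << 8) | Integer.parseInt(octet);
        }
        return v;
    }

    public static void main(String[] args) {
        // Constructed sample login: address outside the assumed corporate range, not seen
        // before for this user, one recent failure, no trusted cookie, 45 days since last login.
        LoginContext ctx = new LoginContext(
                "203.0.113.7",
                Collections.singletonMap("User-Agent", "Mozilla/5.0"),
                Collections.<String, String>emptyMap(),
                Collections.singleton("10.1.2.3"),
                1, 45, false);

        // One rule per check from the list above (Device cookie and GeoLocation omitted:
        // they need a device registry and a geo database this example does not ship).
        List<RiskCheck> checks = Arrays.asList(
                new RiskCheck("Failed Authentications", 1, c -> c.recentFailures > 0),
                new RiskCheck("IP Address Range", 1, c -> !inCidr(c.remoteIp, "10.0.0.0/8")),
                new RiskCheck("IP Address History", 1, c -> !c.ipHistory.contains(c.remoteIp)),
                new RiskCheck("Known cookie", 1, c -> !"1".equals(c.cookies.get("trusted"))),
                new RiskCheck("Time since last login", 1, c -> c.daysSinceLastLogin > 30),
                new RiskCheck("Profile attribute", 1, c -> c.profileFlagSet),
                new RiskCheck("RequestHeader", 1, c -> !c.headers.containsKey("X-Corp-Device")));

        Result r = evaluate(checks, ctx, 3);
        System.out.println("score=" + r.totalScore + " triggered=" + r.triggered
                + " stepUpRequired=" + r.stepUpRequired);
    }
}
```

In a real deployment the interesting part is the decision, not the failure: a Keycloak authenticator built on this would call the equivalent of "attempted" when stepUpRequired is false and fall through to the next step (OTP, WebAuthn, e-mail code) when it is true, and the triggered list is exactly what you want in the login event for later investigation.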