[keycloak-dev] Adaptive risk login

Marc Boorshtein marc.boorshtein at tremolosecurity.com
Mon Aug 29 13:06:10 EDT 2016


>> >
>> > VPNs are certainly not the solution in all cases as more and more
>> > applications are exposed directly on the Internet everyday.
>>
>> Very true (as are all your other statements) but my point about VPNs
>> wasn't that more people are using VPNs as a way to protect
>> applications (probably the opposite).  It's that VPNs can be easily
>> used to bypass many of the features of adaptive authentication.  Most
>> adaptive deployments I've seen rely on geo location mappings of IP
>> ranges to determine where users are logging in from.  Use an OpenVPN
>> into an Amazon/Google/Azure/Pick-Your-Favorite-Provider network and out
>> to the internet and that feature becomes useless.
>
>
> Yep, that's an issue. There are also bot farms. Not many people will
> issue an attack from their home address.
>
> Still has some level of protection. For example, VPNs are costly and tend to be
> rate limited.

If you're talking about a DDoS or script kiddies just running massive
sets of scripts against a target, sure, but I don't think KC (or any
authentication system) will be what stops that.  That'll be a
combination of network infrastructure and web application firewalls
screening out specific exploits.  Where I think the value of adaptive
auth is more likely to be is in a targeted attack with a known set of
credentials, where a set of actors is trying to leverage something they
have to get elevated privileges.  In which case getting a single
OpenVPN running on an AWS account could cost as little as a few
dollars and circumvent many of the risk barometers based on source IP.


>
>
> It does depend on what level of protection you are looking for. If it's for
> a web application and you're trying to block out script kiddies and other
> people looking for easy targets the rules don't have to be that complex.
>

Sure, but I don't think KC (or any authentication system) is going to
stop a script kiddie.  The vulnerabilities they are generally going
after are known exploits that haven't been patched and don't require
authentication.  Just watch the logs for a known WordPress site and
you won't see any requests for authentication from trollers (unless
it's with a specific exploit).  You'll see reams of attempts to hit
wp-admin with known exploits to bypass authentication altogether.

Even looking at the articles mentioned, everything is theoretical.
Adaptive authentication has been around for at least 8-10 years; you'd
think if it were used to great success there would be more success
stories rather than theories.  The new part they point out is the
addition of machine learning to the process to make more intelligent
decisions, which makes sense.  Something like Google's new CAPTCHA
system.  KC would make a great integration tool for something like
that.


PS: great conversation, really enjoy these types of discussions
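To make the point about source-IP risk barometers concrete, here is an added toy risk scorer (example code, not Keycloak's or the list members' code). The IP ranges, countries and scores are constructed; it shows that a geo-only score rates a login routed through a cloud-hosted exit in the expected country as zero risk, while a scorer that also treats hosting/datacenter ranges and unrecognized devices as signals still asks for step-up.

```python
"""Toy adaptive-auth risk scorer. All ranges and weights are constructed."""
import ipaddress

# Constructed stand-in for a GeoIP/ASN database: network -> (country, range kind).
GEO_RANGES = {
    ipaddress.ip_network("198.51.100.0/24"): ("US", "residential"),  # user's home ISP
    ipaddress.ip_network("203.0.113.0/24"): ("RO", "residential"),   # unexpected country
    ipaddress.ip_network("192.0.2.0/24"): ("US", "hosting"),         # cloud provider range
}


def lookup(ip):
    """Return (country, kind) for an address, or ("??", "unknown") if unmapped."""
    addr = ipaddress.ip_address(ip)
    for net, info in GEO_RANGES.items():
        if addr in net:
            return info
    return ("??", "unknown")


def geo_only_score(ip, home_country):
    """Risk based purely on where the source IP geolocates (0..100)."""
    country, _ = lookup(ip)
    return 0 if country == home_country else 70


def layered_score(ip, home_country, known_device):
    """Geo check plus hosting-range and device-recognition signals (0..100)."""
    country, kind = lookup(ip)
    score = 0 if country == home_country else 40
    if kind in ("hosting", "unknown"):
        score += 30  # datacenter exit: geolocation says little about the real user
    if not known_device:
        score += 30  # first sight of this browser/device for the account
    return min(score, 100)


def decide(score):
    """Map a risk score to an authentication outcome."""
    if score < 30:
        return "allow"
    return "step-up" if score < 70 else "deny"


if __name__ == "__main__":
    # Login through a cloud VPN exit in the user's home country, unknown device.
    print("geo-only:", decide(geo_only_score("192.0.2.10", "US")))            # allow
    print("layered: ", decide(layered_score("192.0.2.10", "US", False)))      # step-up
```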

