[keycloak-dev] Adaptive risk login

Wed Aug 31 02:22:01 EDT 2016

user(s) attached device cookies will definitive add a lot of value to KC.
Simple enough to handle.

+1

Best regards
Mit freundlichen Grüßen
Cordialement

Francis Pouatcha
Founder and Technical Lead Group Adorsys

LinkedIn: http://www.linkedin.com/pub/francis-pouatcha/8/35a/542
adorsys GmbH & Co. KG, Germany:
http://www.youtube.com/watch?v=rVRkFGUNexo&authuser=0
Adorsys S.A., Cameroon: "African Software Competence Center"
Open https://github.com/adorsys

Cell USA: +1 770 329 7026
Cell Germany: +49 172 18 16 074
Cell Cameroon: +237 51 74 71 99

On Tue, Aug 30, 2016 at 11:31 AM, Stian Thorgersen <sthorger at redhat.com>
wrote:

>
>
> On 29 August 2016 at 19:06, Marc Boorshtein <marc.boorshtein@
> tremolosecurity.com> wrote:
>
>> >> >
>> >> > VPNs are certainly not the solution in all cases as more and more
>> >> > applications are exposed directly on the Internet everyday.
>> >>
>> >> Very true (as are all your other statements) but my point about VPNs
>> >> wasn't that more people are using VPNs as a way to protect
>> >> applications (probably the opposite).  Its that VPNs can be easily
>> >> used to bypass many of the features of adaptive authentication.  Most
>> >> adaptive deployments I've seen rely on geo location mappings of IP
>> >> ranges to determine where users are logging in from.  Use an OpenVPN
>> >> into a Amazon/Google/Azure/Pick-Your-Favorite-Proider network and out
>> >> to the internet and that feature becomes useless.
>> >
>> >
>> > Yep, that's an issue. There's also bot farms as well. Not many people
>> will
>> > issue an attack from their home address.
>> >
>> > Still has some level of protection. For example VPNs are costly, tend
>> to be
>> > rate limited.
>>
>> If you're talking about a DDoS or script kiddies just running massive
>> sets of scripts against a target, sure but I don't think KC (or any
>> authentication system) will be what stops that.  That'll be a
>> combination of network infrastructure and web application firewalls
>> screening out specific exploits.  Where the value of adaptive auth
>> would I think be more likely is a targeted attack with a known set of
>> credentials where a set of actors is trying to leverage something they
>> have to get elevated privileges.  In which case getting a single
>> openvpn running on an aws account could cost as little as a few
>> dollars and circumvent many of the risk barometers based on source ip.
>
>
>>
>> >
>> >
>> > It does depend on what level of protection you are looking for. If it's
>> for
>> > a web application and you're trying to block out script kiddies and
>> other
>> > people looking for easy targets the rules doesn't have to be that
>> complex.
>> >
>>
>> Sure, but I don't think KC (or any authentication system) is going to
>> stop a script kiddie.  The vulnerabilities they are generally going
>> after are known exploits that haven't been patched and don't require
>> authentication.  Just watch the logs for a known wordpress site and
>> you won't see any requests for authentication from trollers (unless
>> its with a specific exploit).  You'll see reams of trying to hit
>> wp-admin with known exploits to bypass authentication all-together.
>>
>
> It's certainly not going to stop attacks going after known exploits. The
> only real defense against that is limiting what's exposed and making sure
> everything that is exposed always has the latest security patches. The
> latter being one good reason for using a supported product rather than a
> community project as you are able to get patches to older versions as well
> as retrieve patches prior to the vulnerabilities being made public.
>
> Adaptive authentication could for instance stop someone trying to use
> common passwords with a list of known usernames. We have a rather naive
> brute force protection in Keycloak that prevents that to some degree, but
> it's far from sophisticated enough. For example it prevents many guesses to
> one user, but not few guesses to many users. However, that would more
> likely be the job of a intrusion detection system and firewalls to stop
> those type of attacks in either case.
>
>
>>
>> Even looking at the articles mentioned, everything is theoretical.
>> Adaptive authentication has been around for at least 8-10 years, you'd
>> think if it were used to great success there would be more success
>> stories rather then theories.  The new part they point out is the
>> addition of machine learning to the process to make more intelligent
>> decisions, which makes sense.  Something like Google's new captcha
>> system.  KC would make a great integration tool for something like
>> that.
>>
>
> You're right. Simple rules like an IP range are just not going to cut it.
> Much more complex and intelligent processing of data is required. If the
> rules are to defensive you also end up blocking legitimate users. In which
> case you need a way for the legitimate user to prove they are who they say
> you are. In which case you can send a mail or even use Google's reCAPTCHA.
> Even sending an email when you've detected a login from a new machine is
> useful to at least detect malicious access.
>
> One thing we should at least do is to add a device cookie which includes
> the user-id that is signed with the realm key. This would allow us to
> identify a device that has been used before. If we detect a new device we
> can introduce options such as send an email to verify the device, display a
> reCAPTCHA or even simply send an email to the user to notify about the
> login.
>
>
>>
>>
>> ps: great conversation, really enjoy these types of discussions
>>
>
> +1000
>
>
>
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-dev/attachments/20160831/5186a6bc/attachment-0001.html 