<div dir="ltr"><div class="gmail_extra">Should I add these in JIRA as feature requests?<br><br><div class="gmail_quote">On Thu, Mar 20, 2014 at 3:47 PM, Adrian Mitev <span dir="ltr"><<a href="mailto:adrian.mitev@gmail.com" target="_blank">adrian.mitev@gmail.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><br><div class="gmail_extra"><br><br><div class="gmail_quote"><div class="">On Thu, Mar 20, 2014 at 3:22 PM, Bill Burke <span dir="ltr"><<a href="mailto:bburke@redhat.com" target="_blank">bburke@redhat.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div><br>
<br>
On 3/20/2014 6:47 AM, Adrian Mitev wrote:<br>
> Hi guys! I'm very interested in Keycloak and would like to share with<br>
> you some ideas that come from user requirements I currently have or had<br>
> in the past that you may find useful to add in Keycloak.<br>
> * Automatically revoke access to user account after a (configurable)<br>
> number of invalid sign-on passwords until the system administrator has<br>
> unlocked the account or automatically after an administrator-defined<br>
> interval - I know that with such feature an attacker could lock user<br>
> accounts by simply knowing usernames/emails. However I have a case of an<br>
> Intranet application that is accessible only inside the company and<br>
> could trace such attackers by their ip addresses.<br>
<br>
</div>Working on Brute force detection now. First iteration will increasingly<br>
add a "not before" time on successive login failures. Second iteration<br>
will include IP address options.<br>
<div><br>
> * Record and report (i.e. email sending) on failed login attempts outlining<br>
> * Force password changes at regular (configurable) intervals or<br>
> * Automatically reset the password and send a new one to the user via email<br>
> * Can ensure that the new password has not been used before in a number<br>
> (configurable) of password changes<br>
> * Login using digital signature in a smart card or p12 file<br>
<br>
</div>This something different than OTP?<br></blockquote></div><div>A customer company has a policy that a password for user account should be changed every week. This counts for special type of users that access more sensitive information.<br>
<br></div><div class=""><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div><br>
> * Security questions for password recovery<br>
><br>
> Other that I found as issues in other Identity Providers<br>
> * Support many accounts (~10K) within a reasonable amount of time<br>
> * When providing an authentication client (maven dependency) add only<br>
> the needed set of dependencies. I know this sounds silly but I have<br>
> experience with a client library provided by the Identity Provider that<br>
> had a compile dependency to apache ant...<br>
><br>
<br>
</div>So far our adapters are installed once onto the app server.<br>
<span><font color="#888888"><br>
--<br>
Bill Burke<br>
JBoss, a division of Red Hat<br>
<a href="http://bill.burkecentral.com" target="_blank">http://bill.burkecentral.com</a><br>
_______________________________________________<br>
keycloak-dev mailing list<br>
<a href="mailto:keycloak-dev@lists.jboss.org" target="_blank">keycloak-dev@lists.jboss.org</a><br>
<a href="https://lists.jboss.org/mailman/listinfo/keycloak-dev" target="_blank">https://lists.jboss.org/mailman/listinfo/keycloak-dev</a><br>
</font></span></blockquote></div></div><br></div></div>
</blockquote></div><br></div></div>