[security-dev] managing OTP

Anil Saldhana Anil.Saldhana at redhat.com
Mon Aug 12 09:23:07 EDT 2013

On 08/12/2013 08:20 AM, Bill Burke wrote:
> On 8/12/2013 6:19 AM, Pedro Igor Silva wrote:
>> ----- Original Message -----
>>> From: "Bill Burke" <bburke at redhat.com>
>>> To: security-dev at lists.jboss.org
>>> Sent: Sunday, August 11, 2013 8:58:27 AM
>>> Subject: [security-dev] managing OTP
>>> There are a few issues with managing credentials.  The first is, there is
>>> no way to remove a credential.  This is essential to TOTP as you may end
>>> up with a lost or obsolete device.
>>> https://issues.jboss.org/browse/PLINK-236
>> I missed that too and have discussed that with Shane a long time ago. The idea is to have a history of all account's credentials.
> The reason for this is?
>> If a device becomes obsolete, you just set expiration date.
> It's not just TOTP, same with password.  Every time a user has a lost
> password two new obsolete ones are added to the database:  temporary
> one, then a password change.  Maybe not such a big deal with a few
> users, but when you get to tens, hundreds of thousands of users, won't
> this kind of be a problem?
There will be thousands of users for PicketLink IDM. As Bolek can 
attest, PL 1.x IDM had that usage.
Pedro, let's review this password/credential issue.

>>> The 2nd is that for TOTP, you will want to check every device on a
>>> credential validation rather than just one:
>>> https://issues.jboss.org/browse/PLINK-237
>>> Our own VPN allows me to set up multiple tokens.  I have one on my
>>> iphone and ipad just in case I lose one or the other.  Our VPN allows me
>>> to use either to log in.
>> Is it not a valid option to iterate over the user's devices and try each one?
> Sure, this is why this is an enhancement.
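The two behaviours debated above, retiring a credential by setting an expiration date (with a retention-based prune so the history does not grow without bound) and checking a TOTP code against every registered device rather than only the first, as an added Python example. This is constructed illustration code, not PicketLink IDM's implementation: the Account/TotpDevice classes, the device names, the second device secret and the timestamps are assumptions; the first secret and the expected codes come from the RFC 4226/6238 test vectors.

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass, field
from typing import List, Optional

# RFC 4226 / RFC 6238 test-vector secret (ASCII "12345678901234567890").
PHONE_SECRET = b"12345678901234567890"
# Second device secret, constructed for this example.
TABLET_SECRET = b"ABCDEFGHIJKLMNOPQRST"
STEP = 30      # TOTP time step in seconds
DIGITS = 6     # code length


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, step: int = STEP, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the current time step."""
    return hotp(secret, at // step, digits)


@dataclass
class TotpDevice:
    name: str
    secret: bytes
    expires_at: Optional[int] = None  # epoch seconds; None means still valid

    def is_active(self, now: int) -> bool:
        return self.expires_at is None or now < self.expires_at


@dataclass
class Account:
    login: str
    devices: List[TotpDevice] = field(default_factory=list)

    def add_device(self, name: str, secret: bytes) -> None:
        self.devices.append(TotpDevice(name, secret))

    def retire_device(self, name: str, now: int) -> None:
        """Mark a lost or obsolete device by setting its expiration instead of
        deleting it, so the credential history is preserved."""
        for dev in self.devices:
            if dev.name == name and dev.is_active(now):
                dev.expires_at = now

    def prune_expired(self, now: int, retention: int) -> int:
        """Drop credentials that expired more than `retention` seconds ago.
        Returns the number of credentials removed."""
        before = len(self.devices)
        self.devices = [d for d in self.devices
                        if d.expires_at is None or d.expires_at + retention > now]
        return before - len(self.devices)

    def validate_totp(self, code: str, now: int, window: int = 1) -> Optional[str]:
        """Check the code against every active device, not only the first one,
        allowing `window` time steps of clock drift either way.
        Returns the name of the matching device, or None if nothing matches."""
        for dev in self.devices:
            if not dev.is_active(now):
                continue  # expired/retired devices never validate
            for drift in range(-window, window + 1):
                at = now + drift * STEP
                if at < 0:
                    continue
                if hmac.compare_digest(totp(dev.secret, at), code):
                    return dev.name
        return None


def build_sample_account() -> Account:
    """Account with two enrolled devices (constructed sample data)."""
    acct = Account("bill")
    acct.add_device("phone", PHONE_SECRET)
    acct.add_device("tablet", TABLET_SECRET)
    return acct


if __name__ == "__main__":
    now = 59  # RFC 6238 test time; the phone's code at this instant is "287082"
    acct = build_sample_account()
    print("phone code matches:", acct.validate_totp(totp(PHONE_SECRET, now), now))
    print("tablet code matches:", acct.validate_totp(totp(TABLET_SECRET, now), now))
    acct.retire_device("phone", now)
    print("phone after retire:", acct.validate_totp(totp(PHONE_SECRET, now), now))
    print("pruned:", acct.prune_expired(now + 86400 * 30, retention=86400 * 7))
```

Retiring sets `expires_at` rather than deleting, which keeps the history Pedro describes; `prune_expired` is the answer to Bill's growth concern, removing only entries past a retention period. `validate_totp` returns which device matched, which is what an audit log wants when a user has several tokens enrolled.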
