[security-dev] managing OTP
Pedro Igor Silva
psilva at redhat.com
Mon Aug 12 09:38:00 EDT 2013
----- Original Message -----
> From: "Anil Saldhana" <Anil.Saldhana at redhat.com>
> To: security-dev at lists.jboss.org
> Sent: Monday, August 12, 2013 10:23:07 AM
> Subject: Re: [security-dev] managing OTP
> On 08/12/2013 08:20 AM, Bill Burke wrote:
> > On 8/12/2013 6:19 AM, Pedro Igor Silva wrote:
> >> ----- Original Message -----
> >>> From: "Bill Burke" <bburke at redhat.com>
> >>> To: security-dev at lists.jboss.org
> >>> Sent: Sunday, August 11, 2013 8:58:27 AM
> >>> Subject: [security-dev] managing OTP
> >>> There's a few issues with managing credentials. The first is, there is
> >>> no way to remove a credential. This is essential to TOTP as you may end
> >>> up with a lost or obsolete device.
> >>> https://issues.jboss.org/browse/PLINK-236
> >> I missed that too and have discussed that with Shane a long time ago. The
> >> idea is to have a history of all account's credentials.
> > The reason for this is?
> >> If a devices becomes obsolete, you just set expiration date.
> > Its not just TOTP, same with password. Every time a user has a lost
> > password two new obsolete ones are added to the database: temporary
> > one, then a password change. Maybe not such a big deal with a few
> > users, but when you get to tens, hundreds of thousands of users, won't
> > this kind of be a problem?
> There will be thousands of users for PicketLink IDM. As Bolek can
> attest, PL 1.x IDM had that usage.
> Pedro, lets review this password/credential issue.
Let's do this.
> >>> THe 2nd is that for TOTP, you will want to check every device on a
> >>> credential validation rather than just one:
> >>> https://issues.jboss.org/browse/PLINK-237
> >>> Our own VPN allows me to set up multiple tokens. I have one on my
> >>> iphone and ipad just in case I lose one or the other. OUr VPN allows me
> >>> to use either to login in.
> >> Is not a valid option you iterate over user's devices and try each one ?
> > Sure, this is why this is an enhancement.
> security-dev mailing list
> security-dev at lists.jboss.org
More information about the security-dev