[security-dev] Multi Stage Authentication
Bill Burke
bburke at redhat.com
Fri Jan 25 12:20:02 EST 2013
So, you need the concept of a session. Something you don't need in the
web tier, but will need in other tiers.
On 1/25/2013 11:47 AM, Anil Saldhana wrote:
> Hi All,
> I have been thinking about the multi stage authentication process
> that Bill has been mentioning. Basically, the discussions have been
> confusing between multi mechanism authentication vs multi stage
> authentication.
>
> In multi mechanism authentication, the framework needs to support
> multiple authentication mechanisms such as Credential, X509, OTP, Custom
> etc, given different entry points into the application -> browser,
> mobile, rest etc.
>
> In multi stage authentication, the framework needs to provide hooks to
> define the stages in a complex authentication process for high risk
> applications such as banking, credit etc.
>
> Some of the stages are highlighted here:
> credential ------> Knowledge based authentication (Questions and Answers) ---------------> Index Page
> credential -------> KBA ------------> Mobile SMS Code -------------> Money Transfer Page
>
> credential ------> OTP -----------> Index Page
>
> credential ----------> Index Page ---------> OTP ----------> Money
> Transfer Page
>
> Generically:
> stage1 -------> stage2 -------------> Resource
>
> So if there is an application developer who wishes to incorporate stages
> into the authentication process, he can use the IDM underneath to hold
> the state of the stages, and he will also need hooks for defining the
> authentication type for each stage.
>
> Thoughts?
>
> Regards,
> Anil
> _______________________________________________
> security-dev mailing list
> security-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/security-dev
>
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
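The staged flow Anil sketches (stage1 -> stage2 -> Resource) and the session state Bill says is needed to hold stage progress, as an added illustration that is not code from this thread or from the project under discussion. The stage names, the resource-to-chain mapping, the per-stage verifiers with their fake secrets, and the lockout threshold are all constructed assumptions; a real deployment would back the verifiers with the IDM and keep the session in the server-side store.

```python
"""Constructed example: server-side session tracking a multi-stage authentication chain."""
import hmac
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

# Stage identifiers are constructed; the mail only names them as diagram labels.
CREDENTIAL, KBA, SMS = "credential", "kba", "sms"

# Constructed stand-ins for the real mechanisms (password store, KBA answers,
# SMS code delivery). Every secret here is fake and exists only for the demo.
_FAKE_SECRETS = {CREDENTIAL: "correct-horse", KBA: "first-pet:rex", SMS: "482913"}


def _make_verifier(stage: str) -> Callable[[str], bool]:
    expected = _FAKE_SECRETS[stage].encode()
    # Constant-time compare so a verifier never leaks how much of a proof matched.
    return lambda proof: hmac.compare_digest(proof.encode(), expected)


STAGE_VERIFIERS: Dict[str, Callable[[str], bool]] = {s: _make_verifier(s) for s in _FAKE_SECRETS}

# Resource -> ordered chain of stages, mirroring "stage1 -> stage2 -> Resource".
# The concrete mapping is constructed from the two diagrams in the mail.
RESOURCE_CHAINS: Dict[str, List[str]] = {
    "/index": [CREDENTIAL, KBA],
    "/transfer": [CREDENTIAL, KBA, SMS],
}

MAX_FAILURES = 3  # constructed lockout threshold


@dataclass
class AuthSession:
    """What the session must remember between stages: who is authenticating,
    which stages they have passed, and how many verifications have failed."""
    principal: str
    completed: List[str] = field(default_factory=list)
    failures: int = 0
    locked: bool = False

    def next_stage(self, resource: str) -> Optional[str]:
        """First stage in the resource's chain not yet completed, or None."""
        for stage in RESOURCE_CHAINS[resource]:
            if stage not in self.completed:
                return stage
        return None

    def attempt(self, resource: str, stage: str, proof: str) -> bool:
        """Try to complete one stage toward a resource.

        A stage can only be completed when it is the next one owed for that
        resource, so a client cannot skip ahead to SMS without KBA, and a
        stage already passed for /index (credential, KBA) carries over to
        /transfer, matching the "Index Page -> OTP -> Money Transfer" flow.
        """
        if self.locked:
            return False
        if self.next_stage(resource) != stage:
            return False  # out of order or already completed
        if not STAGE_VERIFIERS[stage](proof):
            self.failures += 1
            if self.failures >= MAX_FAILURES:
                self.locked = True
            return False
        self.completed.append(stage)
        return True

    def authorized(self, resource: str) -> bool:
        """True only when every stage in the resource's chain has been passed."""
        return not self.locked and self.next_stage(resource) is None


def walk_transfer_flow() -> List[str]:
    """Drive one session through both chains and return the decisions made."""
    s = AuthSession("alice")
    trace = []
    trace.append(f"skip-to-kba:{s.attempt('/index', KBA, 'first-pet:rex')}")
    trace.append(f"credential:{s.attempt('/index', CREDENTIAL, 'correct-horse')}")
    trace.append(f"index-before-kba:{s.authorized('/index')}")
    trace.append(f"kba:{s.attempt('/index', KBA, 'first-pet:rex')}")
    trace.append(f"index:{s.authorized('/index')}")
    trace.append(f"transfer-before-sms:{s.authorized('/transfer')}")
    trace.append(f"sms:{s.attempt('/transfer', SMS, '482913')}")
    trace.append(f"transfer:{s.authorized('/transfer')}")
    return trace


if __name__ == "__main__":
    for line in walk_transfer_flow():
        print(line)
```

The point the session object makes concrete is that stage completion is recorded server-side and checked against the chain owed for the specific resource, so the web tier never has to trust a client's claim about which stages it has already passed.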