[security-dev] Multi Stage Authentication
Anil.Saldhana at redhat.com
Fri Jan 25 12:33:38 EST 2013
Right. Session is the key. We did have a discussion that coincided
with your thoughts.
(10:55:43 AM) asaldhan: psilva: is my email clear or do I need to add more
(10:56:12 AM) psilva: asaldhan: for me it is clear.
(10:58:20 AM) psilva: asaldhan: i think the credential api can support
multi stage authentication. But you need to create a custom
(10:58:29 AM) asaldhan: psilva: right
(10:58:35 AM) asaldhan: psilva: but we do not have stage hooks
(10:59:09 AM) asaldhan: psilva: like setStage(1,
(10:59:24 AM) asaldhan: pbox
(10:59:28 AM) psilva: i see ...
(11:04:04 AM) psilva: let's take the bank example. when you receive an
SMS with a code to proceed with your transaction. before sending the SMS
you update a specific credential type with an expiry date (eg.: 1 hr).
The app redirects the user to a page where he must fill in the code. The
user types the code and submits it to the app. The app gets the code and tries
to validate the credential. If the code is correct and the user is inside
the valid period, fine.
(11:05:02 AM) psilva: this scenario is possible, i think, using what the
(11:09:27 AM) asaldhan: psilva: it is not the IDM but I think we have to
deal with something at the session level
(11:09:43 AM) asaldhan: psilva: like the session needs to store the
current stage the user has reached.
(11:09:57 AM) asaldhan: psilva: the IDM can hold the stages the
(11:10:10 AM) asaldhan: psilva: but for each user, the current state is
held at the session level
(11:10:14 AM) psilva: asaldhan: got your point.
(11:10:34 AM) asaldhan: psilva: I don't think we need this usecase
implemented right now. we have to do it post pb5
(11:10:42 AM) psilva: asaldhan: pbox can handle that.
(11:10:44 AM) psilva: asaldhan: ok
(11:11:03 AM) asaldhan: psilva: since the session supports attributes, I
think it can support this.
(11:11:33 AM) asaldhan: psilva: but developer needs to define
(11:11:42 AM) asaldhan: psilva: that information needs to sit in the IDM IMO
(11:11:53 AM) asaldhan: psilva: maybe Agent.attributes can be used for now
(11:12:11 AM) psilva: asaldhan: seems like a workflow management ...
(11:12:17 AM) asaldhan: psilva: right
(11:12:40 AM) asaldhan: psilva: IDM processes are workflows
(11:13:15 AM) psilva: asaldhan: maybe some integration with jbpm :)
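A sketch of the split discussed above: the IDM holds the stage definitions per protected resource, the session's attributes hold which stages this user has passed, and the SMS code is a stored, hashed credential with an expiry. This is an added illustration and not PicketBox/PicketLink code; the stage names, the `STAGE_CHAINS` table, the `Session` class and the 1-hour TTL are assumptions taken from the bank example in the chat.

```python
import hashlib
import hmac
import secrets
import time

# Constructed stand-in for what the IDM would hold: each protected resource
# maps to the ordered chain of stages it requires (assumed names).
STAGE_CHAINS = {
    "index": ("password", "kba"),
    "transfer": ("password", "kba", "sms"),
}

SMS_CODE_TTL = 3600  # seconds; the "1 hr" expiry from the bank example


class SmsCodeCredential:
    """One-time SMS code with an expiry, stored only as a hash."""

    def __init__(self, ttl=SMS_CODE_TTL, now=time.time):
        self.ttl = ttl
        self.now = now          # injectable clock so expiry can be tested
        self._digest = None
        self._expires_at = 0.0

    def issue(self):
        """Generate a fresh 6-digit code, record its hash and expiry, and
        return the plaintext so the caller can send it over SMS."""
        code = f"{secrets.randbelow(10**6):06d}"
        self._digest = hashlib.sha256(code.encode()).digest()
        self._expires_at = self.now() + self.ttl
        return code

    def validate(self, submitted):
        """True only if a code is outstanding, unexpired and matches.
        An expired code is discarded; a matching code is consumed (single use)."""
        if self._digest is None:
            return False
        if self.now() > self._expires_at:
            self._digest = None
            return False
        ok = hmac.compare_digest(hashlib.sha256(submitted.encode()).digest(), self._digest)
        if ok:
            self._digest = None
        return ok


class Session:
    """Minimal session: an attribute records the stages this user has passed."""

    def __init__(self):
        self.attributes = {"auth.stages_passed": []}

    def stages_passed(self):
        return list(self.attributes["auth.stages_passed"])

    def mark_passed(self, stage):
        if stage not in self.attributes["auth.stages_passed"]:
            self.attributes["auth.stages_passed"].append(stage)


def next_stage(session, resource):
    """First stage in the resource's chain the session has not passed,
    or None when the session may reach the resource."""
    passed = session.stages_passed()
    for stage in STAGE_CHAINS[resource]:
        if stage not in passed:
            return stage
    return None


def complete_stage(session, resource, stage, verifier):
    """Run verifier() for `stage` and record it in the session, but only if it
    is the next required stage for the resource, so stages cannot be skipped."""
    if next_stage(session, resource) != stage:
        return False
    if not verifier():
        return False
    session.mark_passed(stage)
    return True


def demo_transfer_flow():
    """Walk the 'credential -> KBA -> SMS code -> Money Transfer Page' chain."""
    clock = [1_000.0]                                   # fake clock (constructed)
    session = Session()
    sms = SmsCodeCredential(now=lambda: clock[0])
    result = {}

    result["first_stage"] = next_stage(session, "transfer")
    # Stage order is enforced: SMS cannot be completed before password/KBA.
    result["skip_rejected"] = not complete_stage(session, "transfer", "sms", lambda: True)
    # Stage 1 and 2 use constructed checks; a real one verifies a stored hash.
    complete_stage(session, "transfer", "password",
                   lambda: hmac.compare_digest(b"correct horse", b"correct horse"))
    complete_stage(session, "transfer", "kba",
                   lambda: hmac.compare_digest(b"first pet: rex", b"first pet: rex"))
    result["index_reachable"] = next_stage(session, "index") is None
    result["transfer_needs"] = next_stage(session, "transfer")

    # Stage 3: issue a code, let it expire, and confirm it is rejected.
    code = sms.issue()
    clock[0] += SMS_CODE_TTL + 1
    result["expired_rejected"] = not complete_stage(
        session, "transfer", "sms", lambda: sms.validate(code))
    # Re-issue: reject a wrong guess, accept the right code, reject a replay.
    code = sms.issue()
    wrong = "000000" if code != "000000" else "111111"
    result["wrong_rejected"] = not sms.validate(wrong)
    result["sms_passed"] = complete_stage(
        session, "transfer", "sms", lambda: sms.validate(code))
    result["replay_rejected"] = not sms.validate(code)
    result["transfer_reachable"] = next_stage(session, "transfer") is None
    return result
```

The point of the split is that `STAGE_CHAINS` (what the IDM would define) never changes per user, while `Session.attributes` is the only place a user's progress lives; `complete_stage` refuses any stage that is not the next one required, so a client cannot post the SMS code directly and skip KBA.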
On 01/25/2013 11:20 AM, Bill Burke wrote:
> So, you need the concept of a session. Something you don't need in the
> web tier, but will need in other tiers.
> On 1/25/2013 11:47 AM, Anil Saldhana wrote:
>> Hi All,
>> I have been thinking about the multi stage authentication process
>> that Bill has been mentioning. Basically, the discussions have been
>> confusing between multi mechanism authentication vs multi stage authentication.
>> In multi mechanism authentication, the framework needs to support
>> multiple authentication mechanisms such as Credential, X509, OTP, Custom
>> etc, given different entry points into the application -> browser,
>> mobile, rest etc.
>> In multi stage authentication, the framework needs to provide hooks to
>> define the stages in a complex authentication process for high risk
>> applications such as banking, credit etc.
>> Some of the stages are highlighted here:
>> credential -> Knowledge based authentication (Questions and Answers) -> Index Page
>> credential -> KBA -> Mobile SMS Code -> Money Transfer Page
>> credential -> OTP -> Index Page
>> credential -> Index Page -> OTP -> Money Transfer Page
>> stage1 -> stage2 -> Resource
>> So if there is an application developer who wishes to incorporate stages
>> into the authentication process, he can use the IDM underneath to hold
>> the state of the stages, and will also need hooks for defining the
>> authentication type for each stage.