On 1/12/2015 10:56 AM, Pedro Igor Silva wrote:
> ----- Original Message -----
>> From: "Bill Burke" <bburke(a)redhat.com>
>> To: keycloak-dev(a)lists.jboss.org
>> Sent: Monday, January 12, 2015 1:39:35 PM
>> Subject: Re: [keycloak-dev] Device registration and verification
>>
>>
>>
>> On 1/12/2015 10:06 AM, Pedro Igor Silva wrote:
>>> ----- Original Message -----
>>>> From: "Stian Thorgersen" <stian(a)redhat.com>
>>>> To: "Pedro Igor Silva" <psilva(a)redhat.com>
>>>> Cc: "keycloak dev" <keycloak-dev(a)lists.jboss.org>
>>>> Sent: Monday, January 12, 2015 5:01:35 AM
>>>> Subject: Re: [keycloak-dev] Device registration and verification
>>>>
>>>>
>>>>
>>>> ----- Original Message -----
>>>>> From: "Pedro Igor Silva" <psilva(a)redhat.com>
>>>>> To: "Stian Thorgersen" <stian(a)redhat.com>
>>>>> Cc: "keycloak dev" <keycloak-dev(a)lists.jboss.org>
>>>>> Sent: Friday, 9 January, 2015 4:09:51 PM
>>>>> Subject: Re: [keycloak-dev] Device registration and verification
>>>>>
>>>>> ----- Original Message -----
>>>>>> From: "Stian Thorgersen" <stian(a)redhat.com>
>>>>>> To: "Pedro Igor Silva" <psilva(a)redhat.com>
>>>>>> Cc: "keycloak dev" <keycloak-dev(a)lists.jboss.org>
>>>>>> Sent: Friday, January 9, 2015 11:29:01 AM
>>>>>> Subject: Re: [keycloak-dev] Device registration and verification
>>>>>>
>>>>>>
>>>>>>
>>>>>> ----- Original Message -----
>>>>>>> From: "Pedro Igor Silva" <psilva(a)redhat.com>
>>>>>>> To: "Stian Thorgersen" <stian(a)redhat.com>
>>>>>>> Cc: "keycloak dev" <keycloak-dev(a)lists.jboss.org>
>>>>>>> Sent: Friday, 9 January, 2015 12:44:20 PM
>>>>>>> Subject: Re: [keycloak-dev] Device registration and verification
>>>>>>>
>>>>>>> ----- Original Message -----
>>>>>>>> From: "Stian Thorgersen" <stian(a)redhat.com>
>>>>>>>> To: "Pedro Igor Silva" <psilva(a)redhat.com>
>>>>>>>> Cc: "keycloak dev" <keycloak-dev(a)lists.jboss.org>
>>>>>>>> Sent: Friday, January 9, 2015 5:02:16 AM
>>>>>>>> Subject: Re: [keycloak-dev] Device registration and verification
>>>>>>>>
>>>>>>>> Requiring email seems unnecessary and awkward to me. The normal flow I've
>>>>>>>> seen (at least on Android) is that you simply login with your username and
>>>>>>>> password on the device. You can then go into your account later and list
>>>>>>>> devices that are registered.
>>>>>>>
>>>>>>> I was thinking more about browser-based scenarios. Mobile behaves differently
>>>>>>> but similarly. In any case, the idea is to secure the user account based on the
>>>>>>> devices he usually uses to access something. If that changes, it might be a
>>>>>>> threat.
>>>>>>
>>>>>> Sure, but what you're actually talking about here is using email as a 2nd
>>>>>> factor authentication right?
>>>>>
>>>>> No. Email is not a 2nd factor authentication, but the code itself. Email is
>>>>> just how you send the code and also how you alert the user that someone is
>>>>> trying to access his account from a not recognized device. In this case, the
>>>>> code is just an "activation code" (not an authentication code), we can even
>>>>> remove the code and just provide a confirmation link, for instance.
>>>>>
>>>>> This is not about authenticating users, but authorization. Allowing access
>>>>> only from devices previously approved by the user. Let's say you usually
>>>>> access your bank from your home computer. But for some reason, you need
>>>>> temporary access from a LAN house computer. You probably don't want to allow
>>>>> access from LAN house computers later on.
>>>>>
>>>>>>
>>>>>> My plan was that we'd have more ways to do 2nd factor auth (sms, email,
>>>>>> google authenticator, yubikey, custom) and have an option on a realm to
>>>>>> enable "trusted" devices. If the realm has trusted devices enabled then the
>>>>>> user only has to use the 2nd factor authentication say every 30 days or so.
>>>>>
>>>>> What I'm proposing is another security layer, which can be used together with
>>>>> 2nd factor authentication.
>>>>
>>>> I see no difference, except for implementation details
>>>
>>> There is a difference. Usually you see this feature in bank sites. Or even
>>> in SalesForce if you try it out. It helps providers to increase security
>>> by allowing access only from devices authorized by the user. You can even
>>> not use 2nd factor authentication at all.
>>>
>>
>> How is this different than a "remember me" button?
>
> "Remember me" will allow you to get authenticated. But if you provided only
> temporary access from that device, you will not be able to proceed even with
> "remember me" checked. However, if that device was approved for you and marked
> as "trusted" you will be fine.
>
> This is not about authentication, but authorization ....

Remember me is the same thing as authorizing your browser/machine.
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
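As an added illustration of the distinction Pedro draws in the thread (authenticating a user versus authorizing the device the request comes from), the following is constructed example code, not Keycloak's implementation and not code from any participant. The class and function names (`DeviceRegistry`, `request_activation`, `activate`, `is_authorized`, `login`), the in-memory store and the out-of-band activation code are all assumptions made for the example; Keycloak's actual "remember me" and device handling are not modelled.

```python
"""Toy model of a device-authorization layer that sits after authentication.

Constructed example (not Keycloak code). Assumed design:
  - an unknown device seen after a successful login gets an activation code,
    delivered out of band (the thread uses email), which doubles as the alert
    that someone is trying to use the account from a new device;
  - the user approves the device either as TRUSTED (indefinitely, the "home
    computer") or as TEMPORARY with an expiry (the "LAN house computer");
  - "remember me" only affects authentication and never replaces approval.
"""
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

TRUSTED = "trusted"       # approved until the user revokes it
TEMPORARY = "temporary"   # approved until expires_at

Key = Tuple[str, str]     # (user, device_id)


@dataclass
class DeviceRecord:
    status: str
    expires_at: Optional[float] = None


@dataclass
class DeviceRegistry:
    approved: Dict[Key, DeviceRecord] = field(default_factory=dict)
    pending: Dict[Key, str] = field(default_factory=dict)   # activation codes

    def request_activation(self, user: str, device_id: str) -> str:
        """Mint an activation code for an unrecognized device.

        The caller is responsible for sending it out of band (email in the
        thread). Returning it here is only so the example can be exercised.
        """
        code = secrets.token_urlsafe(16)
        self.pending[(user, device_id)] = code
        return code

    def activate(self, user: str, device_id: str, code: str, trusted: bool,
                 now: float, ttl_seconds: float = 0) -> bool:
        """Approve the device if the presented code matches the pending one."""
        expected = self.pending.get((user, device_id))
        # Constant-time comparison so a wrong code leaks nothing via timing.
        if expected is None or not hmac.compare_digest(expected, code):
            return False
        del self.pending[(user, device_id)]
        if trusted:
            self.approved[(user, device_id)] = DeviceRecord(TRUSTED)
        else:
            self.approved[(user, device_id)] = DeviceRecord(TEMPORARY, now + ttl_seconds)
        return True

    def is_authorized(self, user: str, device_id: str, now: float) -> bool:
        rec = self.approved.get((user, device_id))
        if rec is None:
            return False
        if rec.status == TEMPORARY and now >= rec.expires_at:
            # The temporary grant has lapsed: forget it so the device is
            # treated as unknown again on the next login.
            del self.approved[(user, device_id)]
            return False
        return True


def login(registry: DeviceRegistry, user: str, password_ok: bool,
          device_id: str, remember_me: bool, now: float) -> str:
    """Authentication first, then the device check.

    remember_me is accepted but deliberately unused here: in this model it
    would only let the user skip the password prompt next time, which is an
    authentication convenience, not an authorization decision.
    """
    if not password_ok:
        return "denied: bad credentials"
    if not registry.is_authorized(user, device_id, now):
        return "authenticated but device not approved"
    return "ok"


if __name__ == "__main__":
    reg = DeviceRegistry()
    t0 = 1_000_000.0
    print(login(reg, "alice", True, "home-pc", True, t0))
    code = reg.request_activation("alice", "home-pc")
    reg.activate("alice", "home-pc", code, trusted=True, now=t0)
    print(login(reg, "alice", True, "home-pc", False, t0))
```

The point the model makes is the one Pedro argues: a session that is fully authenticated (password correct, "remember me" set) is still refused when the device has no current approval, and a temporary approval stops working on its own once it expires, without the user having to revoke anything.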