----- Original Message -----
From: "Bill Burke" <bburke(a)redhat.com>
To: "Pedro Igor Silva" <psilva(a)redhat.com>
Cc: keycloak-dev(a)lists.jboss.org
Sent: Monday, January 12, 2015 3:32:49 PM
Subject: Re: [keycloak-dev] Device registration and verification
On 1/12/2015 10:56 AM, Pedro Igor Silva wrote:
> ----- Original Message -----
>> From: "Bill Burke" <bburke(a)redhat.com>
>> To: keycloak-dev(a)lists.jboss.org
>> Sent: Monday, January 12, 2015 1:39:35 PM
>> Subject: Re: [keycloak-dev] Device registration and verification
>>
>>
>>
>> On 1/12/2015 10:06 AM, Pedro Igor Silva wrote:
>>> ----- Original Message -----
>>>> From: "Stian Thorgersen" <stian(a)redhat.com>
>>>> To: "Pedro Igor Silva" <psilva(a)redhat.com>
>>>> Cc: "keycloak dev" <keycloak-dev(a)lists.jboss.org>
>>>> Sent: Monday, January 12, 2015 5:01:35 AM
>>>> Subject: Re: [keycloak-dev] Device registration and verification
>>>>
>>>>
>>>>
>>>> ----- Original Message -----
>>>>> From: "Pedro Igor Silva" <psilva(a)redhat.com>
>>>>> To: "Stian Thorgersen" <stian(a)redhat.com>
>>>>> Cc: "keycloak dev" <keycloak-dev(a)lists.jboss.org>
>>>>> Sent: Friday, 9 January, 2015 4:09:51 PM
>>>>> Subject: Re: [keycloak-dev] Device registration and verification
>>>>>
>>>>> ----- Original Message -----
>>>>>> From: "Stian Thorgersen" <stian(a)redhat.com>
>>>>>> To: "Pedro Igor Silva" <psilva(a)redhat.com>
>>>>>> Cc: "keycloak dev" <keycloak-dev(a)lists.jboss.org>
>>>>>> Sent: Friday, January 9, 2015 11:29:01 AM
>>>>>> Subject: Re: [keycloak-dev] Device registration and verification
>>>>>>
>>>>>>
>>>>>>
>>>>>> ----- Original Message -----
>>>>>>> From: "Pedro Igor Silva" <psilva(a)redhat.com>
>>>>>>> To: "Stian Thorgersen" <stian(a)redhat.com>
>>>>>>> Cc: "keycloak dev" <keycloak-dev(a)lists.jboss.org>
>>>>>>> Sent: Friday, 9 January, 2015 12:44:20 PM
>>>>>>> Subject: Re: [keycloak-dev] Device registration and verification
>>>>>>>
>>>>>>> ----- Original Message -----
>>>>>>>> From: "Stian Thorgersen" <stian(a)redhat.com>
>>>>>>>> To: "Pedro Igor Silva" <psilva(a)redhat.com>
>>>>>>>> Cc: "keycloak dev" <keycloak-dev(a)lists.jboss.org>
>>>>>>>> Sent: Friday, January 9, 2015 5:02:16 AM
>>>>>>>> Subject: Re: [keycloak-dev] Device registration and verification
>>>>>>>>
>>>>>>>> Requiring email seems unnecessary and awkward to me. The normal flow
>>>>>>>> I've seen (at least on Android) is that you simply log in with your
>>>>>>>> username and password on the device. You can then go into your
>>>>>>>> account later and list devices that are registered.
>>>>>>>
>>>>>>> I was thinking more about browser-based scenarios. Mobile behaves
>>>>>>> differently but similarly. In any case, the idea is to secure a user
>>>>>>> account based on the devices he usually uses to access something. If
>>>>>>> that changes, it might be a threat.
>>>>>>
>>>>>> Sure, but what you're actually talking about here is using email as a
>>>>>> 2nd factor authentication, right?
>>>>>
>>>>> No. Email is not a 2nd factor authentication, but the code itself. Email
>>>>> is just how you send the code and also how you alert the user that
>>>>> someone is trying to access his account from an unrecognized device. In
>>>>> this case, the code is just an "activation code" (not an authentication
>>>>> code); we can even remove the code and just provide a confirmation link,
>>>>> for instance.
>>>>>
>>>>> This is not about authenticating users, but authorization: allowing
>>>>> access only from devices previously approved by the user. Let's say you
>>>>> usually access your bank from your home computer. But for some reason,
>>>>> you need temporary access from a LAN house computer. You probably don't
>>>>> want to allow access from LAN house computers later on.
>>>>>
>>>>>>
>>>>>> My plan was that we'd have more ways to do 2nd factor auth (sms,
>>>>>> email, google authenticator, yubikey, custom) and have an option on a
>>>>>> realm to enable "trusted" devices. If the realm has trusted devices
>>>>>> enabled then the user only has to use the 2nd factor authentication say
>>>>>> every 30 days or so.
>>>>>
>>>>> What I'm proposing is another security layer, which can be used
>>>>> together with 2nd factor authentication.
>>>>
>>>> I see no difference, except for implementation details
>>>
>>> There is a difference. Usually you see this feature in bank sites. Or
>>> even in SalesForce if you try it out. It helps providers to increase
>>> security by allowing access only from devices authorized by the user. You
>>> don't even need to use 2nd factor authentication at all.
>>>
>>
>> How is this different than a "remember me" button?
>
> "Remember me" will allow you to get authenticated. But if you provided
only
> temporary access from that device, you will not be able to proceed even
> with "remember me" checked. However, if that device was approved for you
> and marked as "trusted" you will be fine.
>
> This is not about authentication, but authorization ....
>
Remember me is the same thing as authorizing your browser/machine.
Yes. But you don't track the devices (or PCs), when your last login from a
device was, define how long you want to "remember" that device or whether you
just want a single access from that computer, receive notifications of access
from unauthorized devices, and so forth. In a sense that is much more than just
seamlessly authenticating the user (and authorizing that computer).
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
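To make the distinction drawn in this thread concrete (a per-device authorization layer that sits after password login and is separate from "remember me"), here is an added Python sketch. It is not Keycloak code and not from any of the participants; the class and method names, the `DeviceRegistry` in-memory store, the `notifications` list standing in for the email alert, the 16-byte activation code and the five-attempt limit are all my own assumptions. It models the behaviours listed above: an unrecognized device is challenged with an activation code and the account owner is alerted, the user can approve the device for a single access or "remember" it for N days, trust expires, every login is recorded, and the account page can list devices with their last login.

```python
"""Toy model of a trusted-device authorization layer (added illustration, not
Keycloak code). The user is assumed to have already authenticated; this layer
decides whether the *device* is allowed to proceed."""
import hmac
import secrets
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

DAY = timedelta(days=1)
MAX_CODE_ATTEMPTS = 5   # assumption: guard the activation code against guessing


@dataclass
class Device:
    device_id: str
    status: str = "pending"            # pending | trusted | single_use | revoked
    activation_code: Optional[str] = None
    attempts: int = 0
    trusted_until: Optional[datetime] = None
    last_login: Optional[datetime] = None


@dataclass
class DeviceRegistry:
    devices: Dict[Tuple[str, str], Device] = field(default_factory=dict)
    notifications: List[str] = field(default_factory=list)  # stand-in for the email alert

    def request_access(self, user: str, device_id: str, now: datetime) -> str:
        """Authorization step after password login: returns 'allow' or 'challenge'."""
        dev = self.devices.get((user, device_id))
        if dev is not None and dev.status == "trusted" and dev.trusted_until > now:
            dev.last_login = now
            return "allow"
        if dev is not None and dev.status == "single_use":
            dev.last_login = now
            dev.status = "revoked"     # one access only; the next visit is challenged again
            return "allow"
        # Unknown, pending, revoked or expired device: issue a fresh activation code
        # and alert the account owner out of band. In a real system the code is only
        # delivered through that channel; here it stays in memory so the demo can read it.
        dev = Device(device_id=device_id,
                     activation_code=secrets.token_urlsafe(16),
                     last_login=dev.last_login if dev else None)
        self.devices[(user, device_id)] = dev
        self.notifications.append(
            f"to {user}: login attempt from unrecognized device {device_id!r} "
            f"at {now:%Y-%m-%d %H:%M}")
        return "challenge"

    def activate(self, user: str, device_id: str, code: str, now: datetime,
                 remember_days: Optional[int] = None) -> bool:
        """Approve a pending device with the code the owner received.
        remember_days=None grants a single access; otherwise trust lasts that many days."""
        dev = self.devices.get((user, device_id))
        if dev is None or dev.status != "pending" or dev.activation_code is None:
            return False
        dev.attempts += 1
        if not hmac.compare_digest(dev.activation_code, code):   # constant-time compare
            if dev.attempts >= MAX_CODE_ATTEMPTS:
                dev.activation_code = None   # burn the code; a new login issues a new one (and a new alert)
            return False
        dev.activation_code = None
        if remember_days is None:
            dev.status = "single_use"
        else:
            dev.status = "trusted"
            dev.trusted_until = now + remember_days * DAY
        return True

    def list_devices(self, user: str) -> List[dict]:
        """What the account page shows: each device, its state and last login."""
        return [{"device_id": d.device_id, "status": d.status,
                 "trusted_until": d.trusted_until, "last_login": d.last_login}
                for (u, _), d in self.devices.items() if u == user]


if __name__ == "__main__":
    reg = DeviceRegistry()
    t0 = datetime(2015, 1, 12, 10, 0)          # constructed timestamp
    print(reg.request_access("alice", "home-pc", t0))          # challenge
    code = reg.devices[("alice", "home-pc")].activation_code
    print(reg.activate("alice", "home-pc", code, t0, remember_days=30))
    print(reg.request_access("alice", "home-pc", t0 + DAY))    # allow
    print(reg.request_access("alice", "home-pc", t0 + 31 * DAY))  # challenge again
    print(reg.notifications)
```

The two knobs the thread argues about map onto `remember_days`: `None` is the "single access from a LAN house computer" case, a number is the "remember this device for 30 days" case, and in both cases the account owner gets a notification the moment an unrecognized device appears, which is the alerting property that "remember me" alone does not give.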