+1.
Adaptive security by itself is not something trivial and it usually implies some complex
event processing, analytics and integration with different sources of information.
Considering that today we need to consider a very heterogeneous environment, where users
are distributed across different regions, with different local policies, using different
devices and with a high demand for information sharing,
adaptive security plays an important role at this regard.
We can extend this functionality not only to authentication/login but also to when
authorizing access to protected resources.
----- Original Message -----
From: "Stian Thorgersen" <sthorger(a)redhat.com>
To: "Marc Boorshtein" <marc.boorshtein(a)tremolosecurity.com>
Cc: "keycloak-dev" <keycloak-dev(a)lists.jboss.org>
Sent: Monday, August 29, 2016 10:48:10 AM
Subject: Re: [keycloak-dev] Adaptive risk login
Doesn't seem adaptive authentication is dead:
https://www.google.no/?ion=1&espv=2#q=adaptive+authentication&tbm...
VPNs are certainly not the solution in all cases as more and more applications are exposed
directly on the Internet every day. Two factor is certainly improving security tenfold,
but there are also issues with those. A token can be lost or compromised. There's
a need for password recovery.
At the end of the day, the more layers of security you have, the less likely you'll get
compromised. VPNs + two factor + adaptive authentication might just combined be enough to
give you the level you need.
We do have adaptive authentication on the radar for Keycloak. There's a fairly good
chance it's something we'll look into for 3.x (2017). As such I'd love to hear
more about what others think about it.
On 28 August 2016 at 14:32, Marc Boorshtein <marc.boorshtein(a)tremolosecurity.com>
wrote:
On Aug 28, 2016 7:56 AM, "Thomas Darimont" <thomas.darimont(a)googlemail.com> wrote:
Hello group,
I just had a look at a nice feature from ForgeRock AM called:
"Adaptive risk login".
Adaptive risk was really popular around 2010 as a multi-factor without a token. Mainly
banks didn't want to hand out RSA SecurID tokens. They used a bunch of factors like your
Flash version, source IP, etc. It turned out to be more trouble than it's worth.
Between the ease of creating soft tokens like TOTP and the popularity of VPNs, the adaptive
risk approach proved to be mostly pointless. The amount of statistical data needed to make
these decisions useful, and the amount of skill needed to configure it, was outweighed by
simpler multi-factor implementations.
Oracle's Adaptive Access Manager, the most notable enterprise adaptive access manager, was
merged into Oracle Access Manager mainly for the couple of alternative login methods, but
the adaptive part has disappeared. My guess is this was a "me too"/checkbox
feature. I've done several ForgeRock implementations and this comes up as a
theoretical discussion but never goes beyond that.
I've seen a few machine learning based approaches to authentication, but they go well
beyond tracking a risk score, more behavior tracking stuff. The couple I've seen end
up integrating via SAML or OIDC anyway, so there wouldn't be much to do on the kc
side.
_______________________________________________
keycloak-dev mailing list
keycloak-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-dev