----- Original Message -----
From: "Bill Burke" <bburke(a)redhat.com>
To: "Stian Thorgersen" <stian(a)redhat.com>
Cc: keycloak-dev(a)lists.jboss.org
Sent: Tuesday, 13 August, 2013 1:12:52 PM
Subject: Re: [keycloak-dev] credential management
On 8/13/2013 7:36 AM, Stian Thorgersen wrote:
>> I like the idea of never allowing admins to see passwords. Temporary
>> passwords are not very nice. It would require always having a
>> verified means to communicate with the user though (email, SMS, others?).
>>
> How can you implement forgot credentials then without a verified means
> to communicate with the user? (email, sms, *AND* voice).

I think it's an acceptable requirement that users provide some verified means of
communicating with them. In the event that a user has lost access to whatever that was
(for example they've changed ISPs and lost their ISP-provided email), the user would have
to call or contact support to have them change the associated contact mechanism (which
would require them to answer some horrible security questions).

> I wonder how admins feel about the "Security Questions" (i.e. mother's
> maiden name)? Then there would be no need to send an email.

I think recovering an account without access to whatever verified contact details they
provided when creating the account should only be possible by manually contacting support.
For example there aren't many colours in the world, so brute-forcing that would be
incredibly simple.

>> We should also have an option on the realm that self-registered users are
>> required to confirm their email address (send email with verification
>> link).
>>
> Lol, this will be one long-ass oauth redirection protocol and client_id,
> state, redirect_uri etc... parameters are gonna be passed around over
> and over....

Yes, it could be tricky with oauth, but it is a common requirement that users verify their
email address when registering so it needs to be supported somehow.

>> Thinking about security issues, at the moment the login form shows an error
>> message that says username is invalid. This allows attackers to confirm
>> the existence of user accounts which is not good. It should simply state
>> "invalid username/password".
>>
> K, logged a JIRA:
> https://issues.jboss.org/browse/KEYCLOAK-31
>
>> ----- Original Message -----
>>> From: "Bill Burke" <bburke(a)redhat.com>
>>> To: keycloak-dev(a)lists.jboss.org
>>> Sent: Monday, 12 August, 2013 10:12:31 PM
>>> Subject: [keycloak-dev] credential management
>>>
>>> Registration
>>> * new password and password confirmation
>>> * TOTP secret and QR generation and confirmation.
>>>
>>> Forgot password
>>> * Email sent to user with URL enclosed
>>> * If required by realm, ask one or more random questions i.e.:
>>> - What is your mother's maiden name?
>>> - What are the last 4 digits of your social security number?
>>> - What is the name of your first pet?
>>> - When did you lose your virginity?
>>> - What is your birthday?
>>> * User enters new password and confirmation
>>>
>>> Change Password:
>>> * Old Password
>>> * New Password
>>> * Confirm new Password
>>>
>>> Lost Authenticator
>>> * Admin must create a temporary token and speak it to user
>>> * User can log in with this temporary token and head to their account
>>> management page. Token expires after a certain amount of time.
>>> or
>>> * Ask one or more random questions as in Forgot password
>>>
>>> Admin user creation:
>>> * Email with a link is sent to user. Link prompts user for credential
>>> set up.
>>> * Or. Generate a temporary password that must be reset by the user on next
>>> login. Temporary password is spoken to user or given to them by some
>>> other means.
>>>
>>>
>>> When a user logs in keycloak must check to see if
>>> * A temporary password was created and the user must enter a new one
>>> * Registration is incomplete and new credentials must be set up, i.e. an
>>> authenticator.
>>>
>>> Are there any security holes here? One idea I have is that the admin
>>> would never ever see a credential. For user creation, a temporary
>>> password is emailed to the user and never seen by the admin or the user
>>> would have to register.
>>>
>>>
>>> --
>>> Bill Burke
>>> JBoss, a division of Red Hat
>>> http://bill.burkecentral.com
>>> _______________________________________________
>>> keycloak-dev mailing list
>>> keycloak-dev(a)lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>>>
> --
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com
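As an added example (not code from this thread and not Keycloak's own implementation), here is a small Python login check that illustrates two points raised above: the KEYCLOAK-31 fix, where the login form returns the same generic "invalid username/password" response for an unknown user and for a wrong password (and spends the same hashing work in both cases, so response timing does not distinguish them either), and Bill's list of post-login checks, where a time-limited temporary password must be replaced on next login and incomplete registration (unverified email, no authenticator) is surfaced as required actions. The in-memory store, the User/Realm fields, the PBKDF2 parameters and the action names are assumptions made for illustration.

```python
import hashlib
import hmac
import os
import time
from dataclasses import dataclass, field
from typing import Optional

# Everything below is a constructed illustration: the store, the User/Realm
# fields and the required-action names are assumptions, not Keycloak's own.

PBKDF2_ITERATIONS = 100_000
GENERIC_FAILURE = "Invalid username or password."


def hash_password(password: str, salt: Optional[bytes] = None):
    """Salted PBKDF2-HMAC-SHA256; returns (salt, digest)."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


@dataclass
class User:
    username: str
    salt: bytes
    digest: bytes
    temporary: bool = False        # credential must be replaced on next login
    temp_expires_at: float = 0.0   # epoch seconds; only used when temporary is True
    email_verified: bool = True
    totp_configured: bool = True


@dataclass
class Realm:
    require_verified_email: bool = False
    require_totp: bool = False
    users: dict = field(default_factory=dict)


# Decoy credential: an unknown username costs the same PBKDF2 work as a wrong
# password, so response time does not reveal whether the account exists.
_DECOY_SALT, _DECOY_DIGEST = hash_password("decoy-not-a-real-password")


def create_user_with_temporary_password(realm: Realm, username: str, temp_password: str,
                                        ttl_seconds: float, now: Optional[float] = None) -> None:
    """Admin-side creation: the temporary credential is time-limited and
    flagged so the user is forced to replace it on first login."""
    now = time.time() if now is None else now
    salt, digest = hash_password(temp_password)
    realm.users[username] = User(username, salt, digest, temporary=True,
                                 temp_expires_at=now + ttl_seconds,
                                 email_verified=False, totp_configured=False)


def login(realm: Realm, username: str, password: str, now: Optional[float] = None) -> dict:
    """Authenticate and report the actions the user must complete before
    they are let into the account."""
    now = time.time() if now is None else now
    user = realm.users.get(username)
    if user is None:
        hash_password(password, _DECOY_SALT)        # same cost as a real check
        return {"ok": False, "error": GENERIC_FAILURE}
    _, candidate = hash_password(password, user.salt)
    if not hmac.compare_digest(candidate, user.digest):
        return {"ok": False, "error": GENERIC_FAILURE}   # never "unknown user"
    if user.temporary and now > user.temp_expires_at:
        # The user proved knowledge of the credential, so naming the reason here
        # leaks nothing about account existence that they did not already have.
        return {"ok": False, "error": "Temporary password has expired; contact an administrator."}
    actions = []
    if user.temporary:
        actions.append("UPDATE_PASSWORD")
    if realm.require_verified_email and not user.email_verified:
        actions.append("VERIFY_EMAIL")
    if realm.require_totp and not user.totp_configured:
        actions.append("CONFIGURE_TOTP")
    return {"ok": True, "required_actions": actions}


if __name__ == "__main__":
    realm = Realm(require_verified_email=True, require_totp=True)
    create_user_with_temporary_password(realm, "alice", "tmp-pass", ttl_seconds=3600, now=1000.0)
    print(login(realm, "nobody", "anything", now=1000.0))   # generic failure
    print(login(realm, "alice", "wrong", now=1000.0))       # identical generic failure
    print(login(realm, "alice", "tmp-pass", now=1000.0))    # ok, three required actions
    print(login(realm, "alice", "tmp-pass", now=9000.0))    # temporary password expired
```

The unknown-user and wrong-password branches return byte-for-byte the same dictionary, which is what a caller rendering the login page should rely on; the decoy hash keeps the two branches close in cost as well. The required-action list is the hook for the realm-level options discussed in the thread: which actions are appended depends only on realm settings and the user's own state, never on anything the admin saw.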