Hello group, 

I just had a look at a nice feature from ForgeRock AM called:
"Adaptive risk login".

From the book "Open Source Identity Management Patterns using OpenAM 10.x":
"Adaptive Risk authentication allows OpenAM to determine the risk of a particular
authentication, and decide whether additional authentication steps are required due
to the risk."

"The Adaptive Risk module has a risk threshold that is set manually, and by default
is set to 1. There are a variety of different authentication risks which are each
given a score. If the value of the score meets or exceeds the risk threshold, then the
authentication fails."

- Risk Threshold exceeded - if inherent risk for a particular (client login) exceeds threshold
- Failed Authentications - if user had failed authentications recently raise risk
- IP Address Range - if IP not in IP range raise risk
- IP Address History - if IP not in IP address history raise risk
- Known cookie - if a certain cookie + value not present raise risk
- Device cookie - if not a known or trusted device raise risk
- Time since last login - if last login > x days raise risk
- Profile attribute - if a profile (user) attribute is set raise risk
- GeoLocation - if IP geolocation based on http://www.maxmind.com/app/country is not from a certain area raise risk
- RequestHeader - if certain request header is not present raise risk

These checks can be combined / inverted which provides one with a flexible system to specify rules.

I think a functionality like that would be a great addition to Keycloak. Some of this
functionality is already partially possible with Keycloak but only for some authenticators.
Would be great to have more general support in that regard.

Cheers,
Thomas
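
The scoring model described in the message above, as an added example that is not part of the original post and is neither OpenAM nor Keycloak code: each check contributes a score, a check can be inverted, and the module fails when the sum meets or exceeds the threshold. The check names, scores, IP ranges, cookie value and sample logins are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Callable

@dataclass
class Login:  # constructed model of one login attempt
    ip: str
    recent_failures: int
    ip_history: frozenset
    cookies: dict
    last_login: datetime
    now: datetime

@dataclass
class Check:
    name: str
    risky: Callable[[Login], bool]  # True when the risk condition holds
    score: int = 1
    invert: bool = False            # flip the result of the condition

    def points(self, login: Login) -> int:
        return self.score if self.risky(login) != self.invert else 0

def in_range(ip: str, cidr: str) -> bool:
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr)

# Hypothetical policy: every name, score, range and cookie value is an assumption.
CHECKS = [
    Check("failed_auth", lambda a: a.recent_failures > 0, score=2),
    Check("ip_range", lambda a: not in_range(a.ip, "10.0.0.0/8")),
    Check("ip_history", lambda a: a.ip not in a.ip_history),
    Check("device_cookie", lambda a: a.cookies.get("device") != "trusted-laptop"),
    Check("last_login", lambda a: a.now - a.last_login > timedelta(days=30)),
    # Inverted check: being INSIDE the constructed guest Wi-Fi range raises risk.
    Check("guest_wifi", lambda a: not in_range(a.ip, "10.99.0.0/16"), invert=True),
]

def evaluate(login: Login, checks=CHECKS, threshold: int = 1):
    """Return (total score, module fails?, names of checks that raised risk)."""
    fired = [(c.name, c.points(login)) for c in checks]
    total = sum(p for _, p in fired)
    return total, total >= threshold, [n for n, p in fired if p]

NOW = datetime(2024, 1, 31, 9, 0)  # constructed sample logins
office = Login("10.1.2.3", 0, frozenset({"10.1.2.3"}), {"device": "trusted-laptop"},
               NOW - timedelta(days=1), NOW)
abroad = Login("203.0.113.7", 3, frozenset({"10.1.2.3"}), {},
               NOW - timedelta(days=45), NOW)
guest = Login("10.99.4.4", 0, frozenset({"10.99.4.4"}), {"device": "trusted-laptop"},
              NOW - timedelta(days=1), NOW)
```

A failed result is what a login flow would use to require an additional authentication step; returning the names of the checks that fired gives the audit log something to record.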