----- Original Message -----
From: "Bill Burke" <bburke(a)redhat.com>
To: "Stian Thorgersen" <stian(a)redhat.com>, "Pedro Igor Silva"
<psilva(a)redhat.com>
Cc: keycloak-dev(a)lists.jboss.org
Sent: Tuesday, January 13, 2015 12:35:18 PM
Subject: Re: [keycloak-dev] Device registration and verification
On 1/12/2015 1:10 PM, Stian Thorgersen wrote:
>> In a sense that is much more than just seamless authenticate (and
>> authorize
>> that computer) the user.
>
> I'm curious to see what you're proposing in a real system, but to me it
> sounds like it's similar enough that a remember me and multi factor auth
> mechanism would have the same level of security without complicating
> things for the user.
>
I don't think we need any special device registration and verification
for users. Any type of client registration should be done by app devs,
not users.
For browsers, "remember me" and a persistent cookie is good enough. For
mobile and native apps, a refresh token can be stored. We should
probably have per-client overrides for things like access and refresh
token timeouts. We'll eventually add Client IP features so that a user
doesn't have to use 2-factor auth if they are logging in from the same
device from the same IP.
My proposal is all based on browsers, people using their desktops. So you can have an
alias for a computer and use a cookie + IP (or even track information from the user-agent)
to support the features I suggested before. If IP changed or user is using an unrecognized
user-agent you notify the user. Sometimes this sucks, because your IP may change often
depending on your network, but I think it is a nice feature to have.
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
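The thread above sketches a "remember this computer" scheme: a persistent cookie identifies the browser, and the client IP and user-agent decide whether to skip the second factor or notify the user. The following is an added example of one way to implement that decision, written for this page; it is not Keycloak code and not code from anyone in the thread. The HMAC-signed cookie format, the per-device alias, the /24 (IPv4) and /64 (IPv6) network heuristic, and the function names are all assumptions of the example.

```python
"""Known-device check for a login flow (added example, not Keycloak code).

A signed 'remember this computer' cookie names a registered browser. On login
the cookie, the client IP network and the user-agent decide whether a second
factor is required and whether the user should be told that something changed.
"""
import hashlib
import hmac
import ipaddress
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Assumption: a per-realm secret. In production load it from a key store.
SERVER_KEY = secrets.token_bytes(32)


@dataclass
class KnownDevice:
    user: str
    alias: str      # user-visible name for the computer, e.g. "work laptop"
    network: str    # client network seen at registration, e.g. "203.0.113.0/24"
    ua_hash: str    # sha256 of the user-agent string seen at registration


def _ua_hash(user_agent: str) -> str:
    return hashlib.sha256(user_agent.encode()).hexdigest()


def _network(ip: str) -> str:
    """Collapse the address to a prefix so ordinary DHCP churn inside one ISP
    block is not treated as a new location. The prefix lengths are assumptions;
    tune them for your user base (the thread notes IPs change often)."""
    addr = ipaddress.ip_address(ip)
    prefix = 24 if addr.version == 4 else 64
    return str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False))


def issue_device_cookie(device_id: str, key: bytes = SERVER_KEY) -> str:
    """Cookie value is id.HMAC-SHA256(id); the tag stops a client from
    forging a cookie that names some other registered device."""
    tag = hmac.new(key, device_id.encode(), hashlib.sha256).hexdigest()
    return f"{device_id}.{tag}"


def parse_device_cookie(cookie: Optional[str], key: bytes = SERVER_KEY) -> Optional[str]:
    """Return the device id if the cookie carries a valid tag, else None."""
    if not cookie or "." not in cookie:
        return None
    device_id, tag = cookie.rsplit(".", 1)
    expected = hmac.new(key, device_id.encode(), hashlib.sha256).hexdigest()
    return device_id if hmac.compare_digest(tag, expected) else None


def register_device(registry: Dict[str, KnownDevice], user: str, alias: str,
                    ip: str, user_agent: str, key: bytes = SERVER_KEY) -> str:
    """Called after a successful second factor: remember this browser under a
    user-chosen alias and return the cookie value to set."""
    device_id = secrets.token_urlsafe(16)
    registry[device_id] = KnownDevice(user, alias, _network(ip), _ua_hash(user_agent))
    return issue_device_cookie(device_id, key)


def evaluate_login(registry: Dict[str, KnownDevice], user: str, cookie: Optional[str],
                   ip: str, user_agent: str, key: bytes = SERVER_KEY) -> Tuple[bool, Optional[str]]:
    """Return (require_second_factor, notice).

    notice is None or a short message to send the user about what changed.
    Same cookie, same network, same user-agent: skip the second factor.
    Anything else: require it, and notify when a known device is involved."""
    device_id = parse_device_cookie(cookie, key)
    device = registry.get(device_id) if device_id else None
    if device is None:
        # Missing or forged cookie: unknown browser, just ask for the factor.
        return True, None
    if device.user != user:
        # Valid cookie for another account: shared machine or stolen cookie.
        return True, f"login from '{device.alias}', a device registered to a different account"
    changes = []
    if _network(ip) != device.network:
        changes.append(f"new network {_network(ip)} (was {device.network})")
    if _ua_hash(user_agent) != device.ua_hash:
        changes.append("unrecognized browser (user-agent changed)")
    if not changes:
        return False, None
    return True, f"login on '{device.alias}' with " + "; ".join(changes)


if __name__ == "__main__":
    # Constructed sample data: one registered laptop, then four login attempts.
    registry: Dict[str, KnownDevice] = {}
    ua = "Mozilla/5.0 (X11; Linux x86_64; rv:34.0) Gecko/20100101 Firefox/34.0"
    cookie = register_device(registry, "alice", "work laptop", "203.0.113.42", ua)
    print(evaluate_login(registry, "alice", cookie, "203.0.113.77", ua))   # same /24: no 2FA
    print(evaluate_login(registry, "alice", None, "203.0.113.77", ua))     # no cookie: 2FA
    print(evaluate_login(registry, "alice", cookie, "198.51.100.9", ua))   # new network: 2FA + notice
    print(evaluate_login(registry, "bob", cookie, "203.0.113.42", ua))     # other account: 2FA + notice
```

The cookie alone only proves "this browser was registered once"; binding it to the network and user-agent is what turns it into the weaker-but-convenient signal the thread describes, and the HMAC tag is what keeps an attacker from guessing device ids. Exact user-agent matching will trip on every browser update, so a real deployment would compare a coarser fingerprint.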