On 1/13/2015 9:35 AM, Bill Burke wrote:
On 1/12/2015 1:10 PM, Stian Thorgersen wrote:
>> In a sense that is much more than just seamless authenticate (and authorize
>> that computer) the user.
> I'm curious to see what you're proposing in a real system, but to me it
> sounds like it's similar enough that a remember me and multi factor auth mechanism
> would have the same level of security without complicating things for the user.
>
I don't think we need any special device registration and verification
for users. Any type of client registration should be done by app devs,
not users.
For browsers, "remember me" and a persistent cookie is good enough. For
mobile and native apps, a refresh token can be stored. We should
probably have per-client overrides for things like access and refresh
token timeouts. We'll eventually add Client IP features so that a user
doesn't have to use 2-factor auth if they are logging in from the same
device from the same IP.
I can tell you what my bank does. I have the usual login/remember me
function. But if I want to access something that is more sensitive than
my basic account balance and such, I need to authorize my device. This
is done by getting the bank to send me a code via email or text. I then
enter the code in the site and I'm issued a cookie so that the device
doesn't have to go through this process again.
So this is quite different from "remember me", which only applies to
authentication. If someone finds out my credentials they still can't
get high level authorization to my account without physical access to my
device.
IMO, it would be a nice feature to implement in Keycloak so that app
devs don't have to.