----- Original Message -----
From: "Bill Burke" <bburke(a)redhat.com>
To: "Stian Thorgersen" <stian(a)redhat.com>, "Pedro Igor Silva"
<psilva(a)redhat.com>
Cc: keycloak-dev(a)lists.jboss.org
Sent: Tuesday, 13 January, 2015 3:35:18 PM
Subject: Re: [keycloak-dev] Device registration and verification
On 1/12/2015 1:10 PM, Stian Thorgersen wrote:
>> In a sense that is much more than just seamlessly authenticating (and
>> authorizing that computer) the user.
>
> I'm curious to see what you're proposing in a real system, but to me it
> sounds like it's similar enough that a remember-me and multi-factor auth
> mechanism would have the same level of security without complicating
> things for the user.
>
I don't think we need any special device registration and verification
for users. Any type of client registration should be done by app devs,
not users.
For browsers, "remember me" and a persistent cookie is good enough. For
mobile and native apps, a refresh token can be stored. We should
probably have per-client overrides for things like access and refresh
token timeouts. We'll eventually add Client IP features so that a user
doesn't have to use 2-factor auth if they are logging in from the same
device from the same IP.
IMO not requiring 2-factor auth from the same device should use a cookie, not IP
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
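The two ways of skipping the second factor that come up in this exchange, Bill's "same device from the same IP" check and the reply's "use a cookie, not IP", side by side as an added example. This is not Keycloak code and not from either poster; the function names, the signing key, the 30-day lifetime and the sample timestamps and addresses are all assumptions made here. The cookie variant mints an HMAC-signed value after a successful second factor, bound to the user and to a random device id with an expiry, and a later login skips the second factor only if that value verifies for the same user; the IP variant skips it whenever the address has been seen before, which is why two users behind one NAT address are indistinguishable to it.

```python
"""Trusted-device cookie vs. client-IP check for skipping a second factor.

Added example, not Keycloak's implementation. Key, TTL and names are assumptions.
"""
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional, Set

# Constructed demo key; a real server generates and stores its own key material.
SERVER_KEY = b"constructed-demo-key-do-not-use-in-production"

TRUSTED_DEVICE_TTL = 30 * 24 * 3600  # assumed policy: trust a device for 30 days


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(body: str, key: bytes) -> str:
    return _b64url(hmac.new(key, body.encode("ascii"), hashlib.sha256).digest())


def _encode_payload(payload: dict) -> str:
    return _b64url(json.dumps(payload, separators=(",", ":"), sort_keys=True).encode("utf-8"))


def issue_trusted_device_cookie(user_id: str, key: bytes = SERVER_KEY,
                                now: Optional[float] = None, ttl: int = TRUSTED_DEVICE_TTL) -> str:
    """Mint the cookie value set in the browser after a successful second factor.

    The random device id ties the cookie to this browser rather than to the user's
    data alone; storing it server-side would also allow "forget this device" revocation.
    """
    now = time.time() if now is None else now
    payload = {"sub": user_id, "dev": secrets.token_urlsafe(16), "exp": int(now) + ttl}
    body = _encode_payload(payload)
    return body + "." + _sign(body, key)


def verify_trusted_device_cookie(cookie: str, user_id: str, key: bytes = SERVER_KEY,
                                 now: Optional[float] = None) -> bool:
    """True only if the cookie is intact, unexpired and was issued for this user."""
    now = time.time() if now is None else now
    try:
        body, sig = cookie.split(".", 1)
    except ValueError:
        return False
    # Check the MAC in constant time before trusting anything inside the payload.
    if not hmac.compare_digest(sig, _sign(body, key)):
        return False
    try:
        payload = json.loads(_b64url_decode(body))
    except ValueError:  # covers bad base64 (binascii.Error) and bad JSON
        return False
    return payload.get("sub") == user_id and payload.get("exp", 0) > now


def second_factor_required_by_cookie(cookie: Optional[str], user_id: str,
                                     key: bytes = SERVER_KEY, now: Optional[float] = None) -> bool:
    """Cookie-based policy: skip the second factor only for a verified trusted-device cookie."""
    return not (cookie and verify_trusted_device_cookie(cookie, user_id, key, now))


def second_factor_required_by_ip(client_ip: str, known_ips: Set[str]) -> bool:
    """IP-based policy: skip the second factor when the address has been seen before."""
    return client_ip not in known_ips


def tamper_user(cookie: str, new_user_id: str) -> str:
    """Rewrite the subject but keep the old signature, as an attacker holding the cookie might try."""
    body, sig = cookie.split(".", 1)
    payload = json.loads(_b64url_decode(body))
    payload["sub"] = new_user_id
    return _encode_payload(payload) + "." + sig


if __name__ == "__main__":
    t0 = 1_421_164_518  # constructed timestamp
    c = issue_trusted_device_cookie("alice", now=t0)
    print("alice, same browser, 2FA needed:", second_factor_required_by_cookie(c, "alice", now=t0 + 60))
    print("cookie re-pointed at bob:", second_factor_required_by_cookie(tamper_user(c, "bob"), "bob", now=t0 + 60))
    print("31 days later:", second_factor_required_by_cookie(c, "alice", now=t0 + 31 * 86400))
    office = {"203.0.113.7"}  # constructed NAT address shared by many users
    print("alice from office IP:", second_factor_required_by_ip("203.0.113.7", office))
    print("bob from the same office IP:", second_factor_required_by_ip("203.0.113.7", office))
```

Running the module shows the cookie policy refusing a forged subject, an expired cookie and a cookie for a different user, while the IP policy returns the same answer for everyone behind the shared address. The per-client token timeout overrides Bill mentions would sit alongside this: the cookie TTL here is a per-realm or per-client policy value, not a property of the user.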