Doesn't seem adapter authentication is dead:
https://www.google.no/?ion=1&espv=2#q=adaptive+authentication&tbm=nws

VPNs are certainly not the solution in all cases as more and more applications are exposed directly on the Internet everyday. Two factor is certainly improving security ten folds, but there's also issues with those. A token can be lost or compromised. There's needs for password recovery.

End of the day the more layers of security you have the less likely you'll get compromised. VPNs + two factor + adaptive authentication might just combined be enough to give you the level you need.

We do have adaptive authentication on the radar for Keycloak. There's a fairly good chance it's something we'll look into for 3.x (2017). As such I'd love to hear more what others think about it.

On 28 August 2016 at 14:32, Marc Boorshtein <marc.boorshtein@tremolosecurity.com> wrote:

On Aug 28, 2016 7:56 AM, "Thomas Darimont" <thomas.darimont@googlemail.com> wrote:
>
> Hello group, 
>
> I just add a look at a nice feature from Forge Rock AM called:
> "Adaptive risk login".

Adaptive risk was really popular around 2010 as a multi-factor without a token. Mainly banks didnt want to hand out rsa secureid tokens. They used a bunch of factors like your flash version, source IP, etc. It turned out to be more trouble then it's worth. Between the ease of creating soft tokens like totp and the popularity of VPNs the adaptive risk approach proved to be mostly pointless. The amount of statistical data needed to make these decisions useful, and the amount of skill needed to configure was outweighed by simpler multi factor implementations.

Oracles adaptive access manager, the most notable enterprise adaptive access manager, was merged into Oracle access manager mainly for the couple of alternative login methods but the adaptive part has disappeared. My guess is this was a "me too"/checkbox feature. I've done several forgerock implementations and this comes up as a theoretical discussion but never goes beyond that.

I've seen a few machine learning based approaches to authentication but they go well beyond tracking a risk score, more behavior tracking stuff.  The couple I've seen end up integrating via saml or oidc anyways so there wouldn't be much to do on the kc side.


_______________________________________________
keycloak-dev mailing list
keycloak-dev@lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-dev