----- Original Message -----
From: "Bill Burke" <bburke(a)redhat.com>
To: keycloak-dev(a)lists.jboss.org
Sent: Tuesday, 13 January, 2015 4:42:07 PM
Subject: Re: [keycloak-dev] Device registration and verification
On 1/13/2015 10:22 AM, Stan Silvert wrote:
> On 1/13/2015 9:35 AM, Bill Burke wrote:
>>
>> On 1/12/2015 1:10 PM, Stian Thorgersen wrote:
>>>> In a sense that is much more than just seamless authenticate (and
>>>> authorize
>>>> that computer) the user.
>>> I'm curious to see what you're proposing in a real system, but to me it
>>> sounds like it's similar enough that a remember me and multi factor auth
>>> mechanism would have the same level of security without complicating
>>> things for the user.
>>>
>> I don't think we need any special device registration and verification
>> for users. Any type of client registration should be done by app devs,
>> not users.
>>
>> For browsers, "remember me" and a persistent cookie is good enough. For
>> mobile and native apps, a refresh token can be stored. We should
>> probably have per-client overrides for things like access and refresh
>> token timeouts. We'll eventually add Client IP features so that a user
>> doesn't have to use 2-factor auth if they are logging in from the same
>> device from the same IP.
> I can tell you what my bank does. I have the usual login/remember me
> function. But if I want to access something that is more sensitive than
> my basic account balance and such, I need to authorize my device. This
> is done by getting the bank to send me a code via email or text. I then
> enter the code in the site and I'm issued a cookie so that the device
> doesn't have to go through this process again.
>
I would suggest the bank use OTP rather than this device registration
you talk of.
> So this is quite different from "remember me", which only applies to
> authentication. If someone finds out my credentials they still can't
> get high level authorization to my account without physical access to my
> device.
>
This is no different than OTP. Hacker could find a user's password, but
they still need the OTP device to log in.
> IMO, it would be a nice feature to implement in keycloak so that app
> devs don't have to.
IMO, too many ways to do the same thing is not a good idea. App devs
should use OTP.
How you set up OTP is another separate matter. For example, World of
Warcraft has OTP. The OTP generator is set up *PER DEVICE*. So if you
lose your iphone, you have to call up Blizzard support and answer a
bunch of personal questions before they disable OTP. The other option
they have is for you to register your mobile number. So, if you lose
your iphone and get another, you can disable OTP through an SMS exchange
with your new iphone.
There's also multi-level authentication. TOTP can be optional on a new device until
you're trying to do something sensitive. The app can then check the authentication
level provided for the specific token, if it's not high enough, redirect back to login
pages on Keycloak to bump the authentication level (totp, email or whatever).
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
_______________________________________________
keycloak-dev mailing list
keycloak-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-dev
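The multi-level authentication idea at the end of the message (a token carries the level the login achieved, the application compares it with what a route needs, and sends the user back to the login page to raise the level when it is too low) can be shown with a small app-side policy check. This is an added example written for this thread, not code from Keycloak or from anyone on the list. It assumes the token has already been signature-verified, that the asserted level lives in a claim called `auth_level`, and that the login page accepts `redirect_uri` and `required_level` query parameters; those names are illustrative assumptions, not Keycloak parameters.

```python
from urllib.parse import urlencode

# Authentication levels for this example (assumed ordering, not a Keycloak constant):
#   0 = anonymous, 1 = password only, 2 = password plus a second factor (TOTP, e-mail code, ...)
LEVEL_ANONYMOUS, LEVEL_PASSWORD, LEVEL_SECOND_FACTOR = 0, 1, 2

# Minimum level per URL prefix. The longest matching prefix wins, so the
# sensitive sub-paths override the generic /account rule.
ROUTE_LEVELS = {
    "/": LEVEL_ANONYMOUS,
    "/account": LEVEL_PASSWORD,
    "/account/transfer": LEVEL_SECOND_FACTOR,
    "/account/settings": LEVEL_SECOND_FACTOR,
}

# Name of the token claim carrying the level the identity provider asserted (assumed name).
LEVEL_CLAIM = "auth_level"


def required_level(path: str) -> int:
    """Return the minimum authentication level for a request path."""
    best_prefix, best_level = "", LEVEL_ANONYMOUS
    for prefix, level in ROUTE_LEVELS.items():
        # Match whole path segments only: "/account" must not match "/accounts".
        segment_match = path == prefix or path.startswith(prefix.rstrip("/") + "/")
        if segment_match and len(prefix) > len(best_prefix):
            best_prefix, best_level = prefix, level
    return best_level


def token_level(claims: dict) -> int:
    """Level asserted in the (already signature-verified) token claims.

    A token with no level claim still proves a completed login, so it is
    treated as password-only; a value that is not an integer is treated the
    same way rather than trusted. Both are policy choices for this example.
    """
    try:
        level = int(claims.get(LEVEL_CLAIM, LEVEL_PASSWORD))
    except (TypeError, ValueError):
        return LEVEL_PASSWORD
    # Clamp to the known range so an unexpected value cannot exceed the top level.
    return max(LEVEL_ANONYMOUS, min(level, LEVEL_SECOND_FACTOR))


def step_up_redirect(login_url: str, return_to: str, level: int) -> str:
    """Build the redirect back to the login page asking for `level`.

    The query parameter names are assumptions for this example.
    """
    return login_url + "?" + urlencode({"redirect_uri": return_to, "required_level": level})


def authorize(path: str, claims: dict, login_url: str) -> tuple:
    """Decide a request: ("allow", None) or ("redirect", url_to_login).

    `path` is reused as the return target; a real application would pass
    the absolute URL of the original request instead.
    """
    needed = required_level(path)
    have = token_level(claims)
    if have >= needed:
        return ("allow", None)
    return ("redirect", step_up_redirect(login_url, path, needed))


if __name__ == "__main__":
    login = "https://sso.example.test/auth/login"  # constructed placeholder
    password_only = {"sub": "alice", "auth_level": 1}  # constructed sample claims
    with_otp = {"sub": "alice", "auth_level": 2}
    print(authorize("/account/balance", password_only, login))   # allowed at level 1
    print(authorize("/account/transfer", password_only, login))  # redirect, level 2 needed
    print(authorize("/account/transfer", with_otp, login))       # allowed once OTP was done
```

The check fails toward the login page rather than toward access: a missing or malformed level claim never grants the second-factor level, and route matching is done on whole path segments so a rule for `/account` cannot accidentally cover `/accounts`.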