> ----- Original Message -----
> From: "Pedro Igor Silva" <psilva(a)redhat.com>
> To: "Stian Thorgersen" <stian(a)redhat.com>
> Cc: "keycloak dev" <keycloak-dev(a)lists.jboss.org>
> Sent: Friday, 9 January, 2015 12:44:20 PM
> Subject: Re: [keycloak-dev] Device registration and verification
>
> ----- Original Message -----
> > From: "Stian Thorgersen" <stian(a)redhat.com>
> > To: "Pedro Igor Silva" <psilva(a)redhat.com>
> > Cc: "keycloak dev" <keycloak-dev(a)lists.jboss.org>
> > Sent: Friday, January 9, 2015 5:02:16 AM
> > Subject: Re: [keycloak-dev] Device registration and verification
> >
> > Requiring email seems unnecessary and awkward to me. The normal flow I've
> > seen (at least on Android) is that you simply login with your username and
> > password on the device. You can then go into your account later and list
> > devices that are registered.
>
> I was thinking more about browser-based scenarios. Mobile behaves differently
> but similarly. In any case, the idea is to secure the user account based on the
> devices he usually uses to access something. If that changes, it might be a
> threat.
Sure, but what you're actually talking about here is using email as a 2nd factor
authentication right?
My plan was that we'd have more ways to do 2nd factor auth (sms, email, google
authenticator, yubikey, custom) and have an option on a realm to enable
"trusted" devices. If the realm has trusted devices enabled then the user only
has to use the 2nd factor authentication say every 30 days or so.
> >
> > IMO we need to have a bigger discussion on how mobile and devices which
> > includes the AeroGear guys.
> >
> > ----- Original Message -----
> > > From: "Pedro Igor Silva" <psilva(a)redhat.com>
> > > To: "keycloak dev" <keycloak-dev(a)lists.jboss.org>
> > > Sent: Friday, 9 January, 2015 12:09:47 AM
> > > Subject: [keycloak-dev] Device registration and verification
> > >
> > > Hi,
> > >
> > > I was wondering if we can support device registration and verification
> > > during login as follows:
> > >
> > > 1) Users can enable/disable behavior in admin console for a specific
> > > realm.
> > > 2) After a successful login, KC checks if the user's device is known.
> > > For instance, Browser and Operating System.
> > > 3) If not recognized, KC shows a page asking user if he wants to
> > > enable the device.
> > > 4) KC sends an email to user with a code.
> > > 5) When trying to login again, user must provide the code to register
> > > the new device and get authenticated.
> > > 6) From now on, users can authenticate without asking for permission
> > > if using the same device.
> > >
> > > Any thoughts?
> > >
> > > Regards.
> > > Pedro Igor
> > >
> > > _______________________________________________
> > > keycloak-dev mailing list
> > > keycloak-dev(a)lists.jboss.org
> > > https://lists.jboss.org/mailman/listinfo/keycloak-dev
> > >
> >
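The flow Pedro sketches (after the password check, look up whether the device is known; if not, email a one-time code and require it on the next login; afterwards let that device through) combined with the "trusted devices" re-verification every 30 days that Stian mentions, written out as an added Python example. This is not Keycloak code and not code from the thread. Its assumptions: the device is identified by browser + OS plus a random per-device cookie the server hands out on first contact (browser + OS alone is shared by far too many clients to be a device identity), the emailed code lives 15 minutes, the pending code is discarded after five wrong guesses, and the names `DeviceVerifier`, `device_key` and `PendingCode` are this example's own.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

TRUST_TTL = 30 * 24 * 3600   # re-verify a device every 30 days ("every 30 days or so" in the thread)
CODE_TTL = 15 * 60           # assumed: an emailed code is valid for 15 minutes
MAX_ATTEMPTS = 5             # assumed: discard the pending code after 5 wrong guesses


def device_key(browser: str, os_name: str, device_cookie: str) -> str:
    """Identify a device by browser + OS (as in the proposal) plus a random
    per-device cookie (an assumption of this example). Browser+OS alone is
    shared by millions of clients, so the cookie is what makes the key
    unguessable; only a hash is stored so a leaked table yields no usable
    device identifiers."""
    raw = f"{browser}\x00{os_name}\x00{device_cookie}".encode()
    return hashlib.sha256(raw).hexdigest()


def _hash_code(code: str) -> str:
    return hashlib.sha256(code.encode()).hexdigest()


@dataclass
class PendingCode:
    code_hash: str      # never store the plaintext code
    expires_at: float
    attempts: int = 0


class DeviceVerifier:
    """Steps 2-6 of the proposal, with expiring trust and single-use codes."""

    def __init__(self, send_email, clock=time.time):
        self.send_email = send_email   # callable(username, code), e.g. an SMTP sender
        self.clock = clock             # injectable so expiry can be tested
        self.trusted = {}              # (username, device_key) -> trust expiry time
        self.pending = {}              # (username, device_key) -> PendingCode

    def login(self, username, password_ok, browser, os_name, device_cookie, code=None):
        """Run after the password check. Returns 'denied', 'ok',
        'verify_required', 'code_expired', 'code_invalid' or 'locked'."""
        if not password_ok:
            return "denied"            # never touch device state for a bad password
        key = (username, device_key(browser, os_name, device_cookie))
        now = self.clock()

        expiry = self.trusted.get(key)
        if expiry is not None:
            if now < expiry:
                return "ok"            # step 6: known device, no extra prompt
            del self.trusted[key]      # trust lapsed after TRUST_TTL; re-verify

        if code is None:
            # steps 3-4: unknown device, issue a fresh single-use code by email
            new_code = f"{secrets.randbelow(10**6):06d}"
            self.pending[key] = PendingCode(_hash_code(new_code), now + CODE_TTL)
            self.send_email(username, new_code)
            return "verify_required"

        # step 5: the user is back with a code for this device
        pending = self.pending.get(key)
        if pending is None or now >= pending.expires_at:
            self.pending.pop(key, None)
            return "code_expired"
        pending.attempts += 1
        if pending.attempts > MAX_ATTEMPTS:
            del self.pending[key]      # stop online guessing of a 6-digit code
            return "locked"
        if not hmac.compare_digest(pending.code_hash, _hash_code(code)):
            return "code_invalid"
        del self.pending[key]          # single use
        self.trusted[key] = now + TRUST_TTL
        return "ok"


if __name__ == "__main__":
    outbox = []   # constructed stand-in for the mail sender
    v = DeviceVerifier(lambda user, c: outbox.append(c))
    print(v.login("alice", True, "Firefox", "Linux", "c0ffee"))               # verify_required
    print(v.login("alice", True, "Firefox", "Linux", "c0ffee", outbox[-1]))   # ok
    print(v.login("alice", True, "Firefox", "Linux", "c0ffee"))               # ok
```

The points a reviewer would check in a real implementation are the ones the state machine makes explicit: the device lookup only happens after the password succeeds, the code is hashed at rest and compared in constant time, it is single-use and time-limited, guessing is capped, and trust is a dated record rather than a permanent flag, which is what makes the 30-day re-verification a one-line policy.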