Recaptchas are not seen as secure, they just make it slightly harder. Brute-force
protection and intrusion detection are still needed. IMO recaptchas are a false sense
of security and the only thing they do is bug the shit out of users.

Direct grant should definitively be enabled by default, but I don't have any
objections to having an option to disable it.
----- Original Message -----
From: "Bill Burke" <bburke(a)redhat.com>
To: keycloak-dev(a)lists.jboss.org
Sent: Monday, 15 June, 2015 4:11:36 PM
Subject: [keycloak-dev] bring back ability to disable direct grant
I was thinking about recaptcha support. The purpose of recaptcha is to
make sure a bot is not trying to log into the system. Really good for
something like registration, but also very useful for regular logins for
extra security. Recaptcha would alleviate the need for Brute Force
Protector.

The thing is though, if you still have direct grant, then putting in
recaptcha at login is pointless as an attacker can just go through
direct grant.

Can we bring back the ability to disable direct grant?
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com