On 3/20/2014 6:47 AM, Adrian Mitev wrote: > Hi guys! I'm very interested in Keycloak and would like to share with > you some ideas that come from user requirements I currently have or had > in the past that you may find useful to add in Keycloak. > * Automatically revoke access to user account after a (configurable) > number of invalid sign-on passwords until the system administrator has > unlocked the account or automatically after an administrator-defined > interval - I know that with such feature an attacker could lock user > accounts by simply knowing usernames/emails. However I have a case of an > Intranet application that is accessible only inside the company and > could trace such attackers by their ip addresses. Working on Brute force detection now. First iteration will increasingly add a "not before" time on successive login failures. Second iteration will include IP address options. > * Record and report (i.e. email sending) on failed login attempts outlining > * Force password changes at regular (configurable) intervals or > * Automatically reset the password and send a new one to the user via email > * Can ensure that the new password has not been used before in a number > (configurable) of password changes > * Login using digital signature in a smart card or p12 file This something different than OTP?

> * Security questions for password recovery > > Other that I found as issues in other Identity Providers > * Support many accounts (~10K) within a reasonable amount of time > * When providing an authentication client (maven dependency) add only > the needed set of dependencies. I know this sounds silly but I have > experience with a client library provided by the Identity Provider that > had a compile dependency to apache ant... > So far our adapters are installed once onto the app server. -- Bill Burke JBoss, a division of Red Hat http://bill.burkecentral.com _______________________________________________ keycloak-dev mailing list keycloak-dev(a)lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-dev

From: "Adrian Mitev" <adrian.mitev(a)gmail.com&gt; Cc: keycloak-dev(a)lists.jboss.org Sent: Friday, 28 March, 2014 10:58:08 AM Subject: Re: [keycloak-dev] Features whishlist Should I add these in JIRA as feature requests? On Thu, Mar 20, 2014 at 3:47 PM, Adrian Mitev < adrian.mitev(a)gmail.com > wrote: On Thu, Mar 20, 2014 at 3:22 PM, Bill Burke < bburke(a)redhat.com > wrote: On 3/20/2014 6:47 AM, Adrian Mitev wrote: > Hi guys! I'm very interested in Keycloak and would like to share with > you some ideas that come from user requirements I currently have or had > in the past that you may find useful to add in Keycloak. > * Automatically revoke access to user account after a (configurable) > number of invalid sign-on passwords until the system administrator has > unlocked the account or automatically after an administrator-defined > interval - I know that with such feature an attacker could lock user > accounts by simply knowing usernames/emails. However I have a case of an > Intranet application that is accessible only inside the company and > could trace such attackers by their ip addresses. Working on Brute force detection now. First iteration will increasingly add a "not before" time on successive login failures. Second iteration will include IP address options. > * Record and report (i.e. email sending) on failed login attempts outlining > * Force password changes at regular (configurable) intervals or > * Automatically reset the password and send a new one to the user via email > * Can ensure that the new password has not been used before in a number > (configurable) of password changes > * Login using digital signature in a smart card or p12 file This something different than OTP? A customer company has a policy that a password for user account should be changed every week. This counts for special type of users that access more sensitive information. > * Security questions for password recovery > > Other that I found as issues in other Identity Providers > * Support many accounts (~10K) within a reasonable amount of time > * When providing an authentication client (maven dependency) add only > the needed set of dependencies. I know this sounds silly but I have > experience with a client library provided by the Identity Provider that > had a compile dependency to apache ant... > So far our adapters are installed once onto the app server. -- Bill Burke JBoss, a division of Red Hat http://bill.burkecentral.com _______________________________________________ keycloak-dev mailing list keycloak-dev(a)lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-dev _______________________________________________ keycloak-dev mailing list keycloak-dev(a)lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-dev