----- Original Message -----
From: "Pedro Igor Silva" <psilva(a)redhat.com>
To: "Bill Burke" <bburke(a)redhat.com>
Cc: keycloak-dev(a)lists.jboss.org
Sent: Monday, 12 January, 2015 7:00:10 PM
Subject: Re: [keycloak-dev] Device registration and verification
----- Original Message -----
> From: "Bill Burke" <bburke(a)redhat.com>
> To: "Pedro Igor Silva" <psilva(a)redhat.com>
> Cc: keycloak-dev(a)lists.jboss.org
> Sent: Monday, January 12, 2015 3:32:49 PM
> Subject: Re: [keycloak-dev] Device registration and verification
>
>
>
> On 1/12/2015 10:56 AM, Pedro Igor Silva wrote:
> > ----- Original Message -----
> >> From: "Bill Burke" <bburke(a)redhat.com>
> >> To: keycloak-dev(a)lists.jboss.org
> >> Sent: Monday, January 12, 2015 1:39:35 PM
> >> Subject: Re: [keycloak-dev] Device registration and verification
> >>
> >>
> >>
> >> On 1/12/2015 10:06 AM, Pedro Igor Silva wrote:
> >>> ----- Original Message -----
> >>>> From: "Stian Thorgersen" <stian(a)redhat.com>
> >>>> To: "Pedro Igor Silva" <psilva(a)redhat.com>
> >>>> Cc: "keycloak dev" <keycloak-dev(a)lists.jboss.org>
> >>>> Sent: Monday, January 12, 2015 5:01:35 AM
> >>>> Subject: Re: [keycloak-dev] Device registration and verification
> >>>>
> >>>>
> >>>>
> >>>> ----- Original Message -----
> >>>>> From: "Pedro Igor Silva" <psilva(a)redhat.com>
> >>>>> To: "Stian Thorgersen" <stian(a)redhat.com>
> >>>>> Cc: "keycloak dev" <keycloak-dev(a)lists.jboss.org>
> >>>>> Sent: Friday, 9 January, 2015 4:09:51 PM
> >>>>> Subject: Re: [keycloak-dev] Device registration and verification
> >>>>>
> >>>>> ----- Original Message -----
> >>>>>> From: "Stian Thorgersen" <stian(a)redhat.com>
> >>>>>> To: "Pedro Igor Silva" <psilva(a)redhat.com>
> >>>>>> Cc: "keycloak dev" <keycloak-dev(a)lists.jboss.org>
> >>>>>> Sent: Friday, January 9, 2015 11:29:01 AM
> >>>>>> Subject: Re: [keycloak-dev] Device registration and verification
> >>>>>>
> >>>>>>
> >>>>>>
> >>>>>> ----- Original Message -----
> >>>>>>> From: "Pedro Igor Silva" <psilva(a)redhat.com>
> >>>>>>> To: "Stian Thorgersen" <stian(a)redhat.com>
> >>>>>>> Cc: "keycloak dev" <keycloak-dev(a)lists.jboss.org>
> >>>>>>> Sent: Friday, 9 January, 2015 12:44:20 PM
> >>>>>>> Subject: Re: [keycloak-dev] Device registration and verification
> >>>>>>>
> >>>>>>> ----- Original Message -----
> >>>>>>>> From: "Stian Thorgersen" <stian(a)redhat.com>
> >>>>>>>> To: "Pedro Igor Silva" <psilva(a)redhat.com>
> >>>>>>>> Cc: "keycloak dev" <keycloak-dev(a)lists.jboss.org>
> >>>>>>>> Sent: Friday, January 9, 2015 5:02:16 AM
> >>>>>>>> Subject: Re: [keycloak-dev] Device registration and verification
> >>>>>>>>
> >>>>>>>> Requiring email seems unnecessary and awkward to me. The normal flow I've
> >>>>>>>> seen (at least on Android) is that you simply login with your username
> >>>>>>>> and password on the device. You can then go into your account later and
> >>>>>>>> list devices that are registered.
> >>>>>>>
> >>>>>>> I was thinking more about browser-based scenarios. Mobile behaves
> >>>>>>> differently but similarly. In any case, the idea is to secure a user
> >>>>>>> account based on the devices he usually uses to access something. If
> >>>>>>> that changes, it might be a threat.
> >>>>>>
> >>>>>> Sure, but what you're actually talking about here is using email as a
> >>>>>> 2nd factor authentication right?
> >>>>>
> >>>>> No. Email is not a 2nd factor authentication, but the code itself. Email
> >>>>> is just how you send the code and also how you alert the user that someone
> >>>>> is trying to access his account from an unrecognized device. In this
> >>>>> case, the code is just an "activation code" (not an authentication code);
> >>>>> we can even remove the code and just provide a confirmation link, for
> >>>>> instance.
> >>>>>
> >>>>> This is not about authenticating users, but authorization. Allowing
> >>>>> access only from devices previously approved by the user. Let's say you
> >>>>> usually access your bank from your home computer. But for some reason,
> >>>>> you need temporary access from a LAN house computer. You probably don't
> >>>>> want to allow access from LAN house computers later on.
> >>>>>
> >>>>>>
> >>>>>> My plan was that we'd have more ways to do 2nd factor auth (sms, email,
> >>>>>> google authenticator, yubikey, custom) and have an option on a realm to
> >>>>>> enable "trusted" devices. If the realm has trusted devices enabled then
> >>>>>> the user only has to use the 2nd factor authentication say every 30 days
> >>>>>> or so.
> >>>>>
> >>>>> What I'm proposing is another security layer, which can be used together
> >>>>> with 2nd factor authentication.
> >>>>
> >>>> I see no difference, except for implementation details
> >>>
> >>> There is a difference. Usually you see this feature in bank sites. Or even
> >>> in SalesForce if you try it out. It helps providers to increase security
> >>> by allowing access only from devices authorized by the user. You can even
> >>> not use 2nd factor authentication at all.
> >>>
> >>
> >> How is this different than a "remember me" button?
> >
> > "Remember me" will allow you to get authenticated. But if you provided only
> > temporary access from that device, you will not be able to proceed even
> > with "remember me" checked. However, if that device was approved for you
> > and marked as "trusted" you will be fine.
> >
> > This is not about authentication, but authorization ....
> >
>
> Remember me is the same thing as authorizing your browser/machine.

Yes. But you don't track the devices (or PCs), when your last login from a
device was, define how long you want to "remember" that device or whether you
just want a single access from that computer, receive notifications of access
from unauthorized devices, and so forth. In a sense that is much more than just
seamlessly authenticating the user (and authorizing that computer).

> I'm curious to see what you're proposing in a real system, but to me it
> sounds like it's similar enough that a remember me and multi factor auth
> mechanism would have the same level of security without complicating things
> for the user.
>
>
>
> --
> Bill Burke
> JBoss, a division of Red Hat
>
> http://bill.burkecentral.com
>
_______________________________________________
keycloak-dev mailing list
keycloak-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-dev
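The device-authorization layer Pedro argues for in this thread (an activation code delivered out of band, a device approved either for a single access or as "trusted" for a window like Stian's 30 days, last-login tracking, and an alert on every unrecognized device), as an added Python sketch that is not Keycloak code and not from any participant; the in-memory store, the `device_id` fingerprint stand-in, the 6-digit code and the window and code lifetimes are assumptions for illustration:

```python
import hashlib
import hmac
import secrets
from datetime import datetime, timedelta

TRUST_WINDOW = timedelta(days=30)  # assumed realm setting ("every 30 days or so")
CODE_TTL = timedelta(minutes=15)   # assumed lifetime of an emailed activation code


def device_id(user_agent: str, locale: str) -> str:
    # Opaque device key from browser traits; a constructed stand-in for a real fingerprint.
    return hashlib.sha256(f"{user_agent}|{locale}".encode()).hexdigest()[:16]


class DeviceRegistry:
    """Per-user device authorization, applied after password authentication succeeds."""

    def __init__(self, now=None):
        self.now = now or datetime.now()  # plain attribute so expiry can be simulated
        self.devices = {}  # (user, device) -> {"single_use", "expires", "last_login"}
        self.pending = {}  # (user, device) -> {"code", "expires"}
        self.alerts = []   # emails that would go out; collected here instead of sent

    def check_access(self, user: str, device: str) -> str:
        rec = self.devices.get((user, device))
        if rec is not None:
            if rec["single_use"]:           # temporary approval: consumed by this access
                del self.devices[(user, device)]
                return "allowed"
            if rec["expires"] > self.now:   # trusted device still inside its window
                rec["last_login"] = self.now
                return "allowed"
            del self.devices[(user, device)]  # trust expired: must be approved again
        # Unrecognized device: issue a one-time code and alert the user out of band.
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending[(user, device)] = {"code": code, "expires": self.now + CODE_TTL}
        self.alerts.append((user, f"new device {device}: activation code {code}"))
        return "activation_required"

    def activate(self, user: str, device: str, code: str, trusted: bool) -> bool:
        pend = self.pending.pop((user, device), None)  # one attempt per code
        if pend is None or pend["expires"] <= self.now:
            return False
        if not hmac.compare_digest(pend["code"], code):  # constant-time compare
            return False
        self.devices[(user, device)] = {"single_use": not trusted, "last_login": self.now,
                                        "expires": self.now + TRUST_WINDOW if trusted else None}
        return True
```

A "remember me" cookie only answers `check_access` being reached at all; whether the answer is "allowed" still depends on the device record, which is the distinction Pedro draws between authentication and this authorization step.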