Hi, I was wondering if we can support device registration and verification during login as follows: 1) Users can enable/disable behavior in admin console for a specific realm. 2) After a successful login, KC checks if the user's device is known. For instance, Browser and Operating System. 3) If not recognized, KC shows a page asking user if he wants to enable the device. 4) KC sends an email to user with a code. 5) When trying to login again, user must provide the code to register the new device and get authenticated. 6) For now on, users can authenticate without asking for permission if using the same device. Any thoughts ? Regards. Pedro Igor _______________________________________________ keycloak-dev mailing list keycloak-dev(a)lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-dev

From: "Stian Thorgersen" <stian(a)redhat.com&gt; To: "Pedro Igor Silva" <psilva(a)redhat.com&gt; Cc: "keycloak dev" <keycloak-dev(a)lists.jboss.org&gt; Sent: Friday, January 9, 2015 5:02:16 AM Subject: Re: [keycloak-dev] Device registration and verification Requiring email seems unnecessary and awkward to me. The normal flow I've seen (at least on Android) is that you simply login with your username and password on the device. You can then go into your account later and list devices that are registered.

IMO we need to have a bigger discussion on how mobile and devices which includes the AeroGear guys. ----- Original Message ----- > From: "Pedro Igor Silva" <psilva(a)redhat.com&gt; > To: "keycloak dev" <keycloak-dev(a)lists.jboss.org&gt; > Sent: Friday, 9 January, 2015 12:09:47 AM > Subject: [keycloak-dev] Device registration and verification > > Hi, > > I was wondering if we can support device registration and verification > during login as follows: > > 1) Users can enable/disable behavior in admin console for a specific > realm. > 2) After a successful login, KC checks if the user's device is > known. > For instance, Browser and Operating System. > 3) If not recognized, KC shows a page asking user if he wants to > enable the device. > 4) KC sends an email to user with a code. > 5) When trying to login again, user must provide the code to > register > the new device and get authenticated. > 6) For now on, users can authenticate without asking for permission > if > using the same device. > > Any thoughts ? > > Regards. > Pedro Igor > > _______________________________________________ > keycloak-dev mailing list > keycloak-dev(a)lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-dev >

From: "Stian Thorgersen" <stian(a)redhat.com&gt; To: "Pedro Igor Silva" <psilva(a)redhat.com&gt; Cc: "keycloak dev" <keycloak-dev(a)lists.jboss.org&gt; Sent: Friday, January 9, 2015 11:29:01 AM Subject: Re: [keycloak-dev] Device registration and verification ----- Original Message ----- > From: "Pedro Igor Silva" <psilva(a)redhat.com&gt; > To: "Stian Thorgersen" <stian(a)redhat.com&gt; > Cc: "keycloak dev" <keycloak-dev(a)lists.jboss.org&gt; > Sent: Friday, 9 January, 2015 12:44:20 PM > Subject: Re: [keycloak-dev] Device registration and verification > > ----- Original Message ----- > > From: "Stian Thorgersen" <stian(a)redhat.com&gt; > > To: "Pedro Igor Silva" <psilva(a)redhat.com&gt; > > Cc: "keycloak dev" <keycloak-dev(a)lists.jboss.org&gt; > > Sent: Friday, January 9, 2015 5:02:16 AM > > Subject: Re: [keycloak-dev] Device registration and verification > > > > Requiring email seems unnecessary and awkward to me. The normal flow I've > > seen (at least on Android) is that you simply login with your username > > and > > password on the device. You can then go into your account later and list > > devices that are registered. > > I was thinking more about browser-based scenarios. Mobile behaves > differently > but similary. In any case, the idea is secure user account based on the > devices he usually use to access something. If that changes, it might be a > threat. Sure, but what you're actually talking about here is using email as a 2nd factor authentication right?

My plan was that we'd have more ways to do 2nd factor auth (sms, email, google authenticator, yubikey, custom) and have an option on a realm to enable "trusted" devices. If the realm has trusted devices enabled then the user only has to use the 2nd factor authentication say every 30 days or so.

> > > > > IMO we need to have a bigger discussion on how mobile and devices which > > includes the AeroGear guys. > > > > ----- Original Message ----- > > > From: "Pedro Igor Silva" <psilva(a)redhat.com&gt; > > > To: "keycloak dev" <keycloak-dev(a)lists.jboss.org&gt; > > > Sent: Friday, 9 January, 2015 12:09:47 AM > > > Subject: [keycloak-dev] Device registration and verification > > > > > > Hi, > > > > > > I was wondering if we can support device registration and > > > verification > > > during login as follows: > > > > > > 1) Users can enable/disable behavior in admin console for a > > > specific > > > realm. > > > 2) After a successful login, KC checks if the user's device is > > > known. > > > For instance, Browser and Operating System. > > > 3) If not recognized, KC shows a page asking user if he wants to > > > enable the device. > > > 4) KC sends an email to user with a code. > > > 5) When trying to login again, user must provide the code to > > > register > > > the new device and get authenticated. > > > 6) For now on, users can authenticate without asking for > > > permission > > > if > > > using the same device. > > > > > > Any thoughts ? > > > > > > Regards. > > > Pedro Igor > > > > > > _______________________________________________ > > > keycloak-dev mailing list > > > keycloak-dev(a)lists.jboss.org > > > https://lists.jboss.org/mailman/listinfo/keycloak-dev > > > > > >

From: "Stian Thorgersen" <stian(a)redhat.com&gt; To: "Pedro Igor Silva" <psilva(a)redhat.com&gt; Cc: "keycloak dev" <keycloak-dev(a)lists.jboss.org&gt; Sent: Monday, January 12, 2015 5:01:35 AM Subject: Re: [keycloak-dev] Device registration and verification ----- Original Message ----- > From: "Pedro Igor Silva" <psilva(a)redhat.com&gt; > To: "Stian Thorgersen" <stian(a)redhat.com&gt; > Cc: "keycloak dev" <keycloak-dev(a)lists.jboss.org&gt; > Sent: Friday, 9 January, 2015 4:09:51 PM > Subject: Re: [keycloak-dev] Device registration and verification > > ----- Original Message ----- > > From: "Stian Thorgersen" <stian(a)redhat.com&gt; > > To: "Pedro Igor Silva" <psilva(a)redhat.com&gt; > > Cc: "keycloak dev" <keycloak-dev(a)lists.jboss.org&gt; > > Sent: Friday, January 9, 2015 11:29:01 AM > > Subject: Re: [keycloak-dev] Device registration and verification > > > > > > > > ----- Original Message ----- > > > From: "Pedro Igor Silva" <psilva(a)redhat.com&gt; > > > To: "Stian Thorgersen" <stian(a)redhat.com&gt; > > > Cc: "keycloak dev" <keycloak-dev(a)lists.jboss.org&gt; > > > Sent: Friday, 9 January, 2015 12:44:20 PM > > > Subject: Re: [keycloak-dev] Device registration and verification > > > > > > ----- Original Message ----- > > > > From: "Stian Thorgersen" <stian(a)redhat.com&gt; > > > > To: "Pedro Igor Silva" <psilva(a)redhat.com&gt; > > > > Cc: "keycloak dev" <keycloak-dev(a)lists.jboss.org&gt; > > > > Sent: Friday, January 9, 2015 5:02:16 AM > > > > Subject: Re: [keycloak-dev] Device registration and verification > > > > > > > > Requiring email seems unnecessary and awkward to me. The normal flow > > > > I've > > > > seen (at least on Android) is that you simply login with your > > > > username > > > > and > > > > password on the device. You can then go into your account later and > > > > list > > > > devices that are registered. > > > > > > I was thinking more about browser-based scenarios. Mobile behaves > > > differently > > > but similary. In any case, the idea is secure user account based on the > > > devices he usually use to access something. If that changes, it might > > > be > > > a > > > threat. > > > > Sure, but what you're actually talking about here is using email as a 2nd > > factor authentication right? > > No. Email is not a 2nd factor authentication, but the code itself. Email is > just how you send the code and also how you alert the user that someone is > trying to access his account from a not recognized device. In this case, > the > code is just an "activation code" (not an authentication code), we can even > remove the code and just provide a confirmation link, for instance. > > This is not about authenticating users, but authorization. Allowing access > only from devices previously approved by the user. Let's say you usually > access your bank from your home computer. But for some reason, you need > temporary access from a LAN house computer. You probably don't want to > allow > access from LAN house computers later on. > > > > > My plan was that we'd have more ways to do 2nd factor auth (sms, email, > > google authenticator, yubikey, custom) and have an option on a realm to > > enable "trusted" devices. If the realm has trusted devices enabled then > > the > > user only has to use the 2nd factor authentication say every 30 days or > > so. > > What I'm proposing is another security layer, which can be used together > with > 2nd factor authentication. I see no difference, except for implementation details

> > > > > > > > > > > > > > IMO we need to have a bigger discussion on how mobile and devices > > > > which > > > > includes the AeroGear guys. > > > > > > > > ----- Original Message ----- > > > > > From: "Pedro Igor Silva" <psilva(a)redhat.com&gt; > > > > > To: "keycloak dev" <keycloak-dev(a)lists.jboss.org&gt; > > > > > Sent: Friday, 9 January, 2015 12:09:47 AM > > > > > Subject: [keycloak-dev] Device registration and verification > > > > > > > > > > Hi, > > > > > > > > > > I was wondering if we can support device registration and > > > > > verification > > > > > during login as follows: > > > > > > > > > > 1) Users can enable/disable behavior in admin console for a > > > > > specific > > > > > realm. > > > > > 2) After a successful login, KC checks if the user's device > > > > > is > > > > > known. > > > > > For instance, Browser and Operating System. > > > > > 3) If not recognized, KC shows a page asking user if he > > > > > wants > > > > > to > > > > > enable the device. > > > > > 4) KC sends an email to user with a code. > > > > > 5) When trying to login again, user must provide the code to > > > > > register > > > > > the new device and get authenticated. > > > > > 6) For now on, users can authenticate without asking for > > > > > permission > > > > > if > > > > > using the same device. > > > > > > > > > > Any thoughts ? > > > > > > > > > > Regards. > > > > > Pedro Igor > > > > > > > > > > _______________________________________________ > > > > > keycloak-dev mailing list > > > > > keycloak-dev(a)lists.jboss.org > > > > > https://lists.jboss.org/mailman/listinfo/keycloak-dev > > > > > > > > > > > > > > >

From: "Bill Burke" <bburke(a)redhat.com&gt; To: keycloak-dev(a)lists.jboss.org Sent: Monday, January 12, 2015 1:39:35 PM Subject: Re: [keycloak-dev] Device registration and verification On 1/12/2015 10:06 AM, Pedro Igor Silva wrote: > ----- Original Message ----- >> From: "Stian Thorgersen" <stian(a)redhat.com&gt; >> To: "Pedro Igor Silva" <psilva(a)redhat.com&gt; >> Cc: "keycloak dev" <keycloak-dev(a)lists.jboss.org&gt; >> Sent: Monday, January 12, 2015 5:01:35 AM >> Subject: Re: [keycloak-dev] Device registration and verification >> >> >> >> ----- Original Message ----- >>> From: "Pedro Igor Silva" <psilva(a)redhat.com&gt; >>> To: "Stian Thorgersen" <stian(a)redhat.com&gt; >>> Cc: "keycloak dev" <keycloak-dev(a)lists.jboss.org&gt; >>> Sent: Friday, 9 January, 2015 4:09:51 PM >>> Subject: Re: [keycloak-dev] Device registration and verification >>> >>> ----- Original Message ----- >>>> From: "Stian Thorgersen" <stian(a)redhat.com&gt; >>>> To: "Pedro Igor Silva" <psilva(a)redhat.com&gt; >>>> Cc: "keycloak dev" <keycloak-dev(a)lists.jboss.org&gt; >>>> Sent: Friday, January 9, 2015 11:29:01 AM >>>> Subject: Re: [keycloak-dev] Device registration and verification >>>> >>>> >>>> >>>> ----- Original Message ----- >>>>> From: "Pedro Igor Silva" <psilva(a)redhat.com&gt; >>>>> To: "Stian Thorgersen" <stian(a)redhat.com&gt; >>>>> Cc: "keycloak dev" <keycloak-dev(a)lists.jboss.org&gt; >>>>> Sent: Friday, 9 January, 2015 12:44:20 PM >>>>> Subject: Re: [keycloak-dev] Device registration and verification >>>>> >>>>> ----- Original Message ----- >>>>>> From: "Stian Thorgersen" <stian(a)redhat.com&gt; >>>>>> To: "Pedro Igor Silva" <psilva(a)redhat.com&gt; >>>>>> Cc: "keycloak dev" <keycloak-dev(a)lists.jboss.org&gt; >>>>>> Sent: Friday, January 9, 2015 5:02:16 AM >>>>>> Subject: Re: [keycloak-dev] Device registration and verification >>>>>> >>>>>> Requiring email seems unnecessary and awkward to me. The normal flow >>>>>> I've >>>>>> seen (at least on Android) is that you simply login with your >>>>>> username >>>>>> and >>>>>> password on the device. You can then go into your account later and >>>>>> list >>>>>> devices that are registered. >>>>> >>>>> I was thinking more about browser-based scenarios. Mobile behaves >>>>> differently >>>>> but similary. In any case, the idea is secure user account based on the >>>>> devices he usually use to access something. If that changes, it might >>>>> be >>>>> a >>>>> threat. >>>> >>>> Sure, but what you're actually talking about here is using email as a >>>> 2nd >>>> factor authentication right? >>> >>> No. Email is not a 2nd factor authentication, but the code itself. Email >>> is >>> just how you send the code and also how you alert the user that someone >>> is >>> trying to access his account from a not recognized device. In this case, >>> the >>> code is just an "activation code" (not an authentication code), we can >>> even >>> remove the code and just provide a confirmation link, for instance. >>> >>> This is not about authenticating users, but authorization. Allowing >>> access >>> only from devices previously approved by the user. Let's say you usually >>> access your bank from your home computer. But for some reason, you need >>> temporary access from a LAN house computer. You probably don't want to >>> allow >>> access from LAN house computers later on. >>> >>>> >>>> My plan was that we'd have more ways to do 2nd factor auth (sms, email, >>>> google authenticator, yubikey, custom) and have an option on a realm to >>>> enable "trusted" devices. If the realm has trusted devices enabled then >>>> the >>>> user only has to use the 2nd factor authentication say every 30 days or >>>> so. >>> >>> What I'm proposing is another security layer, which can be used together >>> with >>> 2nd factor authentication. >> >> I see no difference, except for implementation details > > There is a difference. Usually you see this feature in bank sites. Or even > in SalesForce if you try it out. It helps providers to increase security > by allowing access only from devices authorized by the user. You can even > not use 2nd factor authentication at all. > How is this different than a "remember me" button?

Bill -- Bill Burke JBoss, a division of Red Hat http://bill.burkecentral.com _______________________________________________ keycloak-dev mailing list keycloak-dev(a)lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-dev

----- Original Message ----- > From: "Bill Burke" <bburke(a)redhat.com&gt; > To: keycloak-dev(a)lists.jboss.org > Sent: Monday, January 12, 2015 1:39:35 PM > Subject: Re: [keycloak-dev] Device registration and verification > > > > On 1/12/2015 10:06 AM, Pedro Igor Silva wrote: >> ----- Original Message ----- >>> From: "Stian Thorgersen" <stian(a)redhat.com&gt; >>> To: "Pedro Igor Silva" <psilva(a)redhat.com&gt; >>> Cc: "keycloak dev" <keycloak-dev(a)lists.jboss.org&gt; >>> Sent: Monday, January 12, 2015 5:01:35 AM >>> Subject: Re: [keycloak-dev] Device registration and verification >>> >>> >>> >>> ----- Original Message ----- >>>> From: "Pedro Igor Silva" <psilva(a)redhat.com&gt; >>>> To: "Stian Thorgersen" <stian(a)redhat.com&gt; >>>> Cc: "keycloak dev" <keycloak-dev(a)lists.jboss.org&gt; >>>> Sent: Friday, 9 January, 2015 4:09:51 PM >>>> Subject: Re: [keycloak-dev] Device registration and verification >>>> >>>> ----- Original Message ----- >>>>> From: "Stian Thorgersen" <stian(a)redhat.com&gt; >>>>> To: "Pedro Igor Silva" <psilva(a)redhat.com&gt; >>>>> Cc: "keycloak dev" <keycloak-dev(a)lists.jboss.org&gt; >>>>> Sent: Friday, January 9, 2015 11:29:01 AM >>>>> Subject: Re: [keycloak-dev] Device registration and verification >>>>> >>>>> >>>>> >>>>> ----- Original Message ----- >>>>>> From: "Pedro Igor Silva" <psilva(a)redhat.com&gt; >>>>>> To: "Stian Thorgersen" <stian(a)redhat.com&gt; >>>>>> Cc: "keycloak dev" <keycloak-dev(a)lists.jboss.org&gt; >>>>>> Sent: Friday, 9 January, 2015 12:44:20 PM >>>>>> Subject: Re: [keycloak-dev] Device registration and verification >>>>>> >>>>>> ----- Original Message ----- >>>>>>> From: "Stian Thorgersen" <stian(a)redhat.com&gt; >>>>>>> To: "Pedro Igor Silva" <psilva(a)redhat.com&gt; >>>>>>> Cc: "keycloak dev" <keycloak-dev(a)lists.jboss.org&gt; >>>>>>> Sent: Friday, January 9, 2015 5:02:16 AM >>>>>>> Subject: Re: [keycloak-dev] Device registration and verification >>>>>>> >>>>>>> Requiring email seems unnecessary and awkward to me. The normal flow >>>>>>> I've >>>>>>> seen (at least on Android) is that you simply login with your >>>>>>> username >>>>>>> and >>>>>>> password on the device. You can then go into your account later and >>>>>>> list >>>>>>> devices that are registered. >>>>>> >>>>>> I was thinking more about browser-based scenarios. Mobile behaves >>>>>> differently >>>>>> but similary. In any case, the idea is secure user account based on the >>>>>> devices he usually use to access something. If that changes, it might >>>>>> be >>>>>> a >>>>>> threat. >>>>> >>>>> Sure, but what you're actually talking about here is using email as a >>>>> 2nd >>>>> factor authentication right? >>>> >>>> No. Email is not a 2nd factor authentication, but the code itself. Email >>>> is >>>> just how you send the code and also how you alert the user that someone >>>> is >>>> trying to access his account from a not recognized device. In this case, >>>> the >>>> code is just an "activation code" (not an authentication code), we can >>>> even >>>> remove the code and just provide a confirmation link, for instance. >>>> >>>> This is not about authenticating users, but authorization. Allowing >>>> access >>>> only from devices previously approved by the user. Let's say you usually >>>> access your bank from your home computer. But for some reason, you need >>>> temporary access from a LAN house computer. You probably don't want to >>>> allow >>>> access from LAN house computers later on. >>>> >>>>> >>>>> My plan was that we'd have more ways to do 2nd factor auth (sms, email, >>>>> google authenticator, yubikey, custom) and have an option on a realm to >>>>> enable "trusted" devices. If the realm has trusted devices enabled then >>>>> the >>>>> user only has to use the 2nd factor authentication say every 30 days or >>>>> so. >>>> >>>> What I'm proposing is another security layer, which can be used together >>>> with >>>> 2nd factor authentication. >>> >>> I see no difference, except for implementation details >> >> There is a difference. Usually you see this feature in bank sites. Or even >> in SalesForce if you try it out. It helps providers to increase security >> by allowing access only from devices authorized by the user. You can even >> not use 2nd factor authentication at all. >> > > How is this different than a "remember me" button? "Remember me" will allow you to get authenticated. But if you provided only temporary access from that device, you will not be able to proceed even with "remember me" checked. However, if that device was approved for you and marked as "trusted" you will be fine. This is not about authentication, but authorization ....

From: "Pedro Igor Silva" <psilva(a)redhat.com&gt; To: "Bill Burke" <bburke(a)redhat.com&gt; Cc: keycloak-dev(a)lists.jboss.org Sent: Monday, 12 January, 2015 7:00:10 PM Subject: Re: [keycloak-dev] Device registration and verification ----- Original Message ----- > From: "Bill Burke" <bburke(a)redhat.com&gt; > To: "Pedro Igor Silva" <psilva(a)redhat.com&gt; > Cc: keycloak-dev(a)lists.jboss.org > Sent: Monday, January 12, 2015 3:32:49 PM > Subject: Re: [keycloak-dev] Device registration and verification > > > > On 1/12/2015 10:56 AM, Pedro Igor Silva wrote: > > ----- Original Message ----- > >> From: "Bill Burke" <bburke(a)redhat.com&gt; > >> To: keycloak-dev(a)lists.jboss.org > >> Sent: Monday, January 12, 2015 1:39:35 PM > >> Subject: Re: [keycloak-dev] Device registration and verification > >> > >> > >> > >> On 1/12/2015 10:06 AM, Pedro Igor Silva wrote: > >>> ----- Original Message ----- > >>>> From: "Stian Thorgersen" <stian(a)redhat.com&gt; > >>>> To: "Pedro Igor Silva" <psilva(a)redhat.com&gt; > >>>> Cc: "keycloak dev" <keycloak-dev(a)lists.jboss.org&gt; > >>>> Sent: Monday, January 12, 2015 5:01:35 AM > >>>> Subject: Re: [keycloak-dev] Device registration and verification > >>>> > >>>> > >>>> > >>>> ----- Original Message ----- > >>>>> From: "Pedro Igor Silva" <psilva(a)redhat.com&gt; > >>>>> To: "Stian Thorgersen" <stian(a)redhat.com&gt; > >>>>> Cc: "keycloak dev" <keycloak-dev(a)lists.jboss.org&gt; > >>>>> Sent: Friday, 9 January, 2015 4:09:51 PM > >>>>> Subject: Re: [keycloak-dev] Device registration and verification > >>>>> > >>>>> ----- Original Message ----- > >>>>>> From: "Stian Thorgersen" <stian(a)redhat.com&gt; > >>>>>> To: "Pedro Igor Silva" <psilva(a)redhat.com&gt; > >>>>>> Cc: "keycloak dev" <keycloak-dev(a)lists.jboss.org&gt; > >>>>>> Sent: Friday, January 9, 2015 11:29:01 AM > >>>>>> Subject: Re: [keycloak-dev] Device registration and verification > >>>>>> > >>>>>> > >>>>>> > >>>>>> ----- Original Message ----- > >>>>>>> From: "Pedro Igor Silva" <psilva(a)redhat.com&gt; > >>>>>>> To: "Stian Thorgersen" <stian(a)redhat.com&gt; > >>>>>>> Cc: "keycloak dev" <keycloak-dev(a)lists.jboss.org&gt; > >>>>>>> Sent: Friday, 9 January, 2015 12:44:20 PM > >>>>>>> Subject: Re: [keycloak-dev] Device registration and verification > >>>>>>> > >>>>>>> ----- Original Message ----- > >>>>>>>> From: "Stian Thorgersen" <stian(a)redhat.com&gt; > >>>>>>>> To: "Pedro Igor Silva" <psilva(a)redhat.com&gt; > >>>>>>>> Cc: "keycloak dev" <keycloak-dev(a)lists.jboss.org&gt; > >>>>>>>> Sent: Friday, January 9, 2015 5:02:16 AM > >>>>>>>> Subject: Re: [keycloak-dev] Device registration and verification > >>>>>>>> > >>>>>>>> Requiring email seems unnecessary and awkward to me. The normal > >>>>>>>> flow > >>>>>>>> I've > >>>>>>>> seen (at least on Android) is that you simply login with your > >>>>>>>> username > >>>>>>>> and > >>>>>>>> password on the device. You can then go into your account later > >>>>>>>> and > >>>>>>>> list > >>>>>>>> devices that are registered. > >>>>>>> > >>>>>>> I was thinking more about browser-based scenarios. Mobile behaves > >>>>>>> differently > >>>>>>> but similary. In any case, the idea is secure user account based on > >>>>>>> the > >>>>>>> devices he usually use to access something. If that changes, it > >>>>>>> might > >>>>>>> be > >>>>>>> a > >>>>>>> threat. > >>>>>> > >>>>>> Sure, but what you're actually talking about here is using email as > >>>>>> a > >>>>>> 2nd > >>>>>> factor authentication right? > >>>>> > >>>>> No. Email is not a 2nd factor authentication, but the code itself. > >>>>> Email > >>>>> is > >>>>> just how you send the code and also how you alert the user that > >>>>> someone > >>>>> is > >>>>> trying to access his account from a not recognized device. In this > >>>>> case, > >>>>> the > >>>>> code is just an "activation code" (not an authentication code), we > >>>>> can > >>>>> even > >>>>> remove the code and just provide a confirmation link, for instance. > >>>>> > >>>>> This is not about authenticating users, but authorization. Allowing > >>>>> access > >>>>> only from devices previously approved by the user. Let's say you > >>>>> usually > >>>>> access your bank from your home computer. But for some reason, you > >>>>> need > >>>>> temporary access from a LAN house computer. You probably don't want > >>>>> to > >>>>> allow > >>>>> access from LAN house computers later on. > >>>>> > >>>>>> > >>>>>> My plan was that we'd have more ways to do 2nd factor auth (sms, > >>>>>> email, > >>>>>> google authenticator, yubikey, custom) and have an option on a realm > >>>>>> to > >>>>>> enable "trusted" devices. If the realm has trusted devices enabled > >>>>>> then > >>>>>> the > >>>>>> user only has to use the 2nd factor authentication say every 30 days > >>>>>> or > >>>>>> so. > >>>>> > >>>>> What I'm proposing is another security layer, which can be used > >>>>> together > >>>>> with > >>>>> 2nd factor authentication. > >>>> > >>>> I see no difference, except for implementation details > >>> > >>> There is a difference. Usually you see this feature in bank sites. Or > >>> even > >>> in SalesForce if you try it out. It helps providers to increase > >>> security > >>> by allowing access only from devices authorized by the user. You can > >>> even > >>> not use 2nd factor authentication at all. > >>> > >> > >> How is this different than a "remember me" button? > > > > "Remember me" will allow you to get authenticated. But if you provided > > only > > temporary access from that device, you will not be able to proceed even > > with "remember me" checked. However, if that device was approved for you > > and marked as "trusted" you will be fine. > > > > This is not about authentication, but authorization .... > > > > Remember me is the same thing as authorizing your browser/machine. Yes. But you don't track the devices (or pcs), when was your last login from a device, define how long you want to "remember" that device or if you just want a single access from that computer, receive notifications from access from unauthorized devices and so forth. In a sense that is much more than just seamless authenticate (and authorize that computer) the user.

> > > > -- > Bill Burke > JBoss, a division of Red Hat > http://bill.burkecentral.com > _______________________________________________ keycloak-dev mailing list keycloak-dev(a)lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-dev

From: "Bill Burke" <bburke(a)redhat.com&gt; To: "Stian Thorgersen" <stian(a)redhat.com&gt;, "Pedro Igor Silva" <psilva(a)redhat.com&gt; Cc: keycloak-dev(a)lists.jboss.org Sent: Tuesday, 13 January, 2015 3:35:18 PM Subject: Re: [keycloak-dev] Device registration and verification On 1/12/2015 1:10 PM, Stian Thorgersen wrote: >> In a sense that is much more than just seamless authenticate (and >> authorize >> that computer) the user. > > I'm curious to see what you're proposing in a real system, but to me it > sounds like it's similar enough that a remember me and multi factor auth > mechanism would have the same level of security without complicating > things for the user. > I don't think we need any special device registration and verification for users. Any type of client registration should be done by app devs, not users. For browsers, "remember me" and a persistent cookie is good enough. For mobile and native apps, a refresh token can be stored. We should probably have per-client overrides for things like access and refresh token timeouts. We'll eventually add Client IP features so that a user doesn't have to use 2-factor auth if they are logging in from the same device from the same IP.

-- Bill Burke JBoss, a division of Red Hat http://bill.burkecentral.com

----- Original Message ----- > From: "Bill Burke" <bburke(a)redhat.com&gt; > To: "Stian Thorgersen" <stian(a)redhat.com&gt;, "Pedro Igor Silva" <psilva(a)redhat.com&gt; > Cc: keycloak-dev(a)lists.jboss.org > Sent: Tuesday, January 13, 2015 12:35:18 PM > Subject: Re: [keycloak-dev] Device registration and verification > > > > On 1/12/2015 1:10 PM, Stian Thorgersen wrote: >>> In a sense that is much more than just seamless authenticate (and >>> authorize >>> that computer) the user. >> >> I'm curious to see what you're proposing in a real system, but to me it >> sounds like it's similar enough that a remember me and multi factor auth >> mechanism would have the same level of security without complicating >> things for the user. >> > > I don't think we need any special device registration and verification > for users. Any type of client registration should be done by app devs, > not users. > > For browsers, "remember me" and a persistent cookie is good enough. For > mobile and native apps, a refresh token can be stored. We should > probably have per-client overrides for things like access and refresh > token timeouts. We'll eventually add Client IP features so that a user > doesn't have to use 2-factor auth if they are logging in from the same > device from the same IP. My proposal is all based on browsers, people using their desktops. So you can have an alias for a computer and use a cookie + IP (or even track information from the user-agent) to support the features I suggested before. If IP changed or user is using a unrecognized user-agent you notify the user. Sometimes this sucks, because your IP may change often depending on your network, but I think it is a nice feature to have.

On 1/12/2015 1:10 PM, Stian Thorgersen wrote: >> In a sense that is much more than just seamless authenticate (and authorize >> that computer) the user. > I'm curious to see what you're proposing in a real system, but to me it sounds like it's similar enough that a remember me and multi factor auth mechanism would have the same level of security without complicating things for the user. > I don't think we need any special device registration and verification for users. Any type of client registration should be done by app devs, not users. For browsers, "remember me" and a persistent cookie is good enough. For mobile and native apps, a refresh token can be stored. We should probably have per-client overrides for things like access and refresh token timeouts. We'll eventually add Client IP features so that a user doesn't have to use 2-factor auth if they are logging in from the same device from the same IP.

From: "Bill Burke" <bburke(a)redhat.com&gt; To: keycloak-dev(a)lists.jboss.org Sent: Tuesday, 13 January, 2015 4:42:07 PM Subject: Re: [keycloak-dev] Device registration and verification On 1/13/2015 10:22 AM, Stan Silvert wrote: > On 1/13/2015 9:35 AM, Bill Burke wrote: >> >> On 1/12/2015 1:10 PM, Stian Thorgersen wrote: >>>> In a sense that is much more than just seamless authenticate (and >>>> authorize >>>> that computer) the user. >>> I'm curious to see what you're proposing in a real system, but to me it >>> sounds like it's similar enough that a remember me and multi factor auth >>> mechanism would have the same level of security without complicating >>> things for the user. >>> >> I don't think we need any special device registration and verification >> for users. Any type of client registration should be done by app devs, >> not users. >> >> For browsers, "remember me" and a persistent cookie is good enough. For >> mobile and native apps, a refresh token can be stored. We should >> probably have per-client overrides for things like access and refresh >> token timeouts. We'll eventually add Client IP features so that a user >> doesn't have to use 2-factor auth if they are logging in from the same >> device from the same IP. > I can tell you what my bank does. I have the usual login/remember me > function. But if I want to access something that is more sensitive than > my basic account balance and such, I need to authorize my device. This > is done by getting the bank to send me a code via email or text. I then > enter the code in the site and I'm issued a cookie so that the device > doesn't have to go through this process again. > I would suggest the bank use OTP rather than this device registration you talk of. > So this is quite different from "remember me", which only applies to > authentication. If someone finds out my credentials they still can't > get high level authorization to my account without physical access to my > device. > This is no different than OTP. Hacker could find a user's password, but they still need the OTP device to log in. > IMO, it would be a nice feature to implement in keycloak so that app > devs don't have to. IMO, too many ways to do the same thing is not a good idea. App devs should use OTP. How you set up OTP is another separate matter. For example, World of Warcraft has OTP. The OTP generator is set up *PER DEVICE*. So if you lose your iphone, you have to call up Blizzard support and answer a bunch of personal questions before they disable OTP. The other option they have is for you to register your mobile number. So, if you lose you iphone and get another, you can disable OTP through an SMS exchange with your new iphone.

-- Bill Burke JBoss, a division of Red Hat http://bill.burkecentral.com _______________________________________________ keycloak-dev mailing list keycloak-dev(a)lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-dev