On 8/12/2013 6:19 AM, Pedro Igor Silva wrote:
----- Original Message -----
> From: "Bill Burke" <bburke(a)redhat.com>
> To: security-dev(a)lists.jboss.org
> Sent: Sunday, August 11, 2013 8:58:27 AM
> Subject: [security-dev] managing OTP
>
> There's a few issues with managing credentials. The first is, there is
> no way to remove a credential. This is essential to TOTP as you may end
> up with a lost or obsolete device.
>
>
> https://issues.jboss.org/browse/PLINK-236
>
I missed that too and discussed it with Shane a long time ago. The idea is to have
a history of all of the account's credentials.
The reason for this is?
If a device becomes obsolete, you just set the expiration date.
It's not just TOTP, same with password. Every time a user has a lost
password two new obsolete ones are added to the database: temporary
one, then a password change. Maybe not such a big deal with a few
users, but when you get to tens, hundreds of thousands of users, won't
this kind of be a problem?
> The 2nd is that for TOTP, you will want to check every device on a
> credential validation rather than just one:
>
>
> https://issues.jboss.org/browse/PLINK-237
>
> Our own VPN allows me to set up multiple tokens. I have one on my
> iphone and ipad just in case I lose one or the other. Our VPN allows me
> to use either to log in.
>
Isn't it a valid option to iterate over the user's devices and try each one?
Sure, this is why this is an enhancement.
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
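The two points under discussion, an expiration date on a lost or obsolete device (PLINK-236) and trying every registered device on validation (PLINK-237), as an added Python illustration that is not PicketLink code: the `TotpDevice` model, `expires_at` field and `validate_any_device` function are assumptions; the TOTP itself follows RFC 6238 with HMAC-SHA1.

```python
import hmac
import hashlib
import struct
from dataclasses import dataclass
from typing import Iterable, Optional


@dataclass
class TotpDevice:
    """One registered TOTP device (hypothetical model, not PicketLink's)."""
    name: str
    secret: bytes
    expires_at: Optional[int] = None  # epoch seconds; None means still active

    def is_active(self, now: int) -> bool:
        # An obsolete device is expired, not deleted, so history is kept.
        return self.expires_at is None or now < self.expires_at


def totp(secret: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP (RFC 4226, HMAC-SHA1) over the time-step counter."""
    counter = struct.pack(">Q", now // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def validate_any_device(devices: Iterable[TotpDevice], code: str, now: int,
                        window: int = 1, step: int = 30) -> Optional[str]:
    """Return the name of the first non-expired device whose current TOTP
    matches `code`, tolerating +/- `window` time steps of clock drift.
    Returns None when no active device matches."""
    for dev in devices:
        if not dev.is_active(now):
            continue                               # skip lost/obsolete devices
        for drift in range(-window, window + 1):
            candidate = totp(dev.secret, now + drift * step, step=step)
            if hmac.compare_digest(candidate, code):   # constant-time compare
                return dev.name
    return None


# Constructed sample: RFC 6238 test secret, the iPad token already expired.
SECRET = b"12345678901234567890"
DEVICES = [
    TotpDevice("ipad", SECRET, expires_at=50),
    TotpDevice("iphone", SECRET),
]
```

With the sample above, a code valid for the shared secret is accepted through the iPhone entry only; the expired iPad entry is skipped even though its secret would have matched.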