Re: [security-dev] managing OTP
----- Original Message -----
From: "Anil Saldhana" <Anil.Saldhana(a)redhat.com>
To: security-dev(a)lists.jboss.org
Sent: Monday, August 12, 2013 10:23:07 AM
Subject: Re: [security-dev] managing OTP
On 08/12/2013 08:20 AM, Bill Burke wrote:
>
> On 8/12/2013 6:19 AM, Pedro Igor Silva wrote:
>> ----- Original Message -----
>>> From: "Bill Burke" <bburke(a)redhat.com>
>>> To: security-dev(a)lists.jboss.org
>>> Sent: Sunday, August 11, 2013 8:58:27 AM
>>> Subject: [security-dev] managing OTP
>>>
>>> There's a few issues with managing credentials. The first is, there is
>>> no way to remove a credential. This is essential to TOTP as you may end
>>> up with a lost or obsolete device.
>>>
>>> https://issues.jboss.org/browse/PLINK-236
>>>
>> I missed that too and have discussed that with Shane a long time ago. The
>> idea is to have a history of all account's credentials.
>>
> The reason for this is?
>
>> If a devices becomes obsolete, you just set expiration date.
>>
> Its not just TOTP, same with password. Every time a user has a lost
> password two new obsolete ones are added to the database: temporary
> one, then a password change. Maybe not such a big deal with a few
> users, but when you get to tens, hundreds of thousands of users, won't
> this kind of be a problem?
There will be thousands of users for PicketLink IDM. As Bolek can
attest, PL 1.x IDM had that usage.
Pedro, lets review this password/credential issue.
Let's do this.
>>> THe 2nd is that for TOTP, you will want to check every
device on a
>>> credential validation rather than just one:
>>>
>>> https://issues.jboss.org/browse/PLINK-237
>>>
>>> Our own VPN allows me to set up multiple tokens. I have one on my
>>> iphone and ipad just in case I lose one or the other. OUr VPN allows me
>>> to use either to login in.
>>>
>> Is not a valid option you iterate over user's devices and try each one ?
>>
> Sure, this is why this is an enhancement.
>
_______________________________________________
security-dev mailing list
security-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/security-dev