Re: [security-dev] managing OTP

On 8/12/2013 6:19 AM, Pedro Igor Silva wrote: > ----- Original Message ----- >> From: "Bill Burke" <bburke(a)redhat.com&gt; >> To: security-dev(a)lists.jboss.org >> Sent: Sunday, August 11, 2013 8:58:27 AM >> Subject: [security-dev] managing OTP >> >> There's a few issues with managing credentials. The first is, there is >> no way to remove a credential. This is essential to TOTP as you may end >> up with a lost or obsolete device. >> >> https://issues.jboss.org/browse/PLINK-236 >> > I missed that too and have discussed that with Shane a long time ago. The idea is to have a history of all account's credentials. > The reason for this is? > If a devices becomes obsolete, you just set expiration date. > Its not just TOTP, same with password. Every time a user has a lost password two new obsolete ones are added to the database: temporary one, then a password change. Maybe not such a big deal with a few users, but when you get to tens, hundreds of thousands of users, won't this kind of be a problem?

>> THe 2nd is that for TOTP, you will want to check every device on a >> credential validation rather than just one: >> >> https://issues.jboss.org/browse/PLINK-237 >> >> Our own VPN allows me to set up multiple tokens. I have one on my >> iphone and ipad just in case I lose one or the other. OUr VPN allows me >> to use either to login in. >> > Is not a valid option you iterate over user's devices and try each one ? > Sure, this is why this is an enhancement.