Re: [security-dev] managing OTP
----- Original Message -----
From: "Bill Burke" <bburke(a)redhat.com>
To: security-dev(a)lists.jboss.org
Sent: Sunday, August 11, 2013 8:58:27 AM
Subject: [security-dev] managing OTP
There's a few issues with managing credentials. The first is, there is
no way to remove a credential. This is essential to TOTP as you may end
up with a lost or obsolete device.
https://issues.jboss.org/browse/PLINK-236
I missed that too and have discussed that with Shane a long time ago. The idea is to have
a history of all account's credentials.
If a devices becomes obsolete, you just set expiration date.
THe 2nd is that for TOTP, you will want to check every device on a
credential validation rather than just one:
https://issues.jboss.org/browse/PLINK-237
Our own VPN allows me to set up multiple tokens. I have one on my
iphone and ipad just in case I lose one or the other. OUr VPN allows me
to use either to login in.
Is not a valid option you iterate over user's devices and try each one ?
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
_______________________________________________
security-dev mailing list
security-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/security-dev