On 08/12/2013 08:38 AM, Pedro Igor Silva wrote:
----- Original Message -----
> From: "Anil Saldhana" <Anil.Saldhana(a)redhat.com>
> To: security-dev(a)lists.jboss.org
> Sent: Monday, August 12, 2013 10:23:07 AM
> Subject: Re: [security-dev] managing OTP
>
> On 08/12/2013 08:20 AM, Bill Burke wrote:
>> On 8/12/2013 6:19 AM, Pedro Igor Silva wrote:
>>> ----- Original Message -----
>>>> From: "Bill Burke" <bburke(a)redhat.com>
>>>> To: security-dev(a)lists.jboss.org
>>>> Sent: Sunday, August 11, 2013 8:58:27 AM
>>>> Subject: [security-dev] managing OTP
>>>>
>>>> There are a few issues with managing credentials. The first is, there is
>>>> no way to remove a credential. This is essential to TOTP as you may end
>>>> up with a lost or obsolete device.
>>>>
>>>>
>>>> https://issues.jboss.org/browse/PLINK-236
>>>>
>>> I missed that too and discussed that with Shane a long time ago. The
>>> idea is to have a history of all the account's credentials.
>>>
>> The reason for this is?
>>
>>> If a device becomes obsolete, you just set an expiration date.
>>>
>> It's not just TOTP, same with passwords. Every time a user has a lost
>> password, two new obsolete ones are added to the database: a temporary
>> one, then a password change. Maybe not such a big deal with a few
>> users, but when you get to tens, hundreds of thousands of users, won't
>> this kind of be a problem?
> There will be thousands of users for PicketLink IDM. As Bolek can
> attest, PL 1.x IDM had that usage.
> Pedro, let's review this password/credential issue.
>
Let's do this.
During the discussion this morning, we thought of the following:
a configurable history of passwords (0, 1, 10, 20, up to all).
>>>> The 2nd is that for TOTP, you will want to check every device on a
>>>> credential validation rather than just one:
>>>>
>>>>
>>>> https://issues.jboss.org/browse/PLINK-237
>>>>
>>>> Our own VPN allows me to set up multiple tokens. I have one on my
>>>> iPhone and iPad just in case I lose one or the other. Our VPN allows me
>>>> to use either to log in.
>>>>
>>> Isn't it a valid option to iterate over the user's devices and try each one?
>>>
>> Sure, this is why this is an enhancement.
>>
>>
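The two behaviours discussed in this thread, trying every registered TOTP device on validation while skipping devices retired by an expiration date (PLINK-236/237), plus a configurable password-history check (0, 1, 10, 20 or all), as an added illustration in Python that is not PicketLink's own code. The TOTP/HOTP functions follow RFC 6238/4226; the `TotpDevice` type, function names and the constructed secrets are assumptions for this example.

```python
import hmac
import hashlib
import struct
import time
from dataclasses import dataclass
from typing import Optional

STEP = 30  # RFC 6238 time step in seconds


@dataclass
class TotpDevice:  # hypothetical type, not a PicketLink class
    name: str
    secret: bytes                        # raw shared secret provisioned to the device
    expires_at: Optional[float] = None   # set this to retire a lost or obsolete device


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: float) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(secret, int(at // STEP))


def validate_any_device(devices, code, at=None, window=1):
    """Return the name of the device whose code matched, or None.
    Every non-expired device is tried, not just the first one, and a device
    whose expires_at has passed is skipped as if it had been removed."""
    at = time.time() if at is None else at
    for dev in devices:
        if dev.expires_at is not None and at >= dev.expires_at:
            continue
        for drift in range(-window, window + 1):  # tolerate +/- one step of clock skew
            if hmac.compare_digest(totp(dev.secret, at + drift * STEP), code):
                return dev.name
    return None


def password_allowed(old_hashes, candidate_hash, keep):
    """Reject reuse of any of the last `keep` password hashes
    (0 = no history kept, None = keep all), the 0/1/10/20/all options above."""
    if keep == 0:
        retained = []
    elif keep is None:
        retained = old_hashes
    else:
        retained = old_hashes[-keep:]
    return not any(hmac.compare_digest(h, candidate_hash) for h in retained)
```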