So, you need the concept of a session. Something you don't need in the
web tier, but will need in other tiers.
On 1/25/2013 11:47 AM, Anil Saldhana wrote:
Hi All,
I have been thinking about the multi-stage authentication process
that Bill has been mentioning. Basically, the discussions have been
confusing multi-mechanism authentication with multi-stage
authentication.
In multi-mechanism authentication, the framework needs to support
multiple authentication mechanisms such as Credential, X509, OTP, Custom
etc., given different entry points into the application -> browser,
mobile, REST etc.
In multi-stage authentication, the framework needs to provide hooks to
define the stages in a complex authentication process for high-risk
applications such as banking, credit etc.
Some of the stages are highlighted here:
credential -> Knowledge Based Authentication (Questions and Answers) -> Index Page
credential -> KBA -> Mobile SMS Code -> Money Transfer Page
credential -> OTP -> Index Page
credential -> Index Page -> OTP -> Money Transfer Page
Generically:
stage1 -> stage2 -> Resource
So if there is an application developer who wishes to incorporate stages
into the authentication process, he can use the IDM underneath to hold
the state of the stages, and will also need hooks for defining the
authentication type for each stage.
Thoughts?
Regards,
Anil
_______________________________________________
security-dev mailing list
security-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/security-dev
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
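The stage chains Anil sketches above, with the server-side session Bill says is needed to carry state between stages, as an added example. This is not code from the thread, nor PicketLink or JBoss code; the stage names (credential, kba, sms), the resource chains ("index", "transfer"), the MAX_AGE step-up window, the single shared salt and the in-memory USERS table with a fixed SMS code are all constructed assumptions for illustration. The point it shows beyond the diagrams: a stage may only run when it is the next unsatisfied stage for the requested resource, a completed stage is remembered in the session so that reaching a higher-risk page asks only for the missing stage (step-up), and completed stages age out so an old credential check cannot unlock a money transfer on its own.

```python
import hashlib
import hmac
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional


# Constructed stand-in for the IDM store: one user, salted PBKDF2 for the
# password and the KBA answer (one salt for both is a simplification for the
# example; real stores use a distinct random salt per secret), and the code a
# hypothetical SMS gateway would just have sent (in practice generated per
# request with a short lifetime, never stored like this).
def _pbkdf2(secret: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 100_000)


_SALT = b"constructed-salt"
USERS = {
    "alice": {
        "password": _pbkdf2("correct horse", _SALT),
        "kba": {"first pet": _pbkdf2("rex", _SALT)},
        "sms_code": "482913",
    }
}


@dataclass
class Session:
    """Server-side state that survives between stages; keyed by session id elsewhere."""
    user: Optional[str] = None
    completed: Dict[str, float] = field(default_factory=dict)  # stage -> completion time


# A stage hook receives the session and the submitted form data, returns True on success.
StageHook = Callable[[Session, dict], bool]


def credential_stage(session: Session, data: dict) -> bool:
    record = USERS.get(data.get("user", ""))
    if record is None:
        _pbkdf2(data.get("password", ""), _SALT)  # spend the same time for unknown users
        return False
    ok = hmac.compare_digest(record["password"], _pbkdf2(data.get("password", ""), _SALT))
    if ok:
        session.user = data["user"]
    return ok


def kba_stage(session: Session, data: dict) -> bool:
    expected = USERS[session.user]["kba"].get(data.get("question", ""))
    if expected is None:
        return False
    answer = data.get("answer", "").strip().lower()  # normalise before hashing
    return hmac.compare_digest(expected, _pbkdf2(answer, _SALT))


def sms_stage(session: Session, data: dict) -> bool:
    return hmac.compare_digest(USERS[session.user]["sms_code"], data.get("code", ""))


# Hooks per stage type, and the ordered chain each resource requires (from the mail).
STAGES: Dict[str, StageHook] = {"credential": credential_stage, "kba": kba_stage, "sms": sms_stage}
CHAINS = {
    "index": ["credential", "kba"],
    "transfer": ["credential", "kba", "sms"],
}
MAX_AGE = 300.0  # seconds a completed stage stays valid (assumed policy)


def next_stage(session: Session, resource: str, now: Optional[float] = None) -> Optional[str]:
    """First stage in the resource's chain the session has not satisfied, or None."""
    now = time.time() if now is None else now
    for stage in CHAINS[resource]:
        done_at = session.completed.get(stage)
        if done_at is None or now - done_at > MAX_AGE:
            return stage
    return None


def run_stage(session: Session, resource: str, stage: str, data: dict,
              now: Optional[float] = None) -> bool:
    """Run `stage` only if it is the next required one for `resource`; enforces ordering."""
    now = time.time() if now is None else now
    if next_stage(session, resource, now) != stage:
        return False  # out of order (e.g. OTP before credential) or already satisfied
    if not STAGES[stage](session, data):
        return False  # failed stage: session does not advance
    session.completed[stage] = now
    return True


def can_access(session: Session, resource: str, now: Optional[float] = None) -> bool:
    return session.user is not None and next_stage(session, resource, now) is None
```

Usage: call `next_stage(session, "transfer")` to learn what to prompt for, feed the submitted data to `run_stage`, and gate the page on `can_access`. The example deliberately leaves out per-stage attempt limits and lockout, which a real implementation needs in front of the KBA and SMS hooks.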