[keycloak-dev] credential management

Bill Burke bburke at redhat.com
Tue Aug 13 09:10:25 EDT 2013



On 8/13/2013 8:42 AM, Stian Thorgersen wrote:
>
>
> ----- Original Message -----
>> From: "Bill Burke" <bburke at redhat.com>
>> To: "Stian Thorgersen" <stian at redhat.com>
>> Cc: keycloak-dev at lists.jboss.org
>> Sent: Tuesday, 13 August, 2013 1:12:52 PM
>> Subject: Re: [keycloak-dev] credential management
>>
>>
>>
>> On 8/13/2013 7:36 AM, Stian Thorgersen wrote:
>>> I like the idea of never allowing admins to see passwords. Temporary
>>> passwords are not very nice. It would require always having a
>>> verified means to communicate with the user though (email, SMS, others?).
>>>
>>
>> How can you implement forgot credentials then without a verified means
>> to communicate with the user?  (email, sms, *AND* voice).
>
> I think it's an acceptable requirement that users provide some verified means of communicating with them. In the event that a user has lost access to whatever that was (for example they've changed ISPs and lost their ISP-provided email), the user would have to call or contact support to have them change the associated contact mechanism (which would require them to answer some horrible security questions).
>
>>
>> I wonder how admins feel about the "Security Questions" (i.e. mother's
>> maiden name). Then there would be no need to send an email.
>
> I think recovering an account without access to whatever verified contact details they provided when creating the account should only be possible by manually contacting support. For example, there aren't many colours in the world, so brute-forcing that would be incredibly simple.
>

So I guess a lost token generator or client certificate should require 
manually contacting support.  In this case, what should the admin UI 
look like for this?  We want to avoid the admin seeing any credential, 
even a temporary one.  So the system will have some protection against 
an evil admin.

So, the admin would put the user account in a state of "credential 
reset".  A temporary password would be generated behind the scenes and 
an email or SMS sent to the user with the temporary password.  The user 
would use this temporary password to login and the next screen would 
require them to reset/re-install/re-configure their new credentials. 
Does that sound good?


-- 
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
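The "credential reset" flow proposed above, as an added illustration that is not Keycloak code and not from either author: the admin action only flips the account into a reset state, the temporary password is generated server-side and handed to a delivery hook for the user's verified contact (the admin never gets it back), the temporary password is single-use and time-limited, and the first successful login forces a credential update. All names, the PBKDF2 parameters and the 15-minute lifetime are assumptions.

```python
import hashlib, hmac, os, secrets
from dataclasses import dataclass, field
from typing import Callable, Optional

# Hypothetical account record; field names are assumptions, not Keycloak's model.
@dataclass
class Account:
    username: str
    salt: bytes = field(default_factory=lambda: os.urandom(16))
    password_hash: Optional[bytes] = None     # None: no usable long-term credential
    required_actions: set = field(default_factory=set)
    temp_reset: Optional[dict] = None         # {"hash", "salt", "expires"}

def _hash(secret: str, salt: bytes) -> bytes:
    # Assumed KDF settings; any slow, salted password hash would do.
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 100_000)

def start_credential_reset(acct: Account, deliver: Callable[[str, str], None],
                           now: int, ttl: int = 900) -> None:
    # Admin action: disable the old credential and issue a temporary one.
    temp = secrets.token_urlsafe(12)              # never stored in the clear
    salt = os.urandom(16)
    acct.temp_reset = {"hash": _hash(temp, salt), "salt": salt, "expires": now + ttl}
    acct.password_hash = None                     # old password stops working
    acct.required_actions.add("UPDATE_CREDENTIALS")
    deliver(acct.username, temp)                  # verified email/SMS only
    return None                                   # admin UI never sees `temp`

def login(acct: Account, password: str, now: int) -> str:
    tr = acct.temp_reset
    if tr is not None:
        if now > tr["expires"]:
            return "expired"
        if hmac.compare_digest(_hash(password, tr["salt"]), tr["hash"]):
            acct.temp_reset = None                # single use
            return "update_credentials_required"
        return "denied"
    if acct.password_hash is None:
        return "denied"
    if hmac.compare_digest(_hash(password, acct.salt), acct.password_hash):
        return "update_credentials_required" if acct.required_actions else "ok"
    return "denied"

def set_new_credentials(acct: Account, new_password: str) -> None:
    # The "next screen": user installs a fresh credential, clearing the required action.
    acct.salt = os.urandom(16)
    acct.password_hash = _hash(new_password, acct.salt)
    acct.required_actions.discard("UPDATE_CREDENTIALS")
```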

