[keycloak-dev] Features whishlist
Adrian Mitev
adrian.mitev at gmail.com
Thu Mar 20 09:47:22 EDT 2014
On Thu, Mar 20, 2014 at 3:22 PM, Bill Burke <bburke at redhat.com> wrote:
>
>
> On 3/20/2014 6:47 AM, Adrian Mitev wrote:
> > Hi guys! I'm very interested in Keycloak and would like to share with
> > you some ideas that come from user requirements I currently have or had
> > in the past that you may find useful to add in Keycloak.
> > * Automatically revoke access to user account after a (configurable)
> > number of invalid sign-on passwords until the system administrator has
> > unlocked the account or automatically after an administrator-defined
> > interval - I know that with such feature an attacker could lock user
> > accounts by simply knowing usernames/emails. However I have a case of an
> > Intranet application that is accessible only inside the company and
> > could trace such attackers by their ip addresses.
>
> Working on Brute force detection now. First iteration will increasingly
> add a "not before" time on successive login failures. Second iteration
> will include IP address options.
>
> > * Record and report (i.e. email sending) on failed login attempts
> outlining
> > * Force password changes at regular (configurable) intervals or
> > * Automatically reset the password and send a new one to the user via
> email
> > * Can ensure that the new password has not been used before in a number
> > (configurable) of password changes
> > * Login using digital signature in a smart card or p12 file
>
> This something different than OTP?
>
A customer company has a policy that a password for user account should be
changed every week. This counts for special type of users that access more
sensitive information.
>
> > * Security questions for password recovery
> >
> > Other that I found as issues in other Identity Providers
> > * Support many accounts (~10K) within a reasonable amount of time
> > * When providing an authentication client (maven dependency) add only
> > the needed set of dependencies. I know this sounds silly but I have
> > experience with a client library provided by the Identity Provider that
> > had a compile dependency to apache ant...
> >
>
> So far our adapters are installed once onto the app server.
>
> --
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-dev/attachments/20140320/205711f0/attachment.html
More information about the keycloak-dev
mailing list