[keycloak-dev] Device registration and verification

Pedro Igor Silva psilva at redhat.com
Mon Jan 12 10:06:23 EST 2015


----- Original Message -----
> From: "Stian Thorgersen" <stian at redhat.com>
> To: "Pedro Igor Silva" <psilva at redhat.com>
> Cc: "keycloak dev" <keycloak-dev at lists.jboss.org>
> Sent: Monday, January 12, 2015 5:01:35 AM
> Subject: Re: [keycloak-dev] Device registration and verification
> 
> 
> 
> ----- Original Message -----
> > From: "Pedro Igor Silva" <psilva at redhat.com>
> > To: "Stian Thorgersen" <stian at redhat.com>
> > Cc: "keycloak dev" <keycloak-dev at lists.jboss.org>
> > Sent: Friday, 9 January, 2015 4:09:51 PM
> > Subject: Re: [keycloak-dev] Device registration and verification
> > 
> > ----- Original Message -----
> > > From: "Stian Thorgersen" <stian at redhat.com>
> > > To: "Pedro Igor Silva" <psilva at redhat.com>
> > > Cc: "keycloak dev" <keycloak-dev at lists.jboss.org>
> > > Sent: Friday, January 9, 2015 11:29:01 AM
> > > Subject: Re: [keycloak-dev] Device registration and verification
> > > 
> > > 
> > > 
> > > ----- Original Message -----
> > > > From: "Pedro Igor Silva" <psilva at redhat.com>
> > > > To: "Stian Thorgersen" <stian at redhat.com>
> > > > Cc: "keycloak dev" <keycloak-dev at lists.jboss.org>
> > > > Sent: Friday, 9 January, 2015 12:44:20 PM
> > > > Subject: Re: [keycloak-dev] Device registration and verification
> > > > 
> > > > ----- Original Message -----
> > > > > From: "Stian Thorgersen" <stian at redhat.com>
> > > > > To: "Pedro Igor Silva" <psilva at redhat.com>
> > > > > Cc: "keycloak dev" <keycloak-dev at lists.jboss.org>
> > > > > Sent: Friday, January 9, 2015 5:02:16 AM
> > > > > Subject: Re: [keycloak-dev] Device registration and verification
> > > > > 
> > > > > Requiring email seems unnecessary and awkward to me. The normal flow I've
> > > > > seen (at least on Android) is that you simply login with your username and
> > > > > password on the device. You can then go into your account later and list
> > > > > devices that are registered.
> > > > 
> > > > I was thinking more about browser-based scenarios. Mobile behaves differently
> > > > but similarly. In any case, the idea is to secure the user account based on
> > > > the devices he usually uses to access something. If that changes, it might be
> > > > a threat.
> > > 
> > > Sure, but what you're actually talking about here is using email as a 2nd
> > > factor authentication right?
> > 
> > No. Email is not a 2nd factor authentication, but the code itself. Email is
> > just how you send the code and also how you alert the user that someone is
> > trying to access his account from an unrecognized device. In this case, the
> > code is just an "activation code" (not an authentication code); we can even
> > remove the code and just provide a confirmation link, for instance.
> > 
> > This is not about authenticating users, but authorization. Allowing access
> > only from devices previously approved by the user. Let's say you usually
> > access your bank from your home computer. But for some reason, you need
> > temporary access from a LAN house computer. You probably don't want to allow
> > access from LAN house computers later on.
> > 
> > > 
> > > My plan was that we'd have more ways to do 2nd factor auth (sms, email,
> > > google authenticator, yubikey, custom) and have an option on a realm to
> > > enable "trusted" devices. If the realm has trusted devices enabled then the
> > > user only has to use the 2nd factor authentication say every 30 days or so.
> > 
> > What I'm proposing is another security layer, which can be used together with
> > 2nd factor authentication.
> 
> I see no difference, except for implementation details

There is a difference. Usually you see this feature in bank sites. Or even in SalesForce if you try it out. It helps providers to increase security by allowing access only from devices authorized by the user. You can even not use 2nd factor authentication at all.

> 
> > 
> > > 
> > > > 
> > > > > 
> > > > > IMO we need to have a bigger discussion on how mobile and devices which
> > > > > includes the AeroGear guys.
> > > > > 
> > > > > ----- Original Message -----
> > > > > > From: "Pedro Igor Silva" <psilva at redhat.com>
> > > > > > To: "keycloak dev" <keycloak-dev at lists.jboss.org>
> > > > > > Sent: Friday, 9 January, 2015 12:09:47 AM
> > > > > > Subject: [keycloak-dev] Device registration and verification
> > > > > > 
> > > > > > Hi,
> > > > > > 
> > > > > >    I was wondering if we can support device registration and
> > > > > >    verification during login as follows:
> > > > > > 
> > > > > >        1) Users can enable/disable behavior in admin console for a
> > > > > >        specific realm.
> > > > > >        2) After a successful login, KC checks if the user's device is
> > > > > >        known. For instance, Browser and Operating System.
> > > > > >        3) If not recognized, KC shows a page asking user if he wants
> > > > > >        to enable the device.
> > > > > >        4) KC sends an email to user with a code.
> > > > > >        5) When trying to login again, user must provide the code to
> > > > > >        register the new device and get authenticated.
> > > > > >        6) From now on, users can authenticate without asking for
> > > > > >        permission if using the same device.
> > > > > > 
> > > > > >    Any thoughts?
> > > > > > 
> > > > > > Regards.
> > > > > > Pedro Igor
> > > > > > _______________________________________________
> > > > > > keycloak-dev mailing list
> > > > > > keycloak-dev at lists.jboss.org
> > > > > > https://lists.jboss.org/mailman/listinfo/keycloak-dev
> > > > > > 

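The six-step flow proposed at the start of this thread (check the device after login, email an activation code, register the device once the code is entered), modelled as an added standalone example; this is not Keycloak code and none of the names below exist in Keycloak. It assumes a coarse browser+OS fingerprint as the thread suggests, a 15-minute code lifetime, and in-memory storage; only a hash of the emailed code is kept server-side, and the comparison is constant-time.

```python
import hashlib
import hmac
import secrets
import time

CODE_TTL_SECONDS = 15 * 60  # assumed lifetime of an emailed activation code


def device_fingerprint(browser: str, os_name: str) -> str:
    """Step 2: device identity as proposed in the thread (browser + OS).
    Note this is coarse: two machines with the same browser/OS collide."""
    return hashlib.sha256(f"{browser}|{os_name}".encode()).hexdigest()


class DeviceRegistry:
    """Approved devices per user plus pending email activation codes (in memory)."""

    def __init__(self, now=time.time):
        self._now = now          # injectable clock, so expiry can be tested
        self._approved = {}      # username -> set of fingerprints
        self._pending = {}       # (username, fingerprint) -> (code_hash, expires_at)

    def is_known(self, user: str, fp: str) -> bool:
        return fp in self._approved.get(user, set())

    def start_activation(self, user: str, fp: str) -> str:
        """Step 4: mint the code to email; only its hash is stored."""
        code = f"{secrets.randbelow(10**6):06d}"
        code_hash = hashlib.sha256(code.encode()).hexdigest()
        self._pending[(user, fp)] = (code_hash, self._now() + CODE_TTL_SECONDS)
        return code  # handed to the mailer, never logged

    def complete_activation(self, user: str, fp: str, code: str) -> bool:
        """Step 5: approve the device if the code matches and has not expired."""
        entry = self._pending.get((user, fp))
        if entry is None:
            return False
        code_hash, expires_at = entry
        if self._now() > expires_at:
            del self._pending[(user, fp)]    # expired codes are discarded
            return False
        submitted = hashlib.sha256(code.encode()).hexdigest()
        if not hmac.compare_digest(code_hash, submitted):
            return False
        del self._pending[(user, fp)]        # single use
        self._approved.setdefault(user, set()).add(fp)
        return True


def post_login_check(registry: DeviceRegistry, user: str, browser: str, os_name: str):
    """Steps 2/3/6: 'allow' for a known device, else 'needs_activation'."""
    fp = device_fingerprint(browser, os_name)
    return ("allow" if registry.is_known(user, fp) else "needs_activation"), fp
```

The wrong-code branch leaves the pending entry in place so the user can retry; a real deployment would also cap attempts per pending code.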
