[keycloak-dev] Device registration and verification

Pedro Igor Silva psilva at redhat.com
Mon Jan 12 11:04:15 EST 2015


----- Original Message -----
> From: "Pedro Igor Silva" <psilva at redhat.com>
> To: "Bill Burke" <bburke at redhat.com>
> Cc: keycloak-dev at lists.jboss.org
> Sent: Monday, January 12, 2015 1:56:49 PM
> Subject: Re: [keycloak-dev] Device registration and verification
> 
> ----- Original Message -----
> > From: "Bill Burke" <bburke at redhat.com>
> > To: keycloak-dev at lists.jboss.org
> > Sent: Monday, January 12, 2015 1:39:35 PM
> > Subject: Re: [keycloak-dev] Device registration and verification
> > 
> > 
> > 
> > On 1/12/2015 10:06 AM, Pedro Igor Silva wrote:
> > > ----- Original Message -----
> > >> From: "Stian Thorgersen" <stian at redhat.com>
> > >> To: "Pedro Igor Silva" <psilva at redhat.com>
> > >> Cc: "keycloak dev" <keycloak-dev at lists.jboss.org>
> > >> Sent: Monday, January 12, 2015 5:01:35 AM
> > >> Subject: Re: [keycloak-dev] Device registration and verification
> > >>
> > >>
> > >>
> > >> ----- Original Message -----
> > >>> From: "Pedro Igor Silva" <psilva at redhat.com>
> > >>> To: "Stian Thorgersen" <stian at redhat.com>
> > >>> Cc: "keycloak dev" <keycloak-dev at lists.jboss.org>
> > >>> Sent: Friday, 9 January, 2015 4:09:51 PM
> > >>> Subject: Re: [keycloak-dev] Device registration and verification
> > >>>
> > >>> ----- Original Message -----
> > >>>> From: "Stian Thorgersen" <stian at redhat.com>
> > >>>> To: "Pedro Igor Silva" <psilva at redhat.com>
> > >>>> Cc: "keycloak dev" <keycloak-dev at lists.jboss.org>
> > >>>> Sent: Friday, January 9, 2015 11:29:01 AM
> > >>>> Subject: Re: [keycloak-dev] Device registration and verification
> > >>>>
> > >>>>
> > >>>>
> > >>>> ----- Original Message -----
> > >>>>> From: "Pedro Igor Silva" <psilva at redhat.com>
> > >>>>> To: "Stian Thorgersen" <stian at redhat.com>
> > >>>>> Cc: "keycloak dev" <keycloak-dev at lists.jboss.org>
> > >>>>> Sent: Friday, 9 January, 2015 12:44:20 PM
> > >>>>> Subject: Re: [keycloak-dev] Device registration and verification
> > >>>>>
> > >>>>> ----- Original Message -----
> > >>>>>> From: "Stian Thorgersen" <stian at redhat.com>
> > >>>>>> To: "Pedro Igor Silva" <psilva at redhat.com>
> > >>>>>> Cc: "keycloak dev" <keycloak-dev at lists.jboss.org>
> > >>>>>> Sent: Friday, January 9, 2015 5:02:16 AM
> > >>>>>> Subject: Re: [keycloak-dev] Device registration and verification
> > >>>>>>
> > >>>>>> Requiring email seems unnecessary and awkward to me. The normal flow I've
> > >>>>>> seen (at least on Android) is that you simply login with your username
> > >>>>>> and password on the device. You can then go into your account later and
> > >>>>>> list devices that are registered.
> > >>>>>
> > >>>>> I was thinking more about browser-based scenarios. Mobile behaves
> > >>>>> differently but similarly. In any case, the idea is to secure a user
> > >>>>> account based on the devices he usually uses to access something. If
> > >>>>> that changes, it might be a threat.
> > >>>>
> > >>>> Sure, but what you're actually talking about here is using email as a
> > >>>> 2nd factor authentication, right?
> > >>>
> > >>> No. Email is not a 2nd factor authentication, but the code itself. Email
> > >>> is just how you send the code and also how you alert the user that someone
> > >>> is trying to access his account from an unrecognized device. In this
> > >>> case, the code is just an "activation code" (not an authentication code);
> > >>> we can even remove the code and just provide a confirmation link, for
> > >>> instance.
> > >>>
> > >>> This is not about authenticating users, but authorization: allowing
> > >>> access only from devices previously approved by the user. Let's say you
> > >>> usually access your bank from your home computer. But for some reason, you
> > >>> need temporary access from a LAN house computer. You probably don't want
> > >>> to allow access from LAN house computers later on.
> > >>>
> > >>>>
> > >>>> My plan was that we'd have more ways to do 2nd factor auth (sms, email,
> > >>>> google authenticator, yubikey, custom) and have an option on a realm to
> > >>>> enable "trusted" devices. If the realm has trusted devices enabled then
> > >>>> the user only has to use the 2nd factor authentication say every 30 days
> > >>>> or so.
> > >>>
> > >>> What I'm proposing is another security layer, which can be used together
> > >>> with 2nd factor authentication.
> > >>
> > >> I see no difference, except for implementation details.
> > >
> > > There is a difference. Usually you see this feature in bank sites, or even
> > > in SalesForce if you try it out. It helps providers to increase security
> > > by allowing access only from devices authorized by the user. You can even
> > > not use 2nd factor authentication at all.
> > >
> > 
> > How is this different than a "remember me" button?
> 
> "Remember me" will allow you to get authenticated. But if you provided only
> temporary access from that device, you will not be able to proceed even with
> "remember me" checked. However, if that device was approved for you and
> marked as "trusted" you will be fine.
> 
> This is not about authentication, but authorization ....

Which can also be combined with IP-based restrictions.

> 
> > 
> > Bill
> > 
> > --
> > Bill Burke
> > JBoss, a division of Red Hat
> > http://bill.burkecentral.com
> > _______________________________________________
> > keycloak-dev mailing list
> > keycloak-dev at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-dev
> > 
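The trusted-device layer proposed in this thread (an authorization step that runs after login, with unknown devices needing an emailed activation code, "temporary" approvals that lapse, "trusted" approvals that persist, and an optional IP-based restriction on top) sketched as a small, self-contained policy. This is an added illustration, not Keycloak code and not anything from the thread's authors; the `DeviceAuthorizer` class, the device fingerprint string, the injected clock, and the `outbox` list standing in for the email sender are all assumptions made for the example.

```python
import hashlib
import hmac
import ipaddress
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum
from typing import Optional


class Trust(Enum):
    PENDING = "pending"      # activation code sent, device not yet approved by the user
    TEMPORARY = "temporary"  # approved once; access lapses at expires_at
    TRUSTED = "trusted"      # approved permanently; like the thread's "trusted" device


@dataclass
class DeviceRecord:
    trust: Trust
    expires_at: Optional[datetime] = None
    code_hash: Optional[str] = None  # SHA-256 of the activation code; only the hash is stored


def _hash_code(code: str) -> str:
    return hashlib.sha256(code.encode()).hexdigest()


class DeviceAuthorizer:
    """Hypothetical authorization layer; it runs after the password (and any 2nd factor) succeeded.

    Verdicts: "allow", "activation_required" (user must confirm via the emailed code),
    or "denied" (client IP outside the allowed networks).
    """

    def __init__(self, now: datetime, allowed_networks=()):
        self.now = now                       # injected clock so expiry is testable offline
        self.devices = {}                    # (username, fingerprint) -> DeviceRecord
        self.allowed_networks = [ipaddress.ip_network(n) for n in allowed_networks]
        self.outbox = []                     # constructed stand-in for the email sender: (username, code)

    def _send_activation(self, username: str, fingerprint: str) -> None:
        code = secrets.token_hex(4)          # single-use, random activation code
        self.devices[(username, fingerprint)] = DeviceRecord(Trust.PENDING, code_hash=_hash_code(code))
        self.outbox.append((username, code))  # a real system emails an alert with the code or a link

    def authorize(self, username: str, fingerprint: str, client_ip: str) -> str:
        # IP-based restriction layered on top of device trust, as the last reply suggests
        if self.allowed_networks and not any(
            ipaddress.ip_address(client_ip) in net for net in self.allowed_networks
        ):
            return "denied"
        rec = self.devices.get((username, fingerprint))
        if rec is None:
            self._send_activation(username, fingerprint)   # first sight of this device: alert + code
            return "activation_required"
        if rec.trust is Trust.PENDING:
            return "activation_required"
        if rec.trust is Trust.TEMPORARY and rec.expires_at <= self.now:
            self._send_activation(username, fingerprint)   # temporary approval lapsed: ask again
            return "activation_required"
        return "allow"

    def activate(self, username: str, fingerprint: str, code: str, trusted: bool,
                 ttl: timedelta = timedelta(hours=8)) -> bool:
        """Consume the emailed code; the user decides whether the device is trusted or temporary."""
        rec = self.devices.get((username, fingerprint))
        if rec is None or rec.trust is not Trust.PENDING or rec.code_hash is None:
            return False
        if not hmac.compare_digest(rec.code_hash, _hash_code(code)):
            return False
        if trusted:
            self.devices[(username, fingerprint)] = DeviceRecord(Trust.TRUSTED)
        else:
            self.devices[(username, fingerprint)] = DeviceRecord(Trust.TEMPORARY, expires_at=self.now + ttl)
        return True

    def list_devices(self, username: str) -> dict:
        """What the account page would show: each registered device and its trust level."""
        return {fp: rec.trust.value for (u, fp), rec in self.devices.items() if u == username}


def demo() -> list:
    """Walk through the bank / LAN-house scenario from the thread with constructed inputs."""
    t0 = datetime(2015, 1, 12, 11, 0, tzinfo=timezone.utc)
    auth = DeviceAuthorizer(t0, allowed_networks=["192.0.2.0/24"])
    results = []
    results.append(auth.authorize("alice", "home-pc", "192.0.2.10"))          # unknown device
    _, code = auth.outbox[-1]
    results.append(auth.activate("alice", "home-pc", "wrong", trusted=True))  # bad code rejected
    results.append(auth.activate("alice", "home-pc", code, trusted=True))     # home PC now trusted
    results.append(auth.authorize("alice", "home-pc", "192.0.2.10"))
    results.append(auth.authorize("alice", "lan-house", "192.0.2.77"))        # LAN house: unknown
    _, code = auth.outbox[-1]
    results.append(auth.activate("alice", "lan-house", code, trusted=False))  # temporary only
    results.append(auth.authorize("alice", "lan-house", "192.0.2.77"))
    auth.now = t0 + timedelta(hours=9)                                        # later that day
    results.append(auth.authorize("alice", "lan-house", "192.0.2.77"))        # lapsed: code again
    results.append(auth.authorize("alice", "home-pc", "192.0.2.10"))          # trusted: still fine
    results.append(auth.authorize("alice", "home-pc", "203.0.113.5"))         # outside allowed IPs
    return results
```

The point the thread makes is visible in `authorize`: it is called only after authentication has already succeeded, so a "remember me" session does not bypass it, and a device approved as temporary stops being accepted once its window lapses even though the session itself is still valid. Storing only a hash of the activation code and comparing with `hmac.compare_digest` keeps the code out of the device store and avoids a timing side channel on the comparison.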