[keycloak-dev] Device registration and verification

Stian Thorgersen stian at redhat.com
Mon Jan 12 13:10:40 EST 2015



----- Original Message -----
> From: "Pedro Igor Silva" <psilva at redhat.com>
> To: "Bill Burke" <bburke at redhat.com>
> Cc: keycloak-dev at lists.jboss.org
> Sent: Monday, 12 January, 2015 7:00:10 PM
> Subject: Re: [keycloak-dev] Device registration and verification
> 
> ----- Original Message -----
> > From: "Bill Burke" <bburke at redhat.com>
> > To: "Pedro Igor Silva" <psilva at redhat.com>
> > Cc: keycloak-dev at lists.jboss.org
> > Sent: Monday, January 12, 2015 3:32:49 PM
> > Subject: Re: [keycloak-dev] Device registration and verification
> > 
> > 
> > 
> > On 1/12/2015 10:56 AM, Pedro Igor Silva wrote:
> > > ----- Original Message -----
> > >> From: "Bill Burke" <bburke at redhat.com>
> > >> To: keycloak-dev at lists.jboss.org
> > >> Sent: Monday, January 12, 2015 1:39:35 PM
> > >> Subject: Re: [keycloak-dev] Device registration and verification
> > >>
> > >>
> > >>
> > >> On 1/12/2015 10:06 AM, Pedro Igor Silva wrote:
> > >>> ----- Original Message -----
> > >>>> From: "Stian Thorgersen" <stian at redhat.com>
> > >>>> To: "Pedro Igor Silva" <psilva at redhat.com>
> > >>>> Cc: "keycloak dev" <keycloak-dev at lists.jboss.org>
> > >>>> Sent: Monday, January 12, 2015 5:01:35 AM
> > >>>> Subject: Re: [keycloak-dev] Device registration and verification
> > >>>>
> > >>>>
> > >>>>
> > >>>> ----- Original Message -----
> > >>>>> From: "Pedro Igor Silva" <psilva at redhat.com>
> > >>>>> To: "Stian Thorgersen" <stian at redhat.com>
> > >>>>> Cc: "keycloak dev" <keycloak-dev at lists.jboss.org>
> > >>>>> Sent: Friday, 9 January, 2015 4:09:51 PM
> > >>>>> Subject: Re: [keycloak-dev] Device registration and verification
> > >>>>>
> > >>>>> ----- Original Message -----
> > >>>>>> From: "Stian Thorgersen" <stian at redhat.com>
> > >>>>>> To: "Pedro Igor Silva" <psilva at redhat.com>
> > >>>>>> Cc: "keycloak dev" <keycloak-dev at lists.jboss.org>
> > >>>>>> Sent: Friday, January 9, 2015 11:29:01 AM
> > >>>>>> Subject: Re: [keycloak-dev] Device registration and verification
> > >>>>>>
> > >>>>>>
> > >>>>>>
> > >>>>>> ----- Original Message -----
> > >>>>>>> From: "Pedro Igor Silva" <psilva at redhat.com>
> > >>>>>>> To: "Stian Thorgersen" <stian at redhat.com>
> > >>>>>>> Cc: "keycloak dev" <keycloak-dev at lists.jboss.org>
> > >>>>>>> Sent: Friday, 9 January, 2015 12:44:20 PM
> > >>>>>>> Subject: Re: [keycloak-dev] Device registration and verification
> > >>>>>>>
> > >>>>>>> ----- Original Message -----
> > >>>>>>>> From: "Stian Thorgersen" <stian at redhat.com>
> > >>>>>>>> To: "Pedro Igor Silva" <psilva at redhat.com>
> > >>>>>>>> Cc: "keycloak dev" <keycloak-dev at lists.jboss.org>
> > >>>>>>>> Sent: Friday, January 9, 2015 5:02:16 AM
> > >>>>>>>> Subject: Re: [keycloak-dev] Device registration and verification
> > >>>>>>>>
> > >>>>>>>> Requiring email seems unnecessary and awkward to me. The normal flow
> > >>>>>>>> I've seen (at least on Android) is that you simply login with your
> > >>>>>>>> username and password on the device. You can then go into your
> > >>>>>>>> account later and list devices that are registered.
> > >>>>>>>
> > >>>>>>> I was thinking more about browser-based scenarios. Mobile behaves
> > >>>>>>> differently but similarly. In any case, the idea is to secure the
> > >>>>>>> user account based on the devices he usually uses to access
> > >>>>>>> something. If that changes, it might be a threat.
> > >>>>>>
> > >>>>>> Sure, but what you're actually talking about here is using email as
> > >>>>>> a 2nd factor authentication right?
> > >>>>>
> > >>>>> No. Email is not a 2nd factor authentication, but the code itself.
> > >>>>> Email is just how you send the code and also how you alert the user
> > >>>>> that someone is trying to access his account from an unrecognized
> > >>>>> device. In this case, the code is just an "activation code" (not an
> > >>>>> authentication code); we can even remove the code and just provide a
> > >>>>> confirmation link, for instance.
> > >>>>>
> > >>>>> This is not about authenticating users, but authorization. Allowing
> > >>>>> access only from devices previously approved by the user. Let's say
> > >>>>> you usually access your bank from your home computer. But for some
> > >>>>> reason, you need temporary access from a LAN house computer. You
> > >>>>> probably don't want to allow access from LAN house computers later on.
> > >>>>>
> > >>>>>>
> > >>>>>> My plan was that we'd have more ways to do 2nd factor auth (sms,
> > >>>>>> email, google authenticator, yubikey, custom) and have an option on a
> > >>>>>> realm to enable "trusted" devices. If the realm has trusted devices
> > >>>>>> enabled then the user only has to use the 2nd factor authentication
> > >>>>>> say every 30 days or so.
> > >>>>>
> > >>>>> What I'm proposing is another security layer, which can be used
> > >>>>> together with 2nd factor authentication.
> > >>>>
> > >>>> I see no difference, except for implementation details
> > >>>
> > >>> There is a difference. Usually you see this feature in bank sites. Or
> > >>> even in SalesForce if you try it out. It helps providers to increase
> > >>> security by allowing access only from devices authorized by the user.
> > >>> You can even choose not to use 2nd factor authentication at all.
> > >>>
> > >>
> > >> How is this different than a "remember me" button?
> > >
> > > "Remember me" will allow you to get authenticated. But if you provided
> > > only temporary access from that device, you will not be able to proceed
> > > even with "remember me" checked. However, if that device was approved for
> > > you and marked as "trusted" you will be fine.
> > >
> > > This is not about authentication, but authorization ....
> > >
> > 
> > Remember me is the same thing as authorizing your browser/machine.
> 
> Yes. But you don't track the devices (or PCs), when your last login from a
> device was, define how long you want to "remember" that device or whether you
> just want a single access from that computer, receive notifications about
> access from unauthorized devices and so forth.
> 
> In a sense that is much more than just seamlessly authenticating the user
> (and authorizing that computer).

I'm curious to see what you're proposing in a real system, but to me it sounds like it's similar enough that a remember me and multi factor auth mechanism would have the same level of security without complicating things for the user.

> 
> > 
> > 
> > 
> > --
> > Bill Burke
> > JBoss, a division of Red Hat
> > http://bill.burkecentral.com
> > 
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev
> 
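The device-approval layer Pedro describes (devices tracked per user, a per-device trust lifetime or a single access, last-login tracking, and an alert when an unrecognized device appears), as an added example that is not Keycloak code or anything from the thread. The `DeviceRegistry` class, its method names, and the opaque device ids are assumptions made for illustration; the check runs after password (and any 2nd factor) succeeded, which is what makes it an authorization step rather than a "remember me" login.

```python
"""Trusted-device authorization layer (hypothetical design, not Keycloak code)."""
from __future__ import annotations

import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional


@dataclass
class DeviceRecord:
    """One device the user approved. trusted_until=None means a single access."""
    device_id: str          # assumed: opaque random token issued to the browser/app
    label: str
    trusted_until: Optional[datetime]
    last_login: Optional[datetime] = None
    used: bool = False      # only meaningful for single-access grants


@dataclass
class Decision:
    allowed: bool
    reason: str
    notify_user: bool = False   # True when the account owner should be alerted


class DeviceRegistry:
    """Per-user device approvals plus pending activation codes (assumed API)."""

    def __init__(self) -> None:
        self._devices: dict[str, dict[str, DeviceRecord]] = {}
        self._pending: dict[tuple[str, str], str] = {}
        self.notifications: list[str] = []   # stands in for the e-mails in the thread

    # --- activation: the e-mailed "activation code" / confirmation link ------
    def start_activation(self, user: str, device_id: str) -> str:
        """Issue a one-time code to e-mail to the user; the e-mail doubles as the alert."""
        code = secrets.token_urlsafe(16)
        self._pending[(user, device_id)] = code
        self.notifications.append(f"{user}: activation code sent for new device {device_id}")
        return code

    def complete_activation(self, user: str, device_id: str, code: str, label: str,
                            now: datetime, remember_for: Optional[timedelta]) -> bool:
        """Approve the device: remember_for=None grants exactly one access."""
        expected = self._pending.get((user, device_id))
        if expected is None or not secrets.compare_digest(expected, code):
            return False
        del self._pending[(user, device_id)]   # codes are single-use
        until = now + remember_for if remember_for is not None else None
        self._devices.setdefault(user, {})[device_id] = DeviceRecord(device_id, label, until)
        return True

    # --- authorization: runs after the user already authenticated -----------
    def authorize(self, user: str, device_id: str, now: datetime) -> Decision:
        rec = self._devices.get(user, {}).get(device_id)
        if rec is None:
            self.notifications.append(f"{user}: login attempt from unrecognized device {device_id}")
            return Decision(False, "unrecognized device: activation required", notify_user=True)
        if rec.trusted_until is None:               # single-access grant
            if rec.used:
                self.notifications.append(f"{user}: reuse of single-access device {device_id}")
                return Decision(False, "single-access grant already consumed", notify_user=True)
            rec.used = True
            rec.last_login = now
            return Decision(True, "single access granted")
        if now > rec.trusted_until:                  # trust lifetime elapsed
            self.notifications.append(f"{user}: login from expired device {device_id}")
            return Decision(False, "device trust expired: re-activation required", notify_user=True)
        rec.last_login = now
        return Decision(True, "trusted device")

    def list_devices(self, user: str) -> list[DeviceRecord]:
        return list(self._devices.get(user, {}).values())

    def revoke(self, user: str, device_id: str) -> bool:
        return self._devices.get(user, {}).pop(device_id, None) is not None


def demo() -> dict[str, bool]:
    """Walks the bank / LAN-house scenario from the thread with constructed data."""
    reg = DeviceRegistry()
    t0 = datetime(2015, 1, 12, 9, 0)
    code = reg.start_activation("alice", "home-pc")          # home computer, 30-day trust
    if not reg.complete_activation("alice", "home-pc", code, "Home PC", t0, timedelta(days=30)):
        raise RuntimeError("activation failed")
    code = reg.start_activation("alice", "lan-house-7")      # LAN house, one-off access
    if not reg.complete_activation("alice", "lan-house-7", code, "LAN house", t0, None):
        raise RuntimeError("activation failed")
    return {
        "home_now": reg.authorize("alice", "home-pc", t0 + timedelta(days=1)).allowed,
        "lan_first": reg.authorize("alice", "lan-house-7", t0 + timedelta(hours=1)).allowed,
        "lan_again": reg.authorize("alice", "lan-house-7", t0 + timedelta(days=2)).allowed,
        "home_expired": reg.authorize("alice", "home-pc", t0 + timedelta(days=31)).allowed,
        "unknown": reg.authorize("alice", "cafe-laptop", t0).allowed,
        "wrong_code": reg.complete_activation("alice", "other", "bad-code", "x", t0, None),
    }


if __name__ == "__main__":
    print(demo())
```

Because the decision is taken after authentication, a "remember me" cookie alone never gets a device past this check: the LAN-house grant is consumed on first use and a later attempt from the same device is refused and reported, which is the behaviour the thread contrasts with plain session persistence. Every refusal also appends a notification, so the account owner learns about unrecognized, reused or expired devices even when the password was correct.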

