[keycloak-dev] Device registration and verification

Bill Burke bburke at redhat.com
Tue Jan 13 09:35:18 EST 2015



On 1/12/2015 1:10 PM, Stian Thorgersen wrote:
>> In a sense that is much more than just seamless authenticate (and authorize
>> that computer) the user.
>
> I'm curious to see what you're proposing in a real system, but to me it sounds like it's similar enough that a remember me and multi factor auth mechanism would have the same level of security without complicating things for the user.
>

I don't think we need any special device registration and verification 
for users.  Any type of client registration should be done by app devs, 
not users.

For browsers, "remember me" and a persistent cookie is good enough.  For 
mobile and native apps, a refresh token can be stored.  We should 
probably have per-client overrides for things like access and refresh 
token timeouts.  We'll eventually add Client IP features so that a user 
doesn't have to use 2-factor auth if they are logging in from the same 
device from the same IP.



-- 
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
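As an added example (not code from Keycloak or from anyone in this thread), the Python sketch below shows one way to model the two ideas in the reply above: per-client overrides for access and refresh token lifespans that fall back to realm defaults, and a "skip the second factor only when the same remembered device logs in from the same IP" check. All names, timeouts and sample records are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

# Realm-wide defaults; a client may override either one (constructed values).
REALM_ACCESS_LIFESPAN = timedelta(minutes=5)
REALM_REFRESH_LIFESPAN = timedelta(days=30)


@dataclass
class ClientSettings:
    client_id: str
    access_lifespan: Optional[timedelta] = None   # None -> realm default applies
    refresh_lifespan: Optional[timedelta] = None

    def effective_lifespans(self) -> Tuple[timedelta, timedelta]:
        return (self.access_lifespan or REALM_ACCESS_LIFESPAN,
                self.refresh_lifespan or REALM_REFRESH_LIFESPAN)


@dataclass
class RememberedLogin:
    """Server-side record of a device that completed 2FA earlier. device_id is
    the random value held in the browser's persistent cookie, or kept next to
    a native app's refresh token."""
    user: str
    device_id: str
    ip: str
    last_full_auth: datetime


def requires_second_factor(user: str, device_id: Optional[str], ip: str,
                           now: datetime, remembered: List[RememberedLogin],
                           max_age: timedelta = timedelta(days=30)) -> bool:
    """True if this login must complete 2FA. The second factor is skipped only
    when the presented device id AND the client IP both match a record for
    this user whose last full authentication is no older than max_age."""
    if device_id is None:          # no remembered device presented at all
        return True
    for rec in remembered:
        if rec.user != user or rec.device_id != device_id:
            continue
        if rec.ip == ip and now - rec.last_full_auth <= max_age:
            return False
    return True                    # unknown device, new IP, or record expired


# Constructed sample data for a stand-alone run.
NOW = datetime(2015, 1, 13, 9, 35)
REMEMBERED = [RememberedLogin("alice", "dev-7f3a", "203.0.113.10", NOW - timedelta(days=2))]

if __name__ == "__main__":
    print(requires_second_factor("alice", "dev-7f3a", "203.0.113.10", NOW, REMEMBERED))  # False
    print(requires_second_factor("alice", "dev-7f3a", "198.51.100.5", NOW, REMEMBERED))  # True
```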
