[keycloak-dev] Device registration and verification
Stian Thorgersen
stian at redhat.com
Tue Jan 13 09:37:55 EST 2015
----- Original Message -----
> From: "Bill Burke" <bburke at redhat.com>
> To: "Stian Thorgersen" <stian at redhat.com>, "Pedro Igor Silva" <psilva at redhat.com>
> Cc: keycloak-dev at lists.jboss.org
> Sent: Tuesday, 13 January, 2015 3:35:18 PM
> Subject: Re: [keycloak-dev] Device registration and verification
>
>
>
> On 1/12/2015 1:10 PM, Stian Thorgersen wrote:
> >> In a sense that is much more than just seamless authenticate (and
> >> authorize
> >> that computer) the user.
> >
> > I'm curious to see what you're proposing in a real system, but to me it
> > sounds like it's similar enough that a remember me and multi factor auth
> > mechanism would have the same level of security without complicating
> > things for the user.
> >
>
> I don't think we need any special device registration and verification
> for users. Any type of client registration should be done by app devs,
> not users.
>
> For browsers, "remember me" and a persistent cookie is good enough. For
> mobile and native apps, a refresh token can be stored. We should
> probably have per-client overrides for things like access and refresh
> token timeouts. We'll eventually add Client IP features so that a user
> doesn't have to use 2-factor auth if they are logging in from the same
> device from the same IP.
IMO not requiring 2-factor auth from same device should use a cookie not IP
>
>
>
> --
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com
>
More information about the keycloak-dev
mailing list