[keycloak-dev] Device registration and verification
Stan Silvert
ssilvert at redhat.com
Tue Jan 13 10:22:08 EST 2015
On 1/13/2015 9:35 AM, Bill Burke wrote:
>
> On 1/12/2015 1:10 PM, Stian Thorgersen wrote:
>>> In a sense that is much more than just seamlessly authenticating the user
>>> (and authorizing that computer).
>> I'm curious to see what you're proposing in a real system, but to me it sounds like it's similar enough that a "remember me" and multi-factor auth mechanism would have the same level of security without complicating things for the user.
>>
> I don't think we need any special device registration and verification
> for users. Any type of client registration should be done by app devs,
> not users.
>
> For browsers, "remember me" and a persistent cookie is good enough. For
> mobile and native apps, a refresh token can be stored. We should
> probably have per-client overrides for things like access and refresh
> token timeouts. We'll eventually add Client IP features so that a user
> doesn't have to use 2-factor auth if they are logging in from the same
> device from the same IP.
I can tell you what my bank does. I have the usual login/"remember me"
function. But if I want to access something that is more sensitive than
my basic account balance and such, I need to authorize my device. This
is done by getting the bank to send me a code via email or text. I then
enter the code in the site and I'm issued a cookie so that the device
doesn't have to go through this process again.

So this is quite different from "remember me", which only applies to
authentication. If someone finds out my credentials they still can't
get high-level authorization to my account without physical access to my
device.

IMO, it would be a nice feature to implement in Keycloak so that app
devs don't have to.
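The flow Stan describes, as an added illustration that is not part of the thread or of Keycloak's code: a one-time code delivered out of band, exchanged for a signed device cookie that is bound to the authenticated user and checked before sensitive operations. `DeviceVerifier`, its method names and the `user|exp|mac` cookie layout are hypothetical choices made for this example.

```python
import hashlib
import hmac
import secrets
import time


class DeviceVerifier:
    """Hypothetical helper (not Keycloak code) for step-up device verification."""

    CODE_TTL = 10 * 60            # one-time code valid for 10 minutes
    COOKIE_TTL = 30 * 24 * 3600   # device cookie valid for 30 days

    def __init__(self, secret: bytes, clock=time.time):
        self.secret = secret      # server-side HMAC key, never sent to clients
        self.clock = clock        # injectable for testing
        self.pending = {}         # user -> (code, expiry)

    def start(self, user: str) -> str:
        """Create a one-time code for `user`. The caller delivers it out of band
        (email/SMS); it must never appear in the HTTP response to the browser."""
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending[user] = (code, self.clock() + self.CODE_TTL)
        return code

    def finish(self, user: str, submitted: str):
        """Check the submitted code. Any attempt consumes the code, so a wrong
        guess forces a fresh code. Returns a signed device cookie, or None."""
        entry = self.pending.pop(user, None)
        if entry is None:
            return None
        code, expiry = entry
        if self.clock() > expiry or not hmac.compare_digest(code, submitted):
            return None
        exp = int(self.clock()) + self.COOKIE_TTL
        return self._sign(f"{user}|{exp}")

    def _sign(self, payload: str) -> str:
        mac = hmac.new(self.secret, payload.encode(), hashlib.sha256).hexdigest()
        return f"{payload}|{mac}"

    def is_trusted(self, cookie: str, user: str) -> bool:
        """Gate sensitive operations: the cookie must be intact, unexpired and
        bound to the user who just authenticated with credentials, so stolen
        credentials alone do not unlock the high-level functions."""
        parts = cookie.split("|")
        if len(parts) != 3:
            return False
        c_user, exp, mac = parts
        expected = self._sign(f"{c_user}|{exp}").rsplit("|", 1)[1]
        if not hmac.compare_digest(mac, expected):
            return False
        return c_user == user and int(exp) > self.clock()
```

The "remember me" login session and this device cookie are checked independently, which is exactly the separation between authentication and high-level authorization that the message draws.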