[keycloak-dev] Device registration and verification

Bill Burke bburke at redhat.com
Tue Jan 13 10:26:42 EST 2015



On 1/13/2015 10:10 AM, Pedro Igor Silva wrote:
> ----- Original Message -----
>> From: "Bill Burke" <bburke at redhat.com>
>> To: "Stian Thorgersen" <stian at redhat.com>, "Pedro Igor Silva" <psilva at redhat.com>
>> Cc: keycloak-dev at lists.jboss.org
>> Sent: Tuesday, January 13, 2015 12:35:18 PM
>> Subject: Re: [keycloak-dev] Device registration and verification
>>
>>
>>
>> On 1/12/2015 1:10 PM, Stian Thorgersen wrote:
>>>> In a sense that is much more than just seamless authenticate (and
>>>> authorize
>>>> that computer) the user.
>>>
>>> I'm curious to see what you're proposing in a real system, but to me it
>>> sounds like it's similar enough that a remember me and multi factor auth
>>> mechanism would have the same level of security without complicating
>>> things for the user.
>>>
>>
>> I don't think we need any special device registration and verification
>> for users.  Any type of client registration should be done by app devs,
>> not users.
>>
>> For browsers, "remember me" and a persistent cookie is good enough.  For
>> mobile and native apps, a refresh token can be stored.  We should
>> probably have per-client overrides for things like access and refresh
>> token timeouts.  We'll eventually add Client IP features so that a user
>> doesn't have to use 2-factor auth if they are logging in from the same
>> device from the same IP.
>
> My proposal is all based on browsers, people using their desktops. So you can have an alias for a computer and use a cookie + IP (or even track information from the user-agent) to support the features I suggested before. If the IP changed or the user is using an unrecognized user-agent, you notify the user. Sometimes this sucks, because your IP may change often depending on your network, but I think it is a nice feature to have.
>

As long as there are no extra steps for the user, it is a fine idea. Same 
goes for any special SPI.  No new special SPIs for this type of thing.

For a long time I've wanted the ability to warn the user if there was a 
login from rogue hacker nation.  Countries and even states, counties and 
cities are assigned specific IP address masks.  I'm pretty sure ISPs are 
assigned specific ones too.  There's a free country IP database you can 
download with the option to pay for more fine-grain information.

BTW, I already had this on my task list for a long time and really 
wanted to do this work.


-- 
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
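The cookie + IP/user-agent recognition described in the quoted proposal and the new-country warning discussed above, as an added Python example that is not part of the thread or of Keycloak; the prefix-to-country table, device alias and addresses are constructed, and the table stands in for a downloaded country-IP database.

```python
"""Login-anomaly check: a browser is recognised by its cookie alias plus the
network and user-agent previously seen with it; the login is flagged for user
notification when those change or the IP falls in a country never seen for that
alias.  Added example; the prefix-to-country table is constructed."""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Constructed table standing in for a downloaded country-IP database.
COUNTRY_BY_PREFIX = {"203.0.113.0/24": "US", "198.51.100.0/24": "US", "192.0.2.0/24": "ZZ"}

def country_of(ip: str) -> str:
    addr = ipaddress.ip_address(ip)
    for prefix, cc in COUNTRY_BY_PREFIX.items():
        if addr in ipaddress.ip_network(prefix):
            return cc
    return "??"  # unknown: treated as a new country below

def network_of(ip: str) -> str:
    # Compare on the /24 so a DHCP renewal inside one network is not an anomaly.
    return str(ipaddress.ip_network(f"{ip}/24", strict=False))

@dataclass
class KnownDevice:
    alias: str                       # value carried in the persistent cookie
    user_agent: str
    networks: Set[str] = field(default_factory=set)
    countries: Set[str] = field(default_factory=set)

    def record_login(self, ip: str) -> None:
        self.networks.add(network_of(ip))
        self.countries.add(country_of(ip))

def evaluate_login(devices: Dict[str, KnownDevice], cookie_alias: Optional[str],
                   ip: str, user_agent: str) -> List[str]:
    """Return the reasons (empty if none) for which the user should be notified."""
    dev = devices.get(cookie_alias) if cookie_alias else None
    if dev is None:
        return ["unrecognized device (no known cookie alias)"]
    reasons = []
    if dev.user_agent != user_agent:
        reasons.append("user-agent changed")
    cc = country_of(ip)
    if cc not in dev.countries:
        reasons.append(f"login from new country {cc}")
    elif network_of(ip) not in dev.networks:
        reasons.append("IP network changed")
    return reasons
```

A new country takes precedence over a mere network change, so a user on a changing home IP is not nagged while a login from an unseen country still produces a notice.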