[keycloak-dev] Why do I have to enter the OTP?

Stian Thorgersen stian at redhat.com
Thu Jan 15 02:43:50 EST 2015


I think we'd need some mechanism in place so the user knows he initiated the request. Keycloak could for example display a random phrase, for example "RED SHOE" which would also be displayed on the mobile. Banks in Norway use a similar mechanism.

----- Original Message -----
> From: "Bill Burke" <bburke at redhat.com>
> To: keycloak-dev at lists.jboss.org
> Sent: Wednesday, 14 January, 2015 7:12:37 PM
> Subject: Re: [keycloak-dev] Why do I have to enter the OTP?
> 
> 
> 
> On 1/14/2015 2:36 AM, Juraci Paixão Kröhling wrote:
> > -----BEGIN PGP SIGNED MESSAGE-----
> > Hash: SHA1
> >
> > On 01/13/2015 05:11 PM, Bill Burke wrote:
> >> Why does a user have to enter in the OTP generated by their mobile
> >>   device?  Wouldn't it be cooler if the steps were:
> >>
> >> 1. Enter in username password in the browser 2. Browser blocks and
> >> wait for... 3. Press a button on your OTP iphone app 4. iphone app
> >> sends an HTTP message to Keycloak with username and generated OTP
> >> (in background) 5. Keycloak sees if a browser app is waiting for
> >> OTP verification, then verifies OTP if so.
> >
> > How do you ensure that this browser is the same as the real user, and
> > not from an attacker?
> >
> 
> The browser has correctly entered in a password.  There would be a
> timeout for the browser blocking/waiting for the background OTP transmit.
> 
> 
> --
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev
> 



More information about the keycloak-dev mailing list