[keycloak-dev] Support multiple 2nd factor types

Stian Thorgersen sthorger at redhat.com
Wed Oct 7 07:57:46 EDT 2015


At least for now we should add support for multiple types of OTP:

* Software tokens
* Hardware tokens
* U2F

It should be possible for an administrator to select what mechanisms are
available for a realm. We need the option to enforce that a user has at
least one 2nd factor authentication associated with the account. Then it
should be possible for administrators to provision tokens on behalf of
users, but also for users themselves to provision their own. For hardware
tokens a lot of them use the same algorithm as the software token, but one
caveat is that you need to be able to exchange a device-id for the token
secret. This could be a REST endpoint or a lookup in a database, but I
don't think there's a generic approach available so maybe we need to
introduce an SPI for this.

Are we able to do the above with the current Authenticator SPI? We also
need:

* Account management - users should be able to choose which mechanism to
use if there's more than one enabled for a realm
* Required action to enable OTP - same as above
* Admin console - administrators should be able to provision on behalf of
users
* We need to refer to it as 2nd factor or multi-factor as OTP is just one
possible mechanism. Other simple examples could be sending a code to email
or sms which has to be copy/pasted back to the login forms.

Looks like we have a community member that is willing to contribute U2F and
another that could contribute hardware tokens.
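An added illustration of the hardware-token caveat above: the same HOTP/TOTP code path (RFC 4226 / RFC 6238) serves a software token that stores its own secret and a hardware token that stores only a device id, with the device-id-to-secret exchange behind a pluggable lookup. This is example code written for this page, not Keycloak code and not the SPI the post proposes; the names OtpCredential, OtpVerifier, DeviceSecretResolver and in_memory_resolver are hypothetical, and the seed is the SHA-1 test secret from RFC 6238 Appendix B. It also shows two checks a practitioner would want on any such verifier: a bounded clock-skew window and a burned-counter replay guard.

```python
"""Added example (not Keycloak code): one OTP algorithm serving both a
software token (stores its secret) and a hardware token (stores only a
device id exchanged for the secret through a pluggable lookup).
All class and function names are hypothetical illustrations."""
import hmac
import struct
from dataclasses import dataclass
from typing import Callable, Dict, Optional


def hotp(secret: bytes, counter: int, digits: int = 6, algorithm: str = "sha1") -> str:
    """RFC 4226: HMAC over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algorithm).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: int, period: int = 30, digits: int = 6, algorithm: str = "sha1") -> str:
    """RFC 6238: HOTP with the counter derived from Unix time."""
    return hotp(secret, at // period, digits, algorithm)


@dataclass
class OtpCredential:
    """What the realm would store per user. Exactly one of secret / device_id
    is set: software tokens carry the secret, hardware tokens only the id."""
    secret: Optional[bytes] = None
    device_id: Optional[str] = None
    last_counter: int = -1  # highest time step already consumed (replay guard)


# Hypothetical stand-in for the "exchange a device id for the token secret"
# lookup. A real deployment would back this with a REST call or a database.
DeviceSecretResolver = Callable[[str], Optional[bytes]]


def in_memory_resolver(table: Dict[str, bytes]) -> DeviceSecretResolver:
    return lambda device_id: table.get(device_id)


class OtpVerifier:
    def __init__(self, resolve_device_secret: DeviceSecretResolver,
                 period: int = 30, digits: int = 6, window: int = 1):
        self.resolve_device_secret = resolve_device_secret
        self.period = period
        self.digits = digits
        self.window = window  # accepted clock skew, in time steps, either side

    def _secret_for(self, cred: OtpCredential) -> Optional[bytes]:
        if cred.secret is not None:
            return cred.secret
        if cred.device_id is not None:
            return self.resolve_device_secret(cred.device_id)
        return None

    def verify(self, cred: OtpCredential, code: str, now: int) -> bool:
        """Accept the code if it matches a step inside the skew window that has
        not been consumed yet; the accepted step is burned so the same OTP
        cannot be replayed while it is still inside the window."""
        secret = self._secret_for(cred)
        if secret is None:
            return False  # unknown device id or unprovisioned credential
        step = now // self.period
        for delta in range(-self.window, self.window + 1):
            counter = step + delta
            if counter <= cred.last_counter:
                continue
            if hmac.compare_digest(hotp(secret, counter, self.digits), code):
                cred.last_counter = counter
                return True
        return False


RFC6238_SEED = b"12345678901234567890"  # SHA-1 test secret, RFC 6238 Appendix B


def demo() -> Dict[str, bool]:
    """Constructed scenario: one seed provisioned as a software token and as
    hardware token "hw-token-0001"; every entry should come back True."""
    verifier = OtpVerifier(in_memory_resolver({"hw-token-0001": RFC6238_SEED}))
    software = OtpCredential(secret=RFC6238_SEED)
    hardware = OtpCredential(device_id="hw-token-0001")
    unknown = OtpCredential(device_id="hw-token-9999")
    code_at_59 = totp(RFC6238_SEED, 59)  # RFC vector: 94287082, so "287082" at 6 digits
    return {
        "software_ok": verifier.verify(software, code_at_59, now=59),
        "software_replay_rejected": not verifier.verify(software, code_at_59, now=59),
        "hardware_ok": verifier.verify(hardware, code_at_59, now=59),
        "unknown_device_rejected": not verifier.verify(unknown, code_at_59, now=59),
        "skew_one_step_ok": verifier.verify(OtpCredential(secret=RFC6238_SEED), code_at_59, now=89),
        "wrong_code_rejected": not verifier.verify(OtpCredential(secret=RFC6238_SEED), "000000", now=59),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The lookup is deliberately a plain callable: whatever shape such an SPI ends up taking, the verifier only needs "device id in, secret (or nothing) out", and an unknown device id fails closed rather than falling back to a software-token path.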