[keycloak-dev] Adaptive risk login

Marc Boorshtein marc.boorshtein at tremolosecurity.com
Sun Aug 28 08:32:41 EDT 2016


On Aug 28, 2016 7:56 AM, "Thomas Darimont" <thomas.darimont at googlemail.com>
wrote:
>
> Hello group,
>
> I just had a look at a nice feature from ForgeRock AM called:
> "Adaptive risk login".

Adaptive risk was really popular around 2010 as a multi-factor without a
token. Mainly banks didn't want to hand out RSA SecurID tokens. They used a
bunch of factors like your Flash version, source IP, etc. It turned out to
be more trouble than it's worth. Between the ease of creating soft tokens
like TOTP and the popularity of VPNs, the adaptive risk approach proved to
be mostly pointless. The amount of statistical data needed to make these
decisions useful, and the amount of skill needed to configure it, was
outweighed by simpler multi-factor implementations.

Oracle's Adaptive Access Manager, the most notable enterprise adaptive
access manager, was merged into Oracle Access Manager mainly for the couple
of alternative login methods, but the adaptive part has disappeared. My
guess is this was a "me too"/checkbox feature. I've done several ForgeRock
implementations and this comes up as a theoretical discussion but never
goes beyond that.

I've seen a few machine learning based approaches to authentication, but
they go well beyond tracking a risk score, more behavior tracking stuff.
The couple I've seen end up integrating via SAML or OIDC anyway, so there
wouldn't be much to do on the KC side.