[keycloak-dev] Adaptive risk login

Stian Thorgersen sthorger at redhat.com
Mon Aug 29 09:48:10 EDT 2016

Doesn't seem adapter authentication is dead:

VPNs are certainly not the solution in all cases as more and more
applications are exposed directly on the Internet everyday. Two factor is
certainly improving security ten folds, but there's also issues with those.
A token can be lost or compromised. There's needs for password recovery.

End of the day the more layers of security you have the less likely you'll
get compromised. VPNs + two factor + adaptive authentication might just
combined be enough to give you the level you need.

We do have adaptive authentication on the radar for Keycloak. There's a
fairly good chance it's something we'll look into for 3.x (2017). As such
I'd love to hear more what others think about it.

On 28 August 2016 at 14:32, Marc Boorshtein <
marc.boorshtein at tremolosecurity.com> wrote:

> On Aug 28, 2016 7:56 AM, "Thomas Darimont" <thomas.darimont at googlemail.com>
> wrote:
> >
> > Hello group,
> >
> > I just add a look at a nice feature from Forge Rock AM called:
> > "Adaptive risk login".
> Adaptive risk was really popular around 2010 as a multi-factor without a
> token. Mainly banks didnt want to hand out rsa secureid tokens. They used a
> bunch of factors like your flash version, source IP, etc. It turned out to
> be more trouble then it's worth. Between the ease of creating soft tokens
> like totp and the popularity of VPNs the adaptive risk approach proved to
> be mostly pointless. The amount of statistical data needed to make these
> decisions useful, and the amount of skill needed to configure was
> outweighed by simpler multi factor implementations.
> Oracles adaptive access manager, the most notable enterprise adaptive
> access manager, was merged into Oracle access manager mainly for the couple
> of alternative login methods but the adaptive part has disappeared. My
> guess is this was a "me too"/checkbox feature. I've done several forgerock
> implementations and this comes up as a theoretical discussion but never
> goes beyond that.
> I've seen a few machine learning based approaches to authentication but
> they go well beyond tracking a risk score, more behavior tracking stuff.
> The couple I've seen end up integrating via saml or oidc anyways so there
> wouldn't be much to do on the kc side.
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-dev/attachments/20160829/c28f6f90/attachment.html 

More information about the keycloak-dev mailing list