[keycloak-dev] Adaptive risk login

Stian Thorgersen sthorger at redhat.com
Tue Aug 30 05:31:41 EDT 2016


On 29 August 2016 at 19:06, Marc Boorshtein <marc.boorshtein at tremolosecurity.com> wrote:

> >> >
> >> > VPNs are certainly not the solution in all cases as more and more
> >> > applications are exposed directly on the Internet everyday.
> >>
> >> Very true (as are all your other statements) but my point about VPNs
> >> wasn't that more people are using VPNs as a way to protect
> >> applications (probably the opposite).  It's that VPNs can be easily
> >> used to bypass many of the features of adaptive authentication.  Most
> >> adaptive deployments I've seen rely on geo location mappings of IP
> >> ranges to determine where users are logging in from.  Use an OpenVPN
> >> into an Amazon/Google/Azure/Pick-Your-Favorite-Provider network and out
> >> to the internet and that feature becomes useless.
> >
> >
> > Yep, that's an issue. There's also bot farms as well. Not many people will
> > issue an attack from their home address.
> >
> > Still has some level of protection. For example VPNs are costly, tend to be
> > rate limited.
>
> If you're talking about a DDoS or script kiddies just running massive
> sets of scripts against a target, sure but I don't think KC (or any
> authentication system) will be what stops that.  That'll be a
> combination of network infrastructure and web application firewalls
> screening out specific exploits.  Where the value of adaptive auth
> would I think be more likely is a targeted attack with a known set of
> credentials where a set of actors is trying to leverage something they
> have to get elevated privileges.  In which case getting a single
> openvpn running on an aws account could cost as little as a few
> dollars and circumvent many of the risk barometers based on source ip.


>
> >
> >
> > It does depend on what level of protection you are looking for. If it's for
> > a web application and you're trying to block out script kiddies and other
> > people looking for easy targets the rules don't have to be that complex.
> >
>
> Sure, but I don't think KC (or any authentication system) is going to
> stop a script kiddie.  The vulnerabilities they are generally going
> after are known exploits that haven't been patched and don't require
> authentication.  Just watch the logs for a known WordPress site and
> you won't see any requests for authentication from trollers (unless
> it's with a specific exploit).  You'll see reams of trying to hit
> wp-admin with known exploits to bypass authentication altogether.
>

It's certainly not going to stop attacks going after known exploits. The
only real defense against that is limiting what's exposed and making sure
everything that is exposed always has the latest security patches. The
latter is one good reason for using a supported product rather than a
community project, as you are able to get patches to older versions as well
as retrieve patches prior to the vulnerabilities being made public.

Adaptive authentication could for instance stop someone trying to use
common passwords with a list of known usernames. We have a rather naive
brute force protection in Keycloak that prevents that to some degree, but
it's far from sophisticated enough. For example it prevents many guesses to
one user, but not few guesses to many users. However, that would more
likely be the job of an intrusion detection system and firewalls to stop
those types of attacks in either case.


>
> Even looking at the articles mentioned, everything is theoretical.
> Adaptive authentication has been around for at least 8-10 years, you'd
> think if it were used to great success there would be more success
> stories rather than theories.  The new part they point out is the
> addition of machine learning to the process to make more intelligent
> decisions, which makes sense.  Something like Google's new captcha
> system.  KC would make a great integration tool for something like
> that.
>

You're right. Simple rules like an IP range are just not going to cut it.
Much more complex and intelligent processing of data is required. If the
rules are too defensive you also end up blocking legitimate users. In which
case you need a way for the legitimate user to prove they are who they say
they are. In which case you can send a mail or even use Google's reCAPTCHA.
Even sending an email when you've detected a login from a new machine is
useful to at least detect malicious access.

One thing we should at least do is to add a device cookie which includes
the user-id that is signed with the realm key. This would allow us to
identify a device that has been used before. If we detect a new device we
can introduce options such as send an email to verify the device, display a
reCAPTCHA or even simply send an email to the user to notify about the
login.


>
>
> ps: great conversation, really enjoy these types of discussions
>

+1000
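The "few guesses to many users" gap Stian describes above, as an added detection example (not Keycloak's brute-force code): per-user counting is what the naive protection does, per-source distinct-user counting is the signal it misses. The event sample, window and thresholds are constructed for the demo.

```python
from collections import defaultdict, deque
from typing import Deque, Dict, List, Set, Tuple

# Constructed sample of failed logins: (seconds, source_ip, username).
FAILED_LOGINS: List[Tuple[int, str, str]] = (
    # one guess each against many users from one source: a password spray
    [(t * 10, "198.51.100.7", f"user{t:02d}") for t in range(12)]
    # many guesses against one user: the classic brute force
    + [(200 + t, "203.0.113.9", "alice") for t in range(6)]
    # an ordinary user who mistyped twice
    + [(300, "192.0.2.4", "bob"), (305, "192.0.2.4", "bob")]
)


def detect(events: List[Tuple[int, str, str]], window: int = 600,
           per_user_limit: int = 5, spray_user_limit: int = 10
           ) -> Tuple[Set[str], Set[str]]:
    """Return (locked_users, spraying_sources) over a sliding time window.

    locked_users:     usernames with >= per_user_limit failures (naive rule).
    spraying_sources: source IPs that failed against >= spray_user_limit
                      distinct usernames, however few attempts per user.
    """
    per_user: Dict[str, Deque[int]] = defaultdict(deque)
    per_src: Dict[str, Deque[Tuple[int, str]]] = defaultdict(deque)
    locked: Set[str] = set()
    spraying: Set[str] = set()
    for ts, ip, user in sorted(events):
        # per-user failure count within the window
        uq = per_user[user]
        uq.append(ts)
        while uq and ts - uq[0] > window:
            uq.popleft()
        if len(uq) >= per_user_limit:
            locked.add(user)
        # per-source distinct-user count within the window
        sq = per_src[ip]
        sq.append((ts, user))
        while sq and ts - sq[0][0] > window:
            sq.popleft()
        if len({u for _, u in sq}) >= spray_user_limit:
            spraying.add(ip)
    return locked, spraying


if __name__ == "__main__":
    print(detect(FAILED_LOGINS))
```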
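The signed device cookie proposed above, as an added example that is not Keycloak code: the cookie binds a random device id to the user id and is signed with a realm secret, so a login without a valid cookie for that user is treated as a new device and can be stepped up (verification mail, reCAPTCHA or a notification). HMAC-SHA256 over a constructed secret stands in for signing with the realm key, which is an assumption of this demo.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional

# Constructed stand-in for the realm key (assumption: a real realm would
# sign with its own key pair; an HMAC secret keeps the demo self-contained).
REALM_KEY = b"constructed-realm-secret-for-demo-only"


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_device_cookie(user_id: str, now: Optional[float] = None) -> str:
    """Mint a cookie binding a fresh random device id to this user id."""
    payload = {"uid": user_id, "dev": secrets.token_hex(16),
               "iat": int(now if now is not None else time.time())}
    body = _b64(json.dumps(payload, separators=(",", ":")).encode())
    sig = hmac.new(REALM_KEY, body.encode(), hashlib.sha256).digest()
    return f"{body}.{_b64(sig)}"


def verify_device_cookie(cookie: str, user_id: str) -> Optional[dict]:
    """Return the payload if the signature is valid and the cookie belongs
    to user_id; None if tampered, forged or issued for another user."""
    try:
        body, sig = cookie.split(".", 1)
        expected = hmac.new(REALM_KEY, body.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(_unb64(sig), expected):
            return None
        payload = json.loads(_unb64(body))
    except (ValueError, UnicodeDecodeError):
        return None
    return payload if payload.get("uid") == user_id else None


def is_new_device(cookie: Optional[str], user_id: str) -> bool:
    """True when no valid cookie for this user accompanies the login; the
    caller would then require extra verification or notify the user."""
    return cookie is None or verify_device_cookie(cookie, user_id) is None
```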