[keycloak-dev] Two Factor Authentication via Email.

Thomas Darimont thomas.darimont at googlemail.com
Mon Jan 11 16:15:33 EST 2016


I'm currently working on a PR that provides "Two factor authentication via
email" https://issues.jboss.org/browse/KEYCLOAK-240.

My current implementation comes with a custom EmailCodeAuthenticator
that generates a short code String in the challenge(...) method and
sends an email to the email address that is configured for the current user.

The user can then copy and paste the code into an input field, similar
to how OTP codes are handled. If the user enters the wrong code, a new
email is sent to the user's email address.

The email code is saved as a user level credential.

I wonder whether this is the right approach or whether it would be better
to allow the user to regenerate the code on demand instead of
regenerating it every time?

For the former I'd have to provide a REST endpoint similar to what happens
for verifying an email
during registration - where should this be placed?

For sending the actual email I'm currently using an EmailSenderProvider,
however I think an EmailTemplateProvider might be more appropriate ;-)
May I simply add a method to the EmailTemplateProvider interface?

Btw. I think this would be a good base for having an SMS based 2nd factor
authenticator, as requested here:
https://issues.jboss.org/browse/KEYCLOAK-241

It would make sense to have the mobile phone number as a first-class user
attribute and to show it on the profile page by default instead of just
having it in the data model.

Another point that comes to my mind is that it could make sense to specify
an email code policy in the same way OTP policies are supported. This could
then be used to differentiate between email codes, which are usually
handled via copy&paste, and codes that come via SMS, which are usually
typed in by hand and should therefore be somewhat short ;-)

My current WIP can be found here:
https://github.com/thomasdarimont/keycloak/commits/issue/KEYCLOAK-240-2nd-factor-auth-via-email