[keycloak-dev] Improved ToTP Security example
Thomas Darimont
thomas.darimont at googlemail.com
Mon Mar 14 16:27:47 EDT 2016
Hello,
the guys from projectlombok build an example application (see [0]) for ToTP
based
multi-factor authentication which showed at the Javaland 2016 conference in
Germany last week.
In this app they demoed an interesting security feature:
if a user enters a wrong ToTP code (or a far off one) they require the user
to
enter 3 consecutive valid ToTP codes - although I can imagine that this is
a bit annoying
for the user it nevertheless could add an additional level of security to
the
ToTP authentication mechanism.
They show the following message if a user entered a wrong / far-off ToTP
token:
"Due to entering a wrong TOTP confirmation code, you now need to enter 3
consecutive codes
so that we can confirm you're not just guessing codes, and detect issues
with your verification device's clock."
Perhaps keycloak could add such a feature as well.
Cheers,
Thomas
[0] - https://github.com/rzwitserloot/totp-example
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-dev/attachments/20160314/54d3c020/attachment.html
More information about the keycloak-dev
mailing list