[keycloak-dev] Improved ToTP Security example

Thomas Darimont thomas.darimont at googlemail.com
Mon Mar 14 16:27:47 EDT 2016


Hello,

the guys from projectlombok built an example application (see [0]) for ToTP-based multi-factor authentication, which they showed at the Javaland 2016 conference in Germany last week.

In this app they demoed an interesting security feature:

if a user enters a wrong ToTP code (or a far-off one), they require the user to enter 3 consecutive valid ToTP codes. Although I can imagine that this is a bit annoying for the user, it nevertheless could add an additional level of security to the ToTP authentication mechanism.

They show the following message if a user entered a wrong / far-off ToTP token:

"Due to entering a wrong TOTP confirmation code, you now need to enter 3 consecutive codes so that we can confirm you're not just guessing codes, and detect issues with your verification device's clock."

Perhaps keycloak could add such a feature as well.

Cheers,
Thomas

[0] - https://github.com/rzwitserloot/totp-example
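The behaviour described in the message above, as an added illustration that is not code from the totp-example project or from Keycloak: a per-user verifier that normally accepts one RFC 6238 code, but after a wrong or far-off code demands three valid codes from consecutive 30-second steps (a gap restarts the run), with a one-step drift window and a replay guard. The `TotpVerifier` class, its constants and the sample secret are constructed here for the example.

```python
import hashlib
import hmac
import struct

STEP = 30            # TOTP time step in seconds (RFC 6238 default)
DIGITS = 6
WINDOW = 1           # accept one step of clock drift either way
PENALTY_RUN = 3      # consecutive valid codes demanded after a wrong one

def totp_at(secret: bytes, counter: int) -> str:
    """RFC 4226 / RFC 6238 code for one time-step counter (HMAC-SHA1)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF) % 10 ** DIGITS
    return str(code).zfill(DIGITS)

class TotpVerifier:
    """Per-user state; hypothetical stand-in for what a server would persist."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.remaining = 1     # codes still required; 1 means a normal login
        self.last_used = None  # highest counter already consumed (replay guard)
        self.run_last = None   # counter of the previous code in a penalty run

    def verify(self, code: str, now: float) -> tuple:
        """Return (authenticated, codes still required)."""
        counter = int(now // STEP)
        match = None
        if len(code) == DIGITS and code.isdigit():
            for delta in (0, -WINDOW, WINDOW):          # prefer the exact step
                c = counter + delta
                if self.last_used is not None and c <= self.last_used:
                    continue                            # replay of a used step
                if hmac.compare_digest(totp_at(self.secret, c), code):
                    match = c
                    break
        if match is None:                               # wrong or far-off code
            self.remaining, self.run_last = PENALTY_RUN, None
            return False, self.remaining
        if self.run_last is not None and match != self.run_last + 1:
            self.remaining = PENALTY_RUN                # gap breaks the run
        self.last_used = self.run_last = match
        self.remaining -= 1
        if self.remaining == 0:                         # run complete: back to normal
            self.remaining, self.run_last = 1, None
            return True, 0
        return False, self.remaining
```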