[keycloak-dev] Zero-knowledge proof of password?

Mark True mtrue at redhat.com
Tue Mar 7 20:35:58 EST 2017


I did a bit of looking for a non-interactive version of OTP, and I managed
to find this:

http://www.a100websolutions.in/otp-using-php-one-time-passwords/

I don't know if this answers your question, but I found it an interesting
read anyway!

Hope this helps!


On Tue, Mar 7, 2017 at 8:31 PM, Mark True <mtrue at redhat.com> wrote:

> I think the closest people have come to what you describe are things like
> FreeOTP or the RSA Firewall fobs. These provide one way passwords that
> are based on "what you know" and do not require transmitting a permanent
> password over cleartext.
>
> Hope this helps!
>
>
> On Tue, Mar 7, 2017 at 6:05 PM, Bill Burke <bburke at redhat.com> wrote:
>
>> What does that even mean? Keycloak's SSL mode can forbid non-SSL
>> connections. FYI, OIDC requires SSL.
>>
>>
>> On 3/7/17 4:22 PM, Peter K. Boucher wrote:
>> > Suppose you don't want your passwords transmitted in the clear after SSL is
>> > terminated by a proxy.
>> >
>> >
>> >
>> > Has anyone developed a secure way for the client to prove they have the
>> > password, rather than transmitting it in the body of a post?
>> >
>> > _______________________________________________
>> > keycloak-dev mailing list
>> > keycloak-dev at lists.jboss.org
>> > https://lists.jboss.org/mailman/listinfo/keycloak-dev
>>
>
>

