[keycloak-user] Login success/failure constant time

DAVIES, Ben (NHS DIGITAL) ben.davies14 at nhs.net
Mon Mar 11 11:52:03 EDT 2019


Hi!


Just joined the list and looking for some answers RE: security features of Keycloak. I had a google about and a read of the docs but I couldn't find an answer to my question. Does Keycloak ensure that failed logins and successful logins take the same amount of time? I've been asked as part of an OWASP questionnaire (section V2.28 "Verify that all authentication challenges, whether successful or failed, should respond in the same average response time").


Does anyone know if this is the case, or ideally point to some documentation of this fact?


Cheers!

Ben

