[security-dev] managing OTP

Pedro Igor Silva psilva at redhat.com
Mon Aug 12 06:19:58 EDT 2013


----- Original Message -----
> From: "Bill Burke" <bburke at redhat.com>
> To: security-dev at lists.jboss.org
> Sent: Sunday, August 11, 2013 8:58:27 AM
> Subject: [security-dev] managing OTP
> 
> There are a few issues with managing credentials.  The first is, there is
> no way to remove a credential.  This is essential to TOTP as you may end
> up with a lost or obsolete device.
> 
> https://issues.jboss.org/browse/PLINK-236
> 

I missed that too and have discussed that with Shane a long time ago. The idea is to have a history of all account's credentials.

If a device becomes obsolete, you just set an expiration date.

> The 2nd is that for TOTP, you will want to check every device on a
> credential validation rather than just one:
> 
> https://issues.jboss.org/browse/PLINK-237
> 
> Our own VPN allows me to set up multiple tokens.  I have one on my
> iphone and ipad just in case I lose one or the other.  Our VPN allows me
> to use either to log in.
> 

Is it not a valid option to iterate over the user's devices and try each one?

> --
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com
> _______________________________________________
> security-dev mailing list
> security-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/security-dev
> 
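The two points raised in this thread (retiring a lost device by setting an expiration date, and validating a submitted code against every still-active device rather than just one) can be sketched in a few dozen lines. The following is an added example written for this page, not PicketLink's own code or API: it implements RFC 6238 TOTP with the standard library, keeps every device in the account's credential history, treats a device with a past `expires_at` as retired, and iterates over the active devices on validation. The `Account`, `TotpDevice`, `retire_device` and `validate_totp` names are assumptions for the example. It also records the last accepted time-step per device so that a code already used cannot be replayed inside the drift window, a check the thread does not mention but that any multi-device validator needs.

```python
import hmac
import hashlib
import struct
from dataclasses import dataclass, field
from typing import List, Optional

# RFC 6238 Appendix B test secret; the example uses it as the "phone" seed.
RFC_SECRET = b"12345678901234567890"
STEP = 30  # seconds per TOTP time-step


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, step: int = STEP, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(secret, at // step, digits)


@dataclass
class TotpDevice:
    """One enrolled token. expires_at=None means active; a timestamp retires it."""
    name: str
    secret: bytes
    expires_at: Optional[int] = None
    last_counter: Optional[int] = None  # highest time-step already accepted

    def is_active(self, now: int) -> bool:
        return self.expires_at is None or now < self.expires_at


@dataclass
class Account:
    username: str
    devices: List[TotpDevice] = field(default_factory=list)

    def retire_device(self, name: str, now: int) -> bool:
        """Retire a lost or obsolete device by stamping an expiration date.
        The device stays in the list as credential history; it is never deleted."""
        for device in self.devices:
            if device.name == name and device.is_active(now):
                device.expires_at = now
                return True
        return False

    def validate_totp(self, code: str, now: int, window: int = 1) -> Optional[str]:
        """Try the code against every active device, allowing +/- `window`
        time-steps of clock drift. Returns the matching device name, or None."""
        current = now // STEP
        for device in self.devices:
            if not device.is_active(now):
                continue  # retired devices are kept for history but never validated
            for counter in range(current - window, current + window + 1):
                # Reject a time-step that this device has already been accepted for,
                # so a captured code cannot be replayed within the drift window.
                if device.last_counter is not None and counter <= device.last_counter:
                    continue
                expected = hotp(device.secret, counter)
                if hmac.compare_digest(expected, code):
                    device.last_counter = counter
                    return device.name
        return None


if __name__ == "__main__":
    # Constructed walk-through: two devices, one gets lost and is retired.
    now = 59  # RFC 6238 test time; phone code at T=59 is 287082
    account = Account("alice", [TotpDevice("phone", RFC_SECRET),
                                TotpDevice("tablet", b"abcdefghijklmnopqrst")])
    print("phone code accepted from:", account.validate_totp("287082", now))
    account.retire_device("phone", now + 1)
    print("after retiring phone:", account.validate_totp(totp(RFC_SECRET, now + 1), now + 1))
    print("tablet still works:", account.validate_totp(totp(b"abcdefghijklmnopqrst", now + 1), now + 1))
```

Iterating over devices costs one HMAC per device per window slot, which is negligible; the property that actually matters is that a retired device can no longer authenticate while its record survives for audit, and that a code accepted for one time-step is not accepted again for the same device.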
