[security-dev] managing OTP
Anil Saldhana
Anil.Saldhana at redhat.com
Mon Aug 12 09:23:07 EDT 2013
On 08/12/2013 08:20 AM, Bill Burke wrote:
>
> On 8/12/2013 6:19 AM, Pedro Igor Silva wrote:
>> ----- Original Message -----
>>> From: "Bill Burke" <bburke at redhat.com>
>>> To: security-dev at lists.jboss.org
>>> Sent: Sunday, August 11, 2013 8:58:27 AM
>>> Subject: [security-dev] managing OTP
>>>
>>> There's a few issues with managing credentials. The first is, there is
>>> no way to remove a credential. This is essential to TOTP as you may end
>>> up with a lost or obsolete device.
>>>
>>> https://issues.jboss.org/browse/PLINK-236
>>>
>> I missed that too and have discussed that with Shane a long time ago. The idea is to have a history of all account's credentials.
>>
> The reason for this is?
>
>> If a devices becomes obsolete, you just set expiration date.
>>
> Its not just TOTP, same with password. Every time a user has a lost
> password two new obsolete ones are added to the database: temporary
> one, then a password change. Maybe not such a big deal with a few
> users, but when you get to tens, hundreds of thousands of users, won't
> this kind of be a problem?
There will be thousands of users for PicketLink IDM. As Bolek can
attest, PL 1.x IDM had that usage.
Pedro, lets review this password/credential issue.
>>> THe 2nd is that for TOTP, you will want to check every device on a
>>> credential validation rather than just one:
>>>
>>> https://issues.jboss.org/browse/PLINK-237
>>>
>>> Our own VPN allows me to set up multiple tokens. I have one on my
>>> iphone and ipad just in case I lose one or the other. OUr VPN allows me
>>> to use either to login in.
>>>
>> Is not a valid option you iterate over user's devices and try each one ?
>>
> Sure, this is why this is an enhancement.
>
More information about the security-dev
mailing list