[security-dev] managing OTP

Anil Saldhana Anil.Saldhana at redhat.com
Mon Aug 12 22:31:49 EDT 2013


On 08/12/2013 08:38 AM, Pedro Igor Silva wrote:
> ----- Original Message -----
>> From: "Anil Saldhana" <Anil.Saldhana at redhat.com>
>> To: security-dev at lists.jboss.org
>> Sent: Monday, August 12, 2013 10:23:07 AM
>> Subject: Re: [security-dev] managing OTP
>>
>> On 08/12/2013 08:20 AM, Bill Burke wrote:
>>> On 8/12/2013 6:19 AM, Pedro Igor Silva wrote:
>>>> ----- Original Message -----
>>>>> From: "Bill Burke" <bburke at redhat.com>
>>>>> To: security-dev at lists.jboss.org
>>>>> Sent: Sunday, August 11, 2013 8:58:27 AM
>>>>> Subject: [security-dev] managing OTP
>>>>>
>>>>> There's a few issues with managing credentials.  The first is, there is
>>>>> no way to remove a credential.  This is essential to TOTP as you may end
>>>>> up with a lost or obsolete device.
>>>>>
>>>>> https://issues.jboss.org/browse/PLINK-236
>>>>>
>>>> I missed that too and have discussed that with Shane a long time ago. The
>>>> idea is to have a history of all account's credentials.
>>>>
>>> The reason for this is?
>>>
>>>> If a device becomes obsolete, you just set an expiration date.
>>>>
>>> It's not just TOTP, same with password.  Every time a user has a lost
>>> password two new obsolete ones are added to the database:  temporary
>>> one, then a password change.  Maybe not such a big deal with a few
>>> users, but when you get to tens, hundreds of thousands of users, won't
>>> this kind of be a problem?
>> There will be thousands of users for PicketLink IDM. As Bolek can
>> attest, PL 1.x IDM had that usage.
>> Pedro, let's review this password/credential issue.
>>
> Let's do this.
During discussion this morning, we thought of the following:
configurable history of passwords (0, 1, 10, 20 to all).
>
>>>>> The 2nd is that for TOTP, you will want to check every device on a
>>>>> credential validation rather than just one:
>>>>>
>>>>> https://issues.jboss.org/browse/PLINK-237
>>>>>
>>>>> Our own VPN allows me to set up multiple tokens.  I have one on my
>>>>> iPhone and iPad just in case I lose one or the other.  Our VPN allows me
>>>>> to use either to log in.
>>>>>
>>>> Isn't it a valid option to iterate over the user's devices and try each one?
>>>>
>>> Sure, this is why this is an enhancement.
>>>
>>>
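The two points raised in the thread, validating a TOTP code against every registered device rather than just one, and retiring an obsolete device by setting an expiration date instead of deleting it, as an added example that is not PicketLink code: a small RFC 6238 validator in Python. Device names, secrets and the fixed timestamp are constructed for the example.

```python
# Added example, not PicketLink code: TOTP (RFC 6238, HMAC-SHA1, 30 s step,
# 6 digits) validated across all of a user's active devices, with
# expiration used to retire a lost or obsolete device.
import hashlib
import hmac
import struct
import time
from dataclasses import dataclass
from typing import List, Optional

STEP = 30      # time step in seconds
DIGITS = 6
WINDOW = 1     # accept one step of clock drift on either side


@dataclass
class TotpDevice:
    name: str
    secret: bytes                        # shared secret provisioned to the device
    expires_at: Optional[float] = None   # epoch seconds; None means still active

    def active(self, now: float) -> bool:
        return self.expires_at is None or now < self.expires_at


def totp_code(secret: bytes, counter: int) -> str:
    """HOTP dynamic truncation (RFC 4226) over the time counter."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % 10 ** DIGITS:0{DIGITS}d}"


def validate_totp(devices: List[TotpDevice], code: str,
                  now: Optional[float] = None) -> Optional[str]:
    """Try every active device; return the matching device's name or None."""
    now = time.time() if now is None else now
    counter = int(now // STEP)
    for dev in devices:
        if not dev.active(now):
            continue  # expired device is kept for history but never consulted
        for drift in range(-WINDOW, WINDOW + 1):
            if hmac.compare_digest(totp_code(dev.secret, counter + drift), code):
                return dev.name
    return None


def revoke_device(devices: List[TotpDevice], name: str, now: float) -> None:
    """Retire a device by expiring it now; the record itself is not deleted."""
    for dev in devices:
        if dev.name == name and dev.active(now):
            dev.expires_at = now
```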