Request for help on this matter, wherein we want to query whether the security requirements below are supported by Keycloak:

1. Risk Based Authentication
- Capability to build a user profile capturing attributes such as "Device Fingerprint, IP address, User Agent, etc."
- Capability to calculate a risk score for the user log-in request based on different parameters/criteria.
- Capability to configure policies/access rules based on the built user profile & calculated risk score to take an action such as blocking the user/challenging the user.
- Capability to push a notification to the mobile application notifying the user of any attempts to access his profile and giving him the option to grant or deny the access.

2. Enforce Security Measures
- Enforces complex passwords (alphanumeric plus special characters, with at least one upper case char and one lower case char).
- Enforces a configurable length for the password (minimum & maximum).
- Enforces a password history (number of passwords that are remembered and cannot be repeated) of at least 5 passwords.
- Enforces a configurable password expiry period.
- Disallows passwords from being the same as the User ID.
- Enforces password masking. Verify that all password fields do not echo the user's password when it is entered.
- Enforces user profile lock out with a configurable time frame after a configurable number of incorrect password attempts. If the user re-invokes the application, the counter must not be reset (zeroized).
- The current password must always be asked of users for password change functionalities.
- Use of a secret/security question to enable users to reset their password in case it is forgotten.
- Ensure that secret questions are strong enough to protect the application.
- A salt value must also be used when generating password hashes.
- A common message must be used for authentication failures to prevent user enumeration attacks. An example of such a message would be "Invalid Credentials".
- Ensure that all authentication challenges, whether successful or failed, respond in the same average response time.
- All successful and unsuccessful authentication attempts and access attempts to resources must be logged.
- Upon successful log-on, the application displays:
  - The last log-on date for successful attempts
  - The last log-on time for successful attempts
  - The last log-on date for unsuccessful attempts
  - The last log-on time for unsuccessful attempts
  - The number of unsuccessful attempts
  - Logged in User Name (not User ID)
- Ensure that request throttling or Captcha is in place to prevent automated attacks against common authentication attacks such as brute force attacks or denial of service attacks.

In addition, we also require integration with OneSpan as the multi-factor authentication provider.
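As an added illustration (not part of the original post, and not Keycloak project documentation), the realm-import fragment below shows how several of the section 2 requirements map onto Keycloak's realm-level settings: the `passwordPolicy` string covers complexity, minimum length, "not the same as the User ID" (`notUsername`), history of 5 and expiry; `bruteForceProtected` with its thresholds covers the server-side lockout counter, which lives in Keycloak's store rather than in the client and so is not reset when the user re-opens the application; the event settings cover logging of successful and failed logins and password changes. Keycloak salts password hashes itself, so no salt setting is needed. The realm name, the numeric thresholds and the chosen event types are constructed values for this example; `maxLength` is only available in newer Keycloak releases (an assumption about the version in use), and the remaining items (risk scoring, secret questions, last-logon display, OneSpan) are not expressed by this fragment.

```json
{
  "realm": "example-realm",
  "passwordPolicy": "length(12) and maxLength(64) and upperCase(1) and lowerCase(1) and digits(1) and specialChars(1) and notUsername and passwordHistory(5) and forceExpiredPasswordChange(90) and hashAlgorithm(pbkdf2-sha256) and hashIterations(27500)",
  "bruteForceProtected": true,
  "permanentLockout": false,
  "failureFactor": 5,
  "waitIncrementSeconds": 300,
  "maxFailureWaitSeconds": 900,
  "maxDeltaTimeSeconds": 43200,
  "quickLoginCheckMilliSeconds": 1000,
  "minimumQuickLoginWaitSeconds": 60,
  "eventsEnabled": true,
  "eventsExpiration": 2592000,
  "eventsListeners": ["jboss-logging"],
  "enabledEventTypes": [
    "LOGIN",
    "LOGIN_ERROR",
    "LOGOUT",
    "UPDATE_PASSWORD",
    "RESET_PASSWORD",
    "RESET_PASSWORD_ERROR"
  ]
}
```

Read as a checklist: `failureFactor` is the number of consecutive failures before a temporary lockout of `waitIncrementSeconds` (growing up to `maxFailureWaitSeconds`), and `maxDeltaTimeSeconds` is how long failures are remembered before the counter ages out. Because `permanentLockout` is false, accounts unlock on their own, which is the safer default against denial-of-service by deliberately failing someone else's logins. Keycloak's login form already returns the same generic "Invalid username or password" message for unknown users and wrong passwords, but the response-timing and Captcha items still need to be verified against the deployment rather than assumed from configuration.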