Login using random virtual keyboard to a Banking App

[jaocamp]

I have a Banking App in operation and the login is done on the user's side using a random virtual keyboard. We are looking at Kratos to replace our identity and user management and we need to validate how to implement this solution.

The solution involves generating a random number pad when the user opens the Login screen. The user types the ranges that represent his password and this information is sent to the backend.
For example: A 6-digit password that is 123456 is sent to the backend as "password": "5-1, 4-2, 3-8, 4-2, 5-1, 7-6 "

In a very simple way, when the request arrives at our authorization server to validate the login, we carry out the following steps.

• We generate the 64 password possibilities from the random keyboard ranges.
• We validate in parallel if any of the 64 possibilities match the password registered by the user.
• We return the access_token for the App to authorize the entry and use it to perform the following operations within the account.

Is there any way to implement this flow using Kratos?

Below is an alternative that we have considered and discarded:

Implement an adapter in front of Kratos that performs the generation of the 64 password possibilities and call them one by one to validate in the current Kratos login flow.
We would have an overload of http and in Kratos instances because at each login up to 64 requests could be executed for login validation. Furthermore, Kratos could begin to identify this action as a brute force attack.

[vinckr]

Hello @rafaelcam

Sorry for the late response!
Did you make any progress in this issue?
This should be possible, but I am not sure how to actually implement it. Maybe @zepatrik has an idea?

[jaocamp]

I haven't made any progress @vinckr, we are using our own solution as a proxy before Kratos to test all password possibilities currently.