[aerogear-dev] OTP.js

Bruno Oliveira bruno at abstractj.org
Wed May 1 10:28:58 EDT 2013



On Wednesday, May 1, 2013 at 10:01 AM, Sebastien Blanc wrote:

> Interesting ! 
> A few questions (and sorry for maybe the silly questions) : 
> 
> * In the gist, it's mentioned that the secret is stored in the Session Local; a secret is supposed to be reused, right? But with Session Local, the secret will be deleted after each session. Did you maybe mean Local Storage? Or is the secret passed at each new session (which feels strange...)?
> 
> 
> * If the secret is stored on the browser, can a user log in to this webapp when using another device (or do they have to register again)?
Kris nailed these questions. 
> 
> * The secret is passed over the network the first time, isn't that dangerous ;) ?
Sure! Everything in the world is dangerous, even 2 factor authentication (http://www.schneier.com/blog/archives/2005/03/the_failure_of.html) and I'm aware of it. We already have a discussion with the iOS team, because the secret is sent through the network. But QRCode scanners would be complex in iOS land, so we decided to have working code and improve it later.

How the secret will be provided is not a big deal for the initial release; my goals are:

- Generate the secret
- Generate valid OTPs

At the end of the day, developers will choose how they will provide the secret: images, captchas, voice recognition, piece of paper. We're just trying to provide examples about how to send it.

If you look at aerogear-otp-java there's no QRCode there, and that's the idea: you choose.
> 
> 
> * Option 4, with the behind-the-scenes flow, avoids the users having to switch between an OTP and a login screen, right? That seems a nice option.
> 
> * Is something like image based authentication maybe an option to investigate (identify the cat, the boat etc ...) http://www.marketwire.com/press-release/Confident-Technologies-Delivers-Image-Based-Multifactor-Authentication-Strengthen-Passwords-1342854.htm
Looks really interesting Sebi, I didn't get a chance to test anything close to it. You can add features, comments and concerns here if you want: https://github.com/aerogear/aerogear.org/pull/56
> 
> 
> Sebi
Thanks for your review. 
> 
> 
> 
> On Wed, Apr 24, 2013 at 5:59 PM, Matthias Wessendorf <matzew at apache.org (mailto:matzew at apache.org)> wrote:
> > Nice!!!
> > 
> > 
> > On Wednesday, April 24, 2013, Bruno Oliveira wrote:
> > > Morning slackers, I had a meeting with Kris, Luke and Passos about the painless way to provide an OTP implementation for JavaScript.
> > > 
> > > https://gist.github.com/abstractj/d618faceee388a9d403a
> > > 
> > > Basically the scenarios 1 and 4 were chosen to be implemented. Scenarios 2 & 3 would provide bad user experience.
> > > 
> > > I'll start to file some Jiras to myself, if you have any addition, let me know.
> > > 
> > > 
> > > --
> > > "The measure of a man is what he does with power" - Plato
> > > -
> > > @abstractj
> > > -
> > > Volenti Nihil Difficile
> > > 
> > > 
> > > 
> > > _______________________________________________
> > > aerogear-dev mailing list
> > > aerogear-dev at lists.jboss.org
> > > https://lists.jboss.org/mailman/listinfo/aerogear-dev
> > 
> > 
> > 
> > -- 
> > Matthias Wessendorf 
> > 
> > blog: http://matthiaswessendorf.wordpress.com/
> > sessions: http://www.slideshare.net/mwessendorf
> > twitter: http://twitter.com/mwessendorf
> > 
> 
> 