<html><head><meta http-equiv="Content-Type" content="text/html charset=windows-1252"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; "><br><div><div>On May 1, 2013, at 8:01 AM, Sebastien Blanc <<a href="mailto:scm.blanc@gmail.com">scm.blanc@gmail.com</a>> wrote:</div><br class="Apple-interchange-newline"><blockquote type="cite"><div dir="ltr">Interesting ! <div style="">A few questions (and sorry for maybe the silly questions) : </div><div style=""><br></div><div style="">* In the gist, it's mentioned that the secret is stored in the Session Local, a secret is supposed to be reused, right ? But with session Local, the secret will be deleted after each session, did you maybe mean Local Storage ? Or does the secret is passed at each new session (which feels strange...) ?</div></div></blockquote><div><br></div>I assume he meant the SessionLocal adapter for DataManager, using the localStorage side of it.<br><blockquote type="cite"><div dir="ltr">
<div style=""><br></div><div style="">* If the secret is stored on the browser and can an user login on this webapp when using another device (has to register again) ?</div></div></blockquote><div><br></div>Yes, I believe another registration would have to happen but is that any different then if I had 2 soft tokens for the VPN? The would both have to be registered, right?<br><blockquote type="cite"><div dir="ltr"><div style=""><br></div><div style="">* The secret is passed over the network the first time, isn't that dangerous ;) ?</div></div></blockquote><div><br></div>Yes, just like storing the secret in localStorage isn't exactly safe either. We're still exploring right now. I think Bruno plans to start putting some code together and then we'll review and see if we can find ways to make it more secure. JS is hard! ;)</div><div><blockquote type="cite"><div dir="ltr">
<div style=""><br></div><div style="">* Option 4, with behind the scene flow, avoid the users to switch between an OTP and a login screen, right ? That seems a nice option</div></div></blockquote><div><br></div>Agree<br><blockquote type="cite"><div dir="ltr"><div style=""><br></div><div style="">* Is something like image based authentication maybe an option to investigate (identify the cat, the boat etc ...) <a href="http://www.marketwire.com/press-release/Confident-Technologies-Delivers-Image-Based-Multifactor-Authentication-Strengthen-Passwords-1342854.htm">http://www.marketwire.com/press-release/Confident-Technologies-Delivers-Image-Based-Multifactor-Authentication-Strengthen-Passwords-1342854.htm</a> </div></div></blockquote><div><br></div>Hmmm, I didn't think about that. I like that much more than captcha. We would have to think about if we supply images, the app dev supplies them, both? I would be interested in exploring that … one issue though is that would not be friendly to the visually impaired so probably not the best option now that I think more about it. Maybe pairing with audio could be an option?</div><div><blockquote type="cite"><div dir="ltr">
<div style=""><br></div><div style="">Sebi</div><div style=""><br></div></div><div class="gmail_extra"><br><br><div class="gmail_quote">On Wed, Apr 24, 2013 at 5:59 PM, Matthias Wessendorf <span dir="ltr"><<a href="mailto:matzew@apache.org" target="_blank">matzew@apache.org</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Nice!!!<div class="HOEnZb"><div class="h5"><span></span><br><br>On Wednesday, April 24, 2013, Bruno Oliveira wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Morning slackers, I had a meeting with Kris, Luke and Passos about the painless way to provide an OTP implementation for JavaScript.<br>
<br>
<a href="https://gist.github.com/abstractj/d618faceee388a9d403a" target="_blank">https://gist.github.com/abstractj/d618faceee388a9d403a</a><br>
<br>
Basically the scenarios 1 and 4 were chosen to be implemented. Scenarios 2 & 3 would provide bad user experience.<br>
<br>
I'll start to file some Jiras to myself, if you have any addition, let me know.<br>
<br>
<br>
--<br>
"The measure of a man is what he does with power" - Plato<br>
-<br>
@abstractj<br>
-<br>
Volenti Nihil Difficile<br>
<br>
<br>
<br>
_______________________________________________<br>
aerogear-dev mailing list<br>
<a>aerogear-dev@lists.jboss.org</a><br>
<a href="https://lists.jboss.org/mailman/listinfo/aerogear-dev" target="_blank">https://lists.jboss.org/mailman/listinfo/aerogear-dev</a><br>
</blockquote><br><br></div></div><span class="HOEnZb"><font color="#888888">-- <br>Matthias Wessendorf <br><br>blog: <a href="http://matthiaswessendorf.wordpress.com/" target="_blank">http://matthiaswessendorf.wordpress.com/</a><br>
sessions: <a href="http://www.slideshare.net/mwessendorf" target="_blank">http://www.slideshare.net/mwessendorf</a><br>
twitter: <a href="http://twitter.com/mwessendorf" target="_blank">http://twitter.com/mwessendorf</a><br>
</font></span><br>_______________________________________________<br>
aerogear-dev mailing list<br>
<a href="mailto:aerogear-dev@lists.jboss.org">aerogear-dev@lists.jboss.org</a><br>
<a href="https://lists.jboss.org/mailman/listinfo/aerogear-dev" target="_blank">https://lists.jboss.org/mailman/listinfo/aerogear-dev</a><br></blockquote></div><br></div>
_______________________________________________<br>aerogear-dev mailing list<br><a href="mailto:aerogear-dev@lists.jboss.org">aerogear-dev@lists.jboss.org</a><br>https://lists.jboss.org/mailman/listinfo/aerogear-dev</blockquote></div><br></body></html>