<div dir="ltr"><br><div class="gmail_extra"><br><br><div class="gmail_quote">On Wed, May 1, 2013 at 4:28 PM, Bruno Oliveira <span dir="ltr"><<a href="mailto:bruno@abstractj.org" target="_blank">bruno@abstractj.org</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"><div class="im"><br>
<br>
On Wednesday, May 1, 2013 at 10:01 AM, Sebastien Blanc wrote:<br>
<br>
> Interesting !<br>
> A few questions (and sorry for maybe the silly questions) :<br>
><br>
> * In the gist, it's mentioned that the secret is stored in the Session Local. A secret is supposed to be reused, right? But with Session Local, the secret will be deleted after each session; did you maybe mean Local Storage? Or is the secret passed at each new session (which feels strange...)?<br>
><br>
><br>
> * If the secret is stored in the browser, can a user log in to this webapp when using another device (does he have to register again)?<br>
</div>Kris nailed these questions.<br>
<div class="im">><br>
> * The secret is passed over the network the first time, isn't that dangerous ;) ?<br>
</div>Sure! Everything in the world is dangerous, even 2-factor authentication (<a href="http://www.schneier.com/blog/archives/2005/03/the_failure_of.html" target="_blank">http://www.schneier.com/blog/archives/2005/03/the_failure_of.html</a>) and I'm aware of it. We already have a discussion with the iOS team, because the secret is sent through the network. But since QR code scanners would be complex in iOS land, we decided to have working code and improve it later.<br>
<br>
How the secret will be provided is not a big deal for the initial release; my goals are:<br>
<br>
- Generate the secret<br>
- Generate valid OTPs<br>
<br>
At the end of the day, developers will choose how they will provide the secret: images, captchas, voice recognition, a piece of paper. We're just trying to provide examples of how to send it.<br>
<br>
If you look at aerogear-otp-java, there's no QR code there, and that's the idea: you choose.<br>
<div class="im">><br>
><br>
> * Option 4, with the behind-the-scenes flow, avoids users having to switch between an OTP and a login screen, right? That seems a nice option.<br>
><br>
> * Is something like image-based authentication maybe an option to investigate (identify the cat, the boat, etc.)? <a href="http://www.marketwire.com/press-release/Confident-Technologies-Delivers-Image-Based-Multifactor-Authentication-Strengthen-Passwords-1342854.htm" target="_blank">http://www.marketwire.com/press-release/Confident-Technologies-Delivers-Image-Based-Multifactor-Authentication-Strengthen-Passwords-1342854.htm</a><br>
</div>Looks really interesting, Sebi; I didn't get a chance to test anything close to it. You can add features, comments and concerns here if you want: <a href="https://github.com/aerogear/aerogear.org/pull/56" target="_blank">https://github.com/aerogear/aerogear.org/pull/56</a><br>
><br>
><br></blockquote><div style>Sure, I will try to update the PR. I also found this demo on the same site, looks nice: <a href="http://confidenttechnologies.com/demos/mobile-authentication-demo">http://confidenttechnologies.com/demos/mobile-authentication-demo</a></div>
<div style><br></div><div style><br></div><div> </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
> Sebi<br>
Thanks for your review.<br>
<div class="im">><br>
><br>
><br>
> On Wed, Apr 24, 2013 at 5:59 PM, Matthias Wessendorf <<a href="mailto:matzew@apache.org">matzew@apache.org</a>> wrote:<br>
> > Nice!!!<br>
> ><br>
> ><br>
> > On Wednesday, April 24, 2013, Bruno Oliveira wrote:<br>
> > > Morning slackers, I had a meeting with Kris, Luke and Passos about the painless way to provide an OTP implementation for JavaScript.<br>
> > ><br>
> > > <a href="https://gist.github.com/abstractj/d618faceee388a9d403a" target="_blank">https://gist.github.com/abstractj/d618faceee388a9d403a</a><br>
> > ><br>
> > > Basically the scenarios 1 and 4 were chosen to be implemented. Scenarios 2 & 3 would provide bad user experience.<br>
> > ><br>
> > > I'll start to file some Jiras to myself, if you have any addition, let me know.<br>
> > ><br>
> > ><br>
> > > --<br>
> > > "The measure of a man is what he does with power" - Plato<br>
> > > -<br>
> > > @abstractj<br>
> > > -<br>
> > > Volenti Nihil Difficile<br>
> > ><br>
> > ><br>
> > ><br>
> > > _______________________________________________<br>
> > > aerogear-dev mailing list<br>
> > > <a href="mailto:aerogear-dev@lists.jboss.org">aerogear-dev@lists.jboss.org</a><br>
> > > <a href="https://lists.jboss.org/mailman/listinfo/aerogear-dev" target="_blank">https://lists.jboss.org/mailman/listinfo/aerogear-dev</a><br>
> ><br>
> ><br>
> ><br>
> > --<br>
> > Matthias Wessendorf<br>
> ><br>
> > blog: <a href="http://matthiaswessendorf.wordpress.com/" target="_blank">http://matthiaswessendorf.wordpress.com/</a><br>
> > sessions: <a href="http://www.slideshare.net/mwessendorf" target="_blank">http://www.slideshare.net/mwessendorf</a><br>
> > twitter: <a href="http://twitter.com/mwessendorf" target="_blank">http://twitter.com/mwessendorf</a><br>
> ><br>
</div>
><br>
><br>
<div class=""><div class="h5"><br>
</div></div></blockquote></div><br></div></div>