[keycloak-dev] Why do I have to enter the OTP?

Juraci Paixão Kröhling juraci at kroehling.de
Wed Jan 14 02:36:54 EST 2015


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 01/13/2015 05:11 PM, Bill Burke wrote:
> Why does a user have to enter in the OTP generated by their mobile
>  device?  Wouldn't it be cooler if the steps were:
> 
> 1. Enter in username password in the browser
> 2. Browser blocks and wait for...
> 3. Press a button on your OTP iphone app
> 4. iphone app sends an HTTP message to Keycloak with username and
>    generated OTP (in background)
> 5. Keycloak sees if a browser app is waiting for OTP verification,
>    then verifies OTP if so.

How do you ensure that this browser is the same as the real user, and
not from an attacker?

> 6. Browser unblocks and lets user in.
> 
> Now, the user doesn't ever have to enter the OTP (and mess it up
> like I do all the time).  They just need their mobile device.

I haven't seen any mention of SQRL on this list yet, so, if you are
looking for a way to make the login process "easier" for the final user
(easier being veeery subjective here), then this might be of interest:
https://www.grc.com/sqrl/sqrl.htm

- - Juca.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQEcBAEBAgAGBQJUthyWAAoJEDnJtskdmzLMU7cIAIQjTD3mMP2FqIpy/0tc82rs
jgjNqZbtKDIMbBPPhSs0jMIoVfqSY/2ybIxMLpXBW2kNLKxVKrz6mY7bbifRlXbK
uvDh8t6LXM45Q6sEetmnTCgxnD1AtbkypJh0RZH6KXUzshQVPqfPaPqCz79p5V32
87XnAUU9hFXL4ECOFSKHOg8KZIkXYwFZb72MmjPWkh6/m85VkDeLvSRtFYczobJZ
Joe71n/rhm+G+pM2uq8jONslKQeqvIluzp6tw3l0CVpez8R/KI/yA/4rnhd4Lj5m
Dkl/0Gha/Q50nyswTAM22jrN8StXvjARCCH8RmqX6DdB6fADCFTVtzloa44WcNM=
=OFPT
-----END PGP SIGNATURE-----
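
The question raised above (how does Keycloak know which waiting browser the phone's OTP belongs to?) can be made concrete with a small simulation of the proposed flow. This is an added example, not code from the thread or from Keycloak: `PendingLoginServer` is a hypothetical stand-in for the server-side "browser blocks and waits" state, the shared secret and timestamp are constructed, and the `require_binding` switch contrasts the proposal as written (pending logins matched by username only) with one common mitigation, a short binding code shown in the waiting browser that the user must confirm on the phone so the approval lands on that session and no other.

```python
import hashlib
import hmac
import secrets
import struct

# Constructed demo shared secret; in a real deployment it comes from OTP enrolment.
OTP_SECRET = b"constructed-demo-secret-not-real"


def totp(secret: bytes, for_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1, as the phone app in the proposal would compute it."""
    counter = struct.pack(">Q", for_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class PendingLoginServer:
    """Hypothetical server-side state for the 'browser blocks and waits' flow.

    require_binding=False: the proposal as written; pending logins are found by
    username only, so the phone's approval releases every browser waiting on that
    account, whoever started those sessions.
    require_binding=True: each waiting browser is given a short code the user must
    confirm on the phone, binding the approval to the session the user is looking at.
    """

    def __init__(self, require_binding: bool):
        self.require_binding = require_binding
        self.pending = {}  # session_id -> {"username", "binding", "approved"}

    def start_login(self, username: str, password_ok: bool) -> dict:
        # Steps 1-2: first factor accepted, browser now waits. The session id is what
        # the browser polls with; the binding code is what it displays to the user.
        if not password_ok:
            raise PermissionError("first factor failed")
        session_id = secrets.token_hex(8)
        binding = None
        if self.require_binding:
            # keep codes unique among pending sessions so a collision can't cross-approve
            while binding is None or any(p["binding"] == binding for p in self.pending.values()):
                binding = f"{secrets.randbelow(1000):03d}"
        self.pending[session_id] = {"username": username, "binding": binding, "approved": False}
        return {"session_id": session_id, "binding_code": binding}

    def mobile_approve(self, username: str, otp: str, now: int, binding_code=None) -> list:
        # Steps 4-5: phone posts username + OTP; server verifies the OTP and approves
        # the matching waiting browser(s). Returns the session ids it approved.
        if not hmac.compare_digest(otp, totp(OTP_SECRET, now)):
            return []
        approved = []
        for sid, p in self.pending.items():
            if p["username"] != username or p["approved"]:
                continue
            if self.require_binding and p["binding"] != binding_code:
                continue  # the phone confirmed a code this browser never displayed
            p["approved"] = True
            approved.append(sid)
        return approved

    def browser_poll(self, session_id: str) -> bool:
        # Step 6: the browser unblocks once its own session is approved.
        return self.pending[session_id]["approved"]


def demo(require_binding: bool) -> dict:
    """Two browsers wait on the same username; the phone approves once, confirming the
    code shown in the user's own browser. Returns which browsers get in."""
    server = PendingLoginServer(require_binding)
    now = 1421220000  # constructed fixed timestamp so the OTP is reproducible
    user_browser = server.start_login("alice", password_ok=True)
    other_browser = server.start_login("alice", password_ok=True)  # a second session for the same account
    code = totp(OTP_SECRET, now)
    server.mobile_approve("alice", code, now, binding_code=user_browser["binding_code"])
    return {
        "user": server.browser_poll(user_browser["session_id"]),
        "other": server.browser_poll(other_browser["session_id"]),
    }


if __name__ == "__main__":
    print("username-only matching:", demo(False))  # both sessions approved
    print("with binding code:     ", demo(True))   # only the user's session approved
```

Without binding, `demo(False)` approves both waiting sessions because the server has nothing but the username to match on; with binding, `demo(True)` approves only the session whose displayed code the user confirmed. The binding code is not a secret (it only needs to be unique among pending logins for that account), but it does require the user to look at the browser, which is exactly the step the proposal wanted to remove.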
