[keycloak-dev] Usability: Improve screen for setup TOTP

乗松隆志 / NORIMATSU,TAKASHI takashi.norimatsu.ws at hitachi.com
Sun Nov 24 23:39:28 EST 2019 

Hello,

As Marek said, it seems not to be possible to retrieve a webauthn authenticator's information on its registration. Please refer to the section "Public Key Credential - Managed Information on Public Key Credential - Metadata - Metadata candidates consideration" of design document (https://github.com/keycloak/keycloak-community/blob/master/design/web-authn-authenticator.md).

Regards,
Takashi Norimatsu
Hitachi, Ltd.

From: Marek Posolda <mposolda at redhat.com>
Sent: Friday, November 22, 2019 8:38 PM
To: Jan Lieskovsky <jlieskov at redhat.com>; Stian Thorgersen <stian at redhat.com>
Cc: keycloak-dev at lists.jboss.org; 乗松隆志 / NORIMATSU,TAKASHI <takashi.norimatsu.ws at hitachi.com>
Subject: [!]Re: [keycloak-dev] Usability: Improve screen for setup TOTP

On 22. 11. 19 12:13, Jan Lieskovsky wrote:


On Fri, Nov 22, 2019 at 11:37 AM Stian Thorgersen <sthorger at redhat.com<mailto:sthorger at redhat.com>> wrote:
Auto-generated labels like "Phone 1", etc. just looks stupid. I would
rather make the label optional for the first one, but mandatory for the
second one.

I like this approach. Should we use some base / template name for the first one,
something like "Default one-time token", rather than just allow blank name?
Yes, so if "device name" will be optional (or even not present) for the first OTP, and we don't want to auto-generate anything, then we can always end in situations when some of the OTP doesn't have label. Then during authentication, display nothing or display UUID seems to be even more stupid than display something auto-generated like "Phone 1" IMO :) So question is what to display? Not sure that "Default" works, as the OTP without label doesn't necessarily be the default one... Right now, I can't come with anything better than "Phone 1" TBH... ;)



A second one can only be added through the account console
anyways and the users can then add a label to the first one if they didn't
already do it.

Then can add or should be required to add?
Yes, it will be nice if we can "force" user to add label to first OTP after he registers second OTP. But I doubt it will be possible to do it in nice and friendly way...



For OTP I would consider not asking for a label for the
first one. For WebAuthn I would always ask for one. By the way doesn't the
WebAuthn registration include details about the device? Can't the device
name from that be used as the label?

It's possible. If (re)-using this information, should we ask the user for approval to be
able to use it? (not to possibly leak something, they wouldn't want to be used) Or just use it?

I think it's not reliably possible to retrieve details about device from the WebAuthn registration. At least in a way that device info is possible to use as a label. CCing Takashi Norimatsu, who can possibly confirm. I agree that label should be mandatory during WebAuthn registration and it is how it works today. Also Google works this way and requires some label to be added AFAIK.

Marek


and you are right. UA parser doesn't help as most will probably register
from their desktop, not the phone, so would be the wrong device name.

Device name or Phone name, either works to be honest. I'd say Phone is
better as 99% will use an app on a phone, not on the desktop, but okay with
Device name as well.

In the new account console it shouldn't display "Device name", but rather
just have it as a label next to the credential-name, and it should use
something like cards, not tables. So would be something like:

-------------------------------------------------------
Authenticator app [Samsung]        [default]
-------------------------------------------------------
Authenticator app [My tablet]
-------------------------------------------------------
Security key [YubiCo]
-------------------------------------------------------

Similar here, if we are able somehow to extract the information in the square brackets
from the underlying device automagically, should we ask the user for the approval to use it?
(since it would be displayed on the following auth screens later)





On Fri, 22 Nov 2019 at 10:56, Marek Posolda <mposolda at redhat.com<mailto:mposolda at redhat.com>> wrote:

> On 22. 11. 19 10:36, Stian Thorgersen wrote:
>
> For "Device name" field. What about "Phone name" and prefilling it with
> the name of the phone? We have the UA parser thing right so can just use
> the value from that?
>
> Hmm, but UA parser is used for parsing requests sent to Keycloak server
> AFAIK? And in case of OTP, the phone doesn't send any requests and doesn't
> directly communicate with Keycloak server. So not sure how UA parser could
> help?
>
> Marek
>
>
> On Fri, 22 Nov 2019 at 10:34, Stian Thorgersen <sthorger at redhat.com<mailto:sthorger at redhat.com>>
> wrote:
>
>> +1 "To try another way", but that should only be displayed if the user is
>> requested to setup two-factor and there are more choices. If a user has
>> selected to enable OTP through the account console (AIA) it should not be
>> displayed.
>>
>> On Thu, 21 Nov 2019 at 15:24, Marek Posolda <mposolda at redhat.com<mailto:mposolda at redhat.com>> wrote:
>>
>>> On 21. 11. 19 12:02, Marek Posolda wrote:
>>> >
>>> > I want to ask some feedback about the screen for the "Setup TOTP" .
>>> > I've created JIRA https://issues.jboss.org/browse/KEYCLOAK-12168<https://clicktime.symantec.com/36h3ZEmhVdwmTW8jGa7GoQp7Vc?u=https%3A%2F%2Fissues.jboss.org%2Fbrowse%2FKEYCLOAK-12168> ,
>>> > which contains some screenshot of how currently the screen for the
>>> > required action for "Setup OTP" looks like. In other words, this is
>>> > displayed to the user at the end of the authentication when he has
>>> > "Setup TOTP" required action on him.
>>> >
>>> > Few questions:
>>> >
>>> >   * Is the "Device name" appropriate label? Would something like
>>> >     "Authenticator App Label" be better?
>>> >
>>> >   * Should it be more emphasized that "Authenticator App Label" is not
>>> >     mandatory? IMO it is currently not very clear. Also there is
>>> >     nothing in the help-text about this input field. Maybe we can add
>>> >     another sentence to point 3 like "Optionally provide Authenticator
>>> >     App Label as a reference." I am not very happy with that sentence.
>>> >     Any better ideas?
>>> >
>>> >   * Alternatively we can use separate screen for providing the
>>> >     "Authenticator App Label" . In other words, there will be just
>>> >     single input for OTP code and than once user clicks "Submit" and
>>> >     OTP code is successfully verified, there will be another screen
>>> >     where he can provide "Authenticator App Label" . It seems Google
>>> >     is using separate screen for providing labels when user register
>>> >     Security Key.
>>> >
>>> >   * Any better ideas?
>>> >
>>> >   * We can possibly improve the old account console in similar manner.
>>> >     Currently it looks like in screenshot setup-otp-account-mgmt.png .
>>> >     Maybe we can at least change the label for "Device name" and also
>>> >     add another sentence to the help text?
>>> >
>>> One more point: At the bottom of the page for register TOTP, we possibly
>>> need the link "Try another way" or something like that. This link will
>>> be displayed just if user is currently trying to "Register 2nd factor
>>> credential" because he is required to do so, and he has some more
>>> alternative credential types to register (EG. WebAuthn).
>>>
>>> Marek
>>>
>>> > Thanks,
>>> >
>>> > Marek
>>> >
>>>
>>> _______________________________________________
>>> keycloak-dev mailing list
>>> keycloak-dev at lists.jboss.org<mailto:keycloak-dev at lists.jboss.org>
>>> https://lists.jboss.org/mailman/listinfo/keycloak-dev<https://clicktime.symantec.com/3JwgQ7BtYMhUXxZsHUjQ6ZT7Vc?u=https%3A%2F%2Flists.jboss.org%2Fmailman%2Flistinfo%2Fkeycloak-dev>
>>>
>>>
>
_______________________________________________
keycloak-dev mailing list
keycloak-dev at lists.jboss.org<mailto:keycloak-dev at lists.jboss.org>
https://lists.jboss.org/mailman/listinfo/keycloak-dev<https://clicktime.symantec.com/3JwgQ7BtYMhUXxZsHUjQ6ZT7Vc?u=https%3A%2F%2Flists.jboss.org%2Fmailman%2Flistinfo%2Fkeycloak-dev>

More information about the keycloak-dev mailing list