Interesting!
A few questions (and sorry for the maybe silly questions):

* In the gist, it's mentioned that the secret is stored in the Session Local; a secret is supposed to be reused, right? But with Session Local, the secret will be deleted after each session. Did you maybe mean Local Storage? Or is the secret passed at each new session (which feels strange...)?

* If the secret is stored in the browser, can a user log in to this webapp when using another device (has to register again)?

* The secret is passed over the network the first time; isn't that dangerous ;)?

* Option 4, with the behind-the-scenes flow, avoids users having to switch between an OTP and a login screen, right? That seems a nice option.

* Is something like image-based authentication maybe an option to investigate (identify the cat, the boat, etc.)? http://www.marketwire.com/press-release/Confident-Technologies-Delivers-Image-Based-Multifactor-Authentication-Strengthen-Passwords-1342854.htm

Sebi



On Wed, Apr 24, 2013 at 5:59 PM, Matthias Wessendorf <matzew@apache.org> wrote:
Nice!!!


On Wednesday, April 24, 2013, Bruno Oliveira wrote:
Morning slackers, I had a meeting with Kris, Luke and Passos about the painless way to provide an OTP implementation for JavaScript.

https://gist.github.com/abstractj/d618faceee388a9d403a

Basically, scenarios 1 and 4 were chosen to be implemented. Scenarios 2 & 3 would provide a bad user experience.

I'll start to file some Jiras for myself; if you have any additions, let me know.


--
"The measure of a man is what he does with power" - Plato
-
@abstractj
-
Volenti Nihil Difficile



_______________________________________________
aerogear-dev mailing list
aerogear-dev@lists.jboss.org
https://lists.jboss.org/mailman/listinfo/aerogear-dev


--
Matthias Wessendorf

blog: http://matthiaswessendorf.wordpress.com/
sessions: http://www.slideshare.net/mwessendorf
twitter: http://twitter.com/mwessendorf
