On Wed, May 1, 2013 at 4:28 PM, Bruno Oliveira <bruno(a)abstractj.org> wrote:
On Wednesday, May 1, 2013 at 10:01 AM, Sebastien Blanc wrote:
> Interesting !
> A few questions (and sorry for maybe the silly questions) :
>
> * In the gist, it's mentioned that the secret is stored in the Session
> Local, a secret is supposed to be reused, right ? But with session Local,
> the secret will be deleted after each session, did you maybe mean Local
> Storage ? Or is the secret passed at each new session (which feels
> strange...) ?
>
>
> * If the secret is stored on the browser, can a user log in on this
> webapp when using another device (or has to register again) ?
Kris nailed these questions.
>
> * The secret is passed over the network the first time, isn't that
> dangerous ;) ?
Sure! Everything in the world is dangerous, even 2 factor authentication (
http://www.schneier.com/blog/archives/2005/03/the_failure_of.html) and
I'm aware of it. We already have a discussion with the iOS team, because the
secret is sent through the network. But QRCode scanners would be complex
in iOS land, so we decided to have working code and improve it later.
How the secret will be provided is not a big deal for the initial release;
my goals are:
- Generate the secret
- Generate valid OTPs
At the end of the day, developers will choose how they will provide the
secret: images, captchas, voice recognition, a piece of paper. We're just
trying to provide examples about how to send it.
If you look at aerogear-otp-java there's no QRCode there, and that's the
idea: you choose.
>
>
> * Option 4, with the behind-the-scenes flow, avoids users having to switch
> between an OTP and a login screen, right ? That seems a nice option
>
> * Is something like image based authentication maybe an option to
> investigate (identify the cat, the boat etc ...)
> http://www.marketwire.com/press-release/Confident-Technologies-Delivers-I...
Looks really interesting Sebi, I didn't get a chance to test anything
close to it. You can add features, comments and concerns here if you want
https://github.com/aerogear/aerogear.org/pull/56
>
>
Sure, I will try to update the PR. I also found on this same site this demo,
looks nice:
http://confidenttechnologies.com/demos/mobile-authentication-demo
> Sebi
Thanks for your review.
>
>
>
> On Wed, Apr 24, 2013 at 5:59 PM, Matthias Wessendorf <matzew(a)apache.org> wrote:
> > Nice!!!
> >
> >
> > On Wednesday, April 24, 2013, Bruno Oliveira wrote:
> > > Morning slackers, I had a meeting with Kris, Luke and Passos about
> > > the painless way to provide an OTP implementation for JavaScript.
> > >
> > >
> > > https://gist.github.com/abstractj/d618faceee388a9d403a
> > >
> > > Basically the scenarios 1 and 4 were chosen to be implemented.
> > > Scenarios 2 & 3 would provide bad user experience.
> > >
> > > I'll start to file some Jiras to myself, if you have any addition,
> > > let me know.
> > >
> > >
> > > --
> > > "The measure of a man is what he does with power" - Plato
> > > -
> > > @abstractj
> > > -
> > > Volenti Nihil Difficile
> > >
> > >
> > >
> > > _______________________________________________
> > > aerogear-dev mailing list
> > > aerogear-dev(a)lists.jboss.org
> > > https://lists.jboss.org/mailman/listinfo/aerogear-dev
> >
> >
> >
> > --
> > Matthias Wessendorf
> >
> > blog: http://matthiaswessendorf.wordpress.com/
> > sessions: http://www.slideshare.net/mwessendorf
> > twitter: http://twitter.com/mwessendorf
> >
>
>