Interesting!
A few questions (and sorry if these are maybe silly questions):
* In the gist, it's mentioned that the secret is stored in Session Local. A secret is supposed to be reused, right? But with Session Local, the secret will be deleted after each session; did you maybe mean Local Storage? Or is the secret passed at each new session (which feels strange...)?
I assume he meant the SessionLocal adapter for DataManager, using the localStorage side of it.
* If the secret is stored in the browser, can a user log in to this webapp when using another device (or do they have to register again)?
Yes, I believe another registration would have to happen, but is that any different than if I had 2 soft tokens for the VPN? They would both have to be registered, right?
* The secret is passed over the network the first time; isn't that dangerous? ;)
Yes, just like storing the secret in localStorage isn't exactly safe either. We're still exploring right now. I think Bruno plans to start putting some code together and then we'll review and see if we can find ways to make it more secure. JS is hard! ;)
* Option 4, with the behind-the-scenes flow, avoids making users switch between an OTP and a login screen, right? That seems like a nice option.
Agree
Hmmm, I didn't think about that. I like that much more than captcha. We would have to think about whether we supply images, the app dev supplies them, or both? I would be interested in exploring that … one issue though is that it would not be friendly to the visually impaired, so probably not the best option now that I think more about it. Maybe pairing with audio could be an option?