On Wednesday, May 1, 2013 at 10:01 AM, Sebastien Blanc wrote:
Interesting!
A few questions (and sorry if these are silly questions):
* In the gist, it's mentioned that the secret is stored in the Session Local; a
secret is supposed to be reused, right? But with Session Local, the secret will be
deleted after each session. Did you maybe mean Local Storage? Or is the secret
passed at each new session (which feels strange...)?
* If the secret is stored in the browser, can a user log in to this webapp when using
another device (do they have to register again)?
Kris nailed these questions.
* The secret is passed over the network the first time; isn't that dangerous ;)?
Sure! Everything in the world is dangerous, even 2-factor authentication
(http://www.schneier.com/blog/archives/2005/03/the_failure_of.html), and I'm aware of
it. We already had a discussion with the iOS team, because the secret is sent over the
network. But QR code scanners would be complex in iOS land, so we decided to have working
code and improve it later.
How the secret will be provided is not a big deal for the initial release; my goals are:
- Generate the secret
- Generate valid OTPs
At the end of the day, developers will choose how they provide the secret: images,
captchas, voice recognition, a piece of paper. We're just trying to provide examples
of how to send it.
If you look at aerogear-otp-java there's no QR code there, and that's the idea: you
choose.
* Option 4, with the behind-the-scenes flow, avoids users having to switch between an OTP and a
login screen, right? That seems a nice option.
* Is something like image-based authentication maybe an option to investigate (identify
the cat, the boat, etc.)?
http://www.marketwire.com/press-release/Confident-Technologies-Delivers-I...
Looks really interesting Sebi, I didn't get a chance to test anything close to
it. You can add features, comments and concerns here if you want:
https://github.com/aerogear/aerogear.org/pull/56
Sebi, thanks for your review.
On Wed, Apr 24, 2013 at 5:59 PM, Matthias Wessendorf <matzew(a)apache.org> wrote:
> Nice!!!
>
>
> On Wednesday, April 24, 2013, Bruno Oliveira wrote:
> > Morning slackers, I had a meeting with Kris, Luke and Passos about the painless
> > way to provide an OTP implementation for JavaScript.
> >
> > https://gist.github.com/abstractj/d618faceee388a9d403a
> >
> > Basically, scenarios 1 and 4 were chosen to be implemented. Scenarios 2
> > & 3 would provide a bad user experience.
> >
> > I'll start to file some Jiras for myself; if you have any additions, let me
> > know.
> >
> >
> > --
> > "The measure of a man is what he does with power" - Plato
> > -
> > @abstractj
> > -
> > Volenti Nihil Difficile
> >
> >
> >
> > _______________________________________________
> > aerogear-dev mailing list
> > aerogear-dev(a)lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/aerogear-dev
>
>
>
> --
> Matthias Wessendorf
>
> blog: http://matthiaswessendorf.wordpress.com/
> sessions: http://www.slideshare.net/mwessendorf
> twitter: http://twitter.com/mwessendorf
>