9:57 a.m.
Morning slackers, I had a meeting with Kris, Luke and Passos about the painless way to
provide an OTP implementation for JavaScript.
https://gist.github.com/abstractj/d618faceee388a9d403a
Basically the scenarios 1 and 4 were chosen to be implemented. Scenarios 2 & 3 would
provide bad user experience.
I'll start to file some Jiras to myself, if you have any addition, let me know.
--
"The measure of a man is what he does with power" - Plato
-
@abstractj
-
Volenti Nihil Difficile
10:59 a.m.
Nice!!!
On Wednesday, April 24, 2013, Bruno Oliveira wrote:
Morning slackers, I had a meeting with Kris, Luke and Passos about
the
painless way to provide an OTP implementation for JavaScript.
https://gist.github.com/abstractj/d618faceee388a9d403a
Basically the scenarios 1 and 4 were chosen to be implemented. Scenarios 2
& 3 would provide bad user experience.
I'll start to file some Jiras to myself, if you have any addition, let me
know.
--
"The measure of a man is what he does with power" - Plato
-
@abstractj
-
Volenti Nihil Difficile
_______________________________________________
aerogear-dev mailing list
aerogear-dev(a)lists.jboss.org <javascript:;>
https://lists.jboss.org/mailman/listinfo/aerogear-dev
--
Matthias Wessendorf
blog: http://matthiaswessendorf.wordpress.com/
sessions: http://www.slideshare.net/mwessendorf
twitter: http://twitter.com/mwessendorf
8:01 a.m.
Interesting !
A few questions (and sorry for maybe the silly questions) :
* In the gist, it's mentioned that the secret is stored in the Session
Local, a secret is supposed to be reused, right ? But with session Local,
the secret will be deleted after each session, did you maybe mean Local
Storage ? Or does the secret is passed at each new session (which feels
strange...) ?
* If the secret is stored on the browser and can an user login on this
webapp when using another device (has to register again) ?
* The secret is passed over the network the first time, isn't that
dangerous ;) ?
* Option 4, with behind the scene flow, avoid the users to switch between
an OTP and a login screen, right ? That seems a nice option
* Is something like image based authentication maybe an option to
investigate (identify the cat, the boat etc ...)
http://www.marketwire.com/press-release/Confident-Technologies-Delivers-I...
Sebi
On Wed, Apr 24, 2013 at 5:59 PM, Matthias Wessendorf <matzew(a)apache.org>wrote:
Nice!!!
On Wednesday, April 24, 2013, Bruno Oliveira wrote:
> Morning slackers, I had a meeting with Kris, Luke and Passos about the
> painless way to provide an OTP implementation for JavaScript.
>
> https://gist.github.com/abstractj/d618faceee388a9d403a
>
> Basically the scenarios 1 and 4 were chosen to be implemented. Scenarios
> 2 & 3 would provide bad user experience.
>
> I'll start to file some Jiras to myself, if you have any addition, let me
> know.
>
>
> --
> "The measure of a man is what he does with power" - Plato
> -
> @abstractj
> -
> Volenti Nihil Difficile
>
>
>
> _______________________________________________
> aerogear-dev mailing list
> aerogear-dev(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/aerogear-dev
>
--
Matthias Wessendorf
blog: http://matthiaswessendorf.wordpress.com/
sessions: http://www.slideshare.net/mwessendorf
twitter: http://twitter.com/mwessendorf
_______________________________________________
aerogear-dev mailing list
aerogear-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/aerogear-dev
8:09 a.m.
On May 1, 2013, at 8:01 AM, Sebastien Blanc <scm.blanc(a)gmail.com> wrote:
Interesting !
A few questions (and sorry for maybe the silly questions) :
* In the gist, it's mentioned that the secret is stored in the Session Local, a
secret is supposed to be reused, right ? But with session Local, the secret will be
deleted after each session, did you maybe mean Local Storage ? Or does the secret is
passed at each new session (which feels strange...) ?
I assume he meant the SessionLocal adapter for DataManager, using the localStorage side of
it.
* If the secret is stored on the browser and can an user login on this webapp when using
another device (has to register again) ?
Yes, I believe another registration would have to happen but is that any different then if
I had 2 soft tokens for the VPN? The would both have to be registered, right?
* The secret is passed over the network the first time, isn't that dangerous ;) ?
Yes, just like storing the secret in localStorage isn't exactly safe either. We're
still exploring right now. I think Bruno plans to start putting some code together and
then we'll review and see if we can find ways to make it more secure. JS is hard! ;)
* Option 4, with behind the scene flow, avoid the users to switch between an OTP and a
login screen, right ? That seems a nice option
Agree
* Is something like image based authentication maybe an option to investigate (identify
the cat, the boat etc ...)
http://www.marketwire.com/press-release/Confident-Technologies-Delivers-I...
Hmmm, I didn't think about that. I like that much more than captcha. We would have to
think about if we supply images, the app dev supplies them, both? I would be interested in
exploring that … one issue though is that would not be friendly to the visually impaired
so probably not the best option now that I think more about it. Maybe pairing with audio
could be an option?
Sebi
On Wed, Apr 24, 2013 at 5:59 PM, Matthias Wessendorf <matzew(a)apache.org> wrote:
Nice!!!
On Wednesday, April 24, 2013, Bruno Oliveira wrote:
Morning slackers, I had a meeting with Kris, Luke and Passos about the painless way to
provide an OTP implementation for JavaScript.
https://gist.github.com/abstractj/d618faceee388a9d403a
Basically the scenarios 1 and 4 were chosen to be implemented. Scenarios 2 & 3 would
provide bad user experience.
I'll start to file some Jiras to myself, if you have any addition, let me know.
--
"The measure of a man is what he does with power" - Plato
-
@abstractj
-
Volenti Nihil Difficile
_______________________________________________
aerogear-dev mailing list
aerogear-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/aerogear-dev
--
Matthias Wessendorf
blog: http://matthiaswessendorf.wordpress.com/
sessions: http://www.slideshare.net/mwessendorf
twitter: http://twitter.com/mwessendorf
_______________________________________________
aerogear-dev mailing list
aerogear-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/aerogear-dev
_______________________________________________
aerogear-dev mailing list
aerogear-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/aerogear-dev
9:28 a.m.
On Wednesday, May 1, 2013 at 10:01 AM, Sebastien Blanc wrote:
Interesting !
A few questions (and sorry for maybe the silly questions) :
* In the gist, it's mentioned that the secret is stored in the Session Local, a
secret is supposed to be reused, right ? But with session Local, the secret will be
deleted after each session, did you maybe mean Local Storage ? Or does the secret is
passed at each new session (which feels strange...) ?
* If the secret is stored on the browser and can an user login on this webapp when using
another device (has to register again) ?
Kris nailed these questions.
* The secret is passed over the network the first time, isn't that dangerous ;) ?
Sure! Everything in the world is dangerous, even 2 factor authentication
(http://www.schneier.com/blog/archives/2005/03/the_failure_of.html) and I'm aware of
it. We already have a discussion with iOS team , because the secret is sent through the
network. But QRCode scanners would be complex into iOS land, we decided to have working
code and improve it later.
How the secret will be provided is not a big deal to the initial release, my goals are:
- Generate the secret
- Generate valid OTPs
At the end of the day, developers will choose how they will provide the secret: images,
captchas, voice recognition, piece of paper. We're just trying to provide examples
about how to send it.
If you look at aerogear-otp-java there's no QRCode there and that's the idea, you
choose.
* Option 4, with behind the scene flow, avoid the users to switch between an OTP and a
login screen, right ? That seems a nice option
* Is something like image based authentication maybe an option to investigate (identify
the cat, the boat etc ...)
http://www.marketwire.com/press-release/Confident-Technologies-Delivers-I...
Looks really interesting Sebi, I didn't get a chance to test anything close to
it. You can add features, comments and concerns here if you want
https://github.com/aerogear/aerogear.org/pull/56
Sebi
Thanks for your review.
On Wed, Apr 24, 2013 at 5:59 PM, Matthias Wessendorf <matzew(a)apache.org
(mailto:matzew@apache.org)> wrote:
> Nice!!!
>
>
> On Wednesday, April 24, 2013, Bruno Oliveira wrote:
> > Morning slackers, I had a meeting with Kris, Luke and Passos about the painless
way to provide an OTP implementation for JavaScript.
> >
> > https://gist.github.com/abstractj/d618faceee388a9d403a
> >
> > Basically the scenarios 1 and 4 were chosen to be implemented. Scenarios 2
& 3 would provide bad user experience.
> >
> > I'll start to file some Jiras to myself, if you have any addition, let me
know.
> >
> >
> > --
> > "The measure of a man is what he does with power" - Plato
> > -
> > @abstractj
> > -
> > Volenti Nihil Difficile
> >
> >
> >
> > _______________________________________________
> > aerogear-dev mailing list
> > aerogear-dev(a)lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/aerogear-dev
>
>
>
> --
> Matthias Wessendorf
>
> blog: http://matthiaswessendorf.wordpress.com/
> sessions: http://www.slideshare.net/mwessendorf
> twitter: http://twitter.com/mwessendorf
>
> _______________________________________________
> aerogear-dev mailing list
> aerogear-dev(a)lists.jboss.org (mailto:aerogear-dev@lists.jboss.org)
> https://lists.jboss.org/mailman/listinfo/aerogear-dev
_______________________________________________
aerogear-dev mailing list
aerogear-dev(a)lists.jboss.org (mailto:aerogear-dev@lists.jboss.org)
https://lists.jboss.org/mailman/listinfo/aerogear-dev
12:37 p.m.
On Wed, May 1, 2013 at 4:28 PM, Bruno Oliveira <bruno(a)abstractj.org> wrote:
On Wednesday, May 1, 2013 at 10:01 AM, Sebastien Blanc wrote:
> Interesting !
> A few questions (and sorry for maybe the silly questions) :
>
> * In the gist, it's mentioned that the secret is stored in the Session
Local, a secret is supposed to be reused, right ? But with session Local,
the secret will be deleted after each session, did you maybe mean Local
Storage ? Or does the secret is passed at each new session (which feels
strange...) ?
>
>
> * If the secret is stored on the browser and can an user login on this
webapp when using another device (has to register again) ?
Kris nailed these questions.
>
> * The secret is passed over the network the first time, isn't that
dangerous ;) ?
Sure! Everything in the world is dangerous, even 2 factor authentication (
http://www.schneier.com/blog/archives/2005/03/the_failure_of.html) and
I'm aware of it. We already have a discussion with iOS team , because the
secret is sent through the network. But QRCode scanners would be complex
into iOS land, we decided to have working code and improve it later.
How the secret will be provided is not a big deal to the initial release,
my goals are:
- Generate the secret
- Generate valid OTPs
At the end of the day, developers will choose how they will provide the
secret: images, captchas, voice recognition, piece of paper. We're just
trying to provide examples about how to send it.
If you look at aerogear-otp-java there's no QRCode there and that's the
idea, you choose.
>
>
> * Option 4, with behind the scene flow, avoid the users to switch
between an OTP and a login screen, right ? That seems a nice option
>
> * Is something like image based authentication maybe an option to
investigate (identify the cat, the boat etc ...)
http://www.marketwire.com/press-release/Confident-Technologies-Delivers-I...
Looks really interesting Sebi, I didn't get a chance to test anything
close to it. You can add features, comments and concerns here if you want
https://github.com/aerogear/aerogear.org/pull/56
>
>
Sure I will try to update the PR, I also find on this same site this demo,
looks nice http://confidenttechnologies.com/demos/mobile-authentication-demo
> Sebi
Thanks for your review.
>
>
>
> On Wed, Apr 24, 2013 at 5:59 PM, Matthias Wessendorf <matzew(a)apache.org(mailto:
matzew(a)apache.org)> wrote:
> > Nice!!!
> >
> >
> > On Wednesday, April 24, 2013, Bruno Oliveira wrote:
> > > Morning slackers, I had a meeting with Kris, Luke and Passos about
the painless way to provide an OTP implementation for JavaScript.
> > >
> > > https://gist.github.com/abstractj/d618faceee388a9d403a
> > >
> > > Basically the scenarios 1 and 4 were chosen to be implemented.
Scenarios 2 & 3 would provide bad user experience.
> > >
> > > I'll start to file some Jiras to myself, if you have any addition,
let me know.
> > >
> > >
> > > --
> > > "The measure of a man is what he does with power" - Plato
> > > -
> > > @abstractj
> > > -
> > > Volenti Nihil Difficile
> > >
> > >
> > >
> > > _______________________________________________
> > > aerogear-dev mailing list
> > > aerogear-dev(a)lists.jboss.org
> > > https://lists.jboss.org/mailman/listinfo/aerogear-dev
> >
> >
> >
> > --
> > Matthias Wessendorf
> >
> > blog: http://matthiaswessendorf.wordpress.com/
> > sessions: http://www.slideshare.net/mwessendorf
> > twitter: http://twitter.com/mwessendorf
> >
> > _______________________________________________
> > aerogear-dev mailing list
> > aerogear-dev(a)lists.jboss.org (mailto:aerogear-dev@lists.jboss.org)
> > https://lists.jboss.org/mailman/listinfo/aerogear-dev
>
>
> _______________________________________________
> aerogear-dev mailing list
> aerogear-dev(a)lists.jboss.org (mailto:aerogear-dev@lists.jboss.org)
> https://lists.jboss.org/mailman/listinfo/aerogear-dev
_______________________________________________
aerogear-dev mailing list
aerogear-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/aerogear-dev
2:44 p.m.
sounds good!
Thanks for the update!
On Wed, Apr 24, 2013 at 4:57 PM, Bruno Oliveira <bruno(a)abstractj.org> wrote:
Morning slackers, I had a meeting with Kris, Luke and Passos about
the
painless way to provide an OTP implementation for JavaScript.
https://gist.github.com/abstractj/d618faceee388a9d403a
Basically the scenarios 1 and 4 were chosen to be implemented. Scenarios 2
& 3 would provide bad user experience.
I'll start to file some Jiras to myself, if you have any addition, let me
know.
--
"The measure of a man is what he does with power" - Plato
-
@abstractj
-
Volenti Nihil Difficile
_______________________________________________
aerogear-dev mailing list
aerogear-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/aerogear-dev
--
Matthias Wessendorf
blog: http://matthiaswessendorf.wordpress.com/
sessions: http://www.slideshare.net/mwessendorf
twitter: http://twitter.com/mwessendorf
4257
days inactive
4264
days old
6 comments
4 participants
participants (4)
-
Bruno Oliveira -
Kris Borchers -
Matthias Wessendorf -
Sebastien Blanc