Re: [keycloak-dev] Why do I have to enter the OTP?

From: "Stian Thorgersen" <stian(a)redhat.com&gt; To: "Bill Burke" <bburke(a)redhat.com&gt; Cc: keycloak-dev(a)lists.jboss.org Sent: Wednesday, 14 January, 2015 9:03:05 AM Subject: Re: [keycloak-dev] Why do I have to enter the OTP? Look at YubiKey and FIDO U2F ----- Original Message ----- > From: "Bill Burke" <bburke(a)redhat.com&gt; > To: keycloak-dev(a)lists.jboss.org > Sent: Tuesday, 13 January, 2015 5:11:09 PM > Subject: [keycloak-dev] Why do I have to enter the OTP? > > Why does a user have to enter in the OTP generated by their mobile > device? Wouldn't it be cooler if the steps were: > > 1. Enter in username password in the browser > 2. Browser blocks and wait for... > 3. Press a button on your OTP iphone app > 4. iphone app sends an HTTP message to Keycloak with username and > generated OTP (in background) > 5. Keycloak sees if a browser app is waiting for OTP verification, then > verifies OTP if so. > 6. Browser unblocks and lets user in. > > Now, the user doesn't ever have to enter the OTP (and mess it up like I > do all the time). They just need their mobile device. > > > > -- > Bill Burke > JBoss, a division of Red Hat > http://bill.burkecentral.com > _______________________________________________ > keycloak-dev mailing list > keycloak-dev(a)lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-dev > _______________________________________________ keycloak-dev mailing list keycloak-dev(a)lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-dev