Re: [keycloak-dev] Why do I have to enter the OTP?
I think we'd need some mechanism in place so the user knows he initiated the request.
Keycloak could for example display a random phrase, for example "RED SHOE" which
would also be displayed on the mobile. Banks in Norway use a similar mechanism.
----- Original Message -----
From: "Bill Burke" <bburke(a)redhat.com>
To: keycloak-dev(a)lists.jboss.org
Sent: Wednesday, 14 January, 2015 7:12:37 PM
Subject: Re: [keycloak-dev] Why do I have to enter the OTP?
On 1/14/2015 2:36 AM, Juraci Paixão Kröhling wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On 01/13/2015 05:11 PM, Bill Burke wrote:
>> Why does a user have to enter in the OTP generated by their mobile
>> device? Wouldn't it be cooler if the steps were:
>>
>> 1. Enter in username password in the browser 2. Browser blocks and
>> wait for... 3. Press a button on your OTP iphone app 4. iphone app
>> sends an HTTP message to Keycloak with username and generated OTP
>> (in background) 5. Keycloak sees if a browser app is waiting for
>> OTP verification, then verifies OTP if so.
>
> How do you ensure that this browser is the same as the real user, and
> not from an attacker?
>
The browser has correctly entered in a password. There would be a
timeout for the browser blocking/waiting for the background OTP transmit.
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
_______________________________________________
keycloak-dev mailing list
keycloak-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-dev