On 1/14/2015 2:36 AM, Juraci Paixão Kröhling wrote:
> On 01/13/2015 05:11 PM, Bill Burke wrote:
>> Why does a user have to enter in the OTP generated by their mobile
>> device? Wouldn't it be cooler if the steps were:
>>
>> 1. Enter username and password in the browser
>> 2. Browser blocks and waits for...
>> 3. Press a button on your OTP iPhone app
>> 4. iPhone app sends an HTTP message to Keycloak with username and
>>    generated OTP (in background)
>> 5. Keycloak sees if a browser app is waiting for OTP verification,
>>    then verifies OTP if so.
>
> How do you ensure that this browser is the same as the real user, and
> not from an attacker?
The browser has correctly entered in a password. There would be a
timeout for the browser blocking/waiting for the background OTP transmit.
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
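The push-style flow proposed in the thread, with the two binding checks Bill names (the pending entry exists only after a correct password, and it expires on a timeout), as an added example that is not Keycloak code or anything from the thread's authors. The `Keycloak` class, the plaintext demo user store and the RFC 6238 test secret are constructed for the illustration.

```python
import hashlib
import hmac
import struct

STEP = 30          # TOTP time step in seconds (RFC 6238)
PENDING_TTL = 60   # how long the blocked browser waits for the phone push

def totp(secret: bytes, now: float, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1 for the time step containing `now`."""
    counter = struct.pack(">Q", int(now // STEP))
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % (10 ** digits):0{digits}d}"

class Keycloak:
    """Hypothetical server stub; real storage would hold a password hash."""
    def __init__(self):
        self.users = {}     # username -> (password, otp_secret)   constructed demo store
        self.pending = {}   # username -> (browser_session_id, deadline)

    def browser_login(self, username, password, session_id, now):
        """Step 1-2: only a correct password opens a time-limited pending entry."""
        stored = self.users.get(username)
        if stored is None or not hmac.compare_digest(stored[0], password):
            return "rejected"
        self.pending[username] = (session_id, now + PENDING_TTL)
        return "waiting_for_otp"

    def phone_push(self, username, otp, now):
        """Step 4-5: the app posts (username, OTP); verify only if a browser is waiting."""
        entry = self.pending.get(username)
        if entry is None:
            return "no_pending_login"
        session_id, deadline = entry
        if now > deadline:                       # browser gave up; drop the stale entry
            del self.pending[username]
            return "timed_out"
        secret = self.users[username][1]
        if not hmac.compare_digest(totp(secret, now), otp):
            return "bad_otp"
        del self.pending[username]               # single use: the push completes exactly one login
        return f"authenticated:{session_id}"

def demo():
    kc = Keycloak()
    kc.users["alice"] = ("pw", b"12345678901234567890")   # RFC 6238 test secret
    kc.browser_login("alice", "pw", "sess-1", now=59)
    return kc.phone_push("alice", totp(b"12345678901234567890", 59), now=59)
```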