On 8/19/2013 8:52 AM, Gabriel Cardoso wrote:
Very nice Stian!
> * When a user first registers there will be a checkbox to enable TOTP if the user
> wants to - if TOTP is required by the realm this checkbox will always be enabled (and the
> user won't be able to change it)
> * After clicking register the user is forwarded to the configure TOTP page (in user
> account management)
> * If a user doesn't complete the above form, or a user registered prior to totp
> being set as required for the realm, when a user tries to login the user is forwarded to
> the configure TOTP page
> * The TOTP page should list out the available TOTP providers (ATM only Google
> authenticator is supported) and show instructions for the user to configure it. A user
> should be required to enter a valid authenticator code to enable TOTP
>
> Later a user can view the TOTP settings for his account through the user account
> management. If totp is not required by the realm the user can also remove the totp. A user
> can always change the totp, again this requires providing a valid authenticator code.
This flow sounds good to me.
Yes. +1 on the flow.
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
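
The flow agreed in this thread, sketched as an added example that is not part of the original messages or the project's own code: TOTP is computed per RFC 6238 with HMAC-SHA1, and enabling or changing it only succeeds when a valid authenticator code is presented. The names `Account`, `configure_totp`, `remove_totp` and `login`, and the one-step drift window, are assumptions made for illustration.

```python
import hashlib
import hmac
import struct

def totp(secret: bytes, at: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP using HMAC-SHA1 and RFC 4226 dynamic truncation."""
    counter = struct.pack(">Q", int(at) // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def verify(secret: bytes, code: str, at: float, window: int = 1) -> bool:
    """Accept the current time step and +/- window steps; constant-time compare."""
    return any(hmac.compare_digest(totp(secret, at + d * 30), code)
               for d in range(-window, window + 1))

class Account:
    """Hypothetical per-user state for the enrollment flow in the thread."""

    def __init__(self, realm_requires_totp: bool):
        self.realm_requires_totp = realm_requires_totp
        self.secret = None  # stays None until a valid code has been presented

    def configure_totp(self, new_secret: bytes, code: str, at: float) -> bool:
        """Enable or change TOTP; the code proves the authenticator holds new_secret."""
        if not verify(new_secret, code, at):
            return False
        self.secret = new_secret
        return True

    def remove_totp(self) -> bool:
        """Removal is refused while the realm requires TOTP."""
        if self.realm_requires_totp:
            return False
        self.secret = None
        return True

    def login(self, password_ok: bool, code, at: float) -> str:
        """Return 'denied', 'configure_totp' (forward to the setup page) or 'ok'."""
        if not password_ok:
            return "denied"
        if self.secret is None:
            return "configure_totp" if self.realm_requires_totp else "ok"
        return "ok" if code and verify(self.secret, code, at) else "denied"
```
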