On Fri, Nov 22, 2019 at 10:55 AM Marek Posolda <mposolda(a)redhat.com> wrote:
On 22. 11. 19 10:30, Stian Thorgersen wrote:
>
>
> On Thu, 21 Nov 2019 at 12:07, Marek Posolda <mposolda(a)redhat.com
> <mailto:mposolda@redhat.com>> wrote:
>
> I want to ask some feedback about the screen for the "Setup TOTP"
> . I've
> created JIRA
https://issues.jboss.org/browse/KEYCLOAK-12168 , which
> contains some screenshot of how currently the screen for the required
> action for "Setup OTP" looks like. In other words, this is
> displayed to
> the user at the end of the authentication when he has "Setup TOTP"
> required action on him.
>
> Few questions:
>
> * Is the "Device name" appropriate label? Would something like
> "Authenticator App Label" be better?
>
>
> I'm not too keen on either. Maybe "Phone name"?
That could be fine, but aren't also different possibilities for generate
OTP codes than sticking to "phone" ? The "Device name" is at least
slightly more generic, but I am not sure if it is the great label either...
What about 'Unique Phone Identifier' or 'Unique Access Identifier'? (for
the case
'Phone' is not generic enough)
Identifier isn't great either, but sounds better to me than 'Recognizer',
'Differentiator', or
'Distinguisher' (& searching for available synonyms didn't find
something,
which would be more user-friendly than identifier)
>
>
> * Should it be more emphasized that "Authenticator App Label" is
not
> mandatory? IMO it is currently not very clear. Also there is
> nothing
> in the help-text about this input field. Maybe we can add another
> sentence to point 3 like "Optionally provide Authenticator App
> Label
> as a reference." I am not very happy with that sentence. Any
> better
> ideas?
>
>
> What about only asking for a label if there is already one registered?
> Most users will only use one and it seems unnecessary to ask them to
> add a label.
Yes, but let's assume this scenario:
- User registers first OTP. Keycloak deosn't allow him to add label
- He user wants to register the second OTP. So he registers the second
and added the label like "My samsung phone"
- Now he wants to authenticate. So Keycloak will allow him to choose
between "My samsung phone" and <nothing> because the first OTP
didn't
have any label and didn't allow user to choose any label when he was
registering it.
To improve slightly on this, we have JIRA for generating some kind of
"default" labels, which will be used in case that no label is provided,
and also for migration from previous version where wasn't possibility to
add labels:
https://issues.jboss.org/browse/KEYCLOAK-11907 . So there
will be some default labels like "Phone 1" or "Device 1", which will
at
least allow user to differentiate.
Yet, parallel to the above, there should be another JIRA for validating, if
the provided
label is unique or not, yet (accept if unique, or ask user to provide
another one, if
matching previous entry). This is needed, the user to be able to choose the
OTP authenticator in an unambiguous way on the following screens, IMHO.
>
> * Alternatively we can use separate screen for providing the
> "Authenticator App Label" . In other words, there will be just
> single input for OTP code and than once user clicks "Submit"
> and OTP
> code is successfully verified, there will be another screen
> where he
> can provide "Authenticator App Label" . It seems Google is using
> separate screen for providing labels when user register
> Security Key.
>
>
> I prefer single screen, but see above.
>
>
> * Any better ideas?
>
> * We can possibly improve the old account console in similar
manner.
> Currently it looks like in screenshot setup-otp-account-mgmt.png
.
> Maybe we can at least change the label for "Device name" and also
> add another sentence to the help text?
>
>
> Old account console can just stay as is. We should focus improvements
> on new console.
Ok
Marek
>
> Thanks,
>
> Marek
>
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev(a)lists.jboss.org <mailto:keycloak-dev@lists.jboss.org>
>
https://lists.jboss.org/mailman/listinfo/keycloak-dev
>
_______________________________________________
keycloak-dev mailing list
keycloak-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-dev