On Fri, 22 Nov 2019 at 11:49, Jan Lieskovsky <jlieskov(a)redhat.com> wrote:
On Fri, Nov 22, 2019 at 10:55 AM Marek Posolda <mposolda(a)redhat.com> wrote:
> On 22. 11. 19 10:30, Stian Thorgersen wrote:
> >
> >
> > On Thu, 21 Nov 2019 at 12:07, Marek Posolda <mposolda(a)redhat.com> wrote:
> >
> > I want to ask some feedback about the screen for the "Setup TOTP".
> > I've created JIRA https://issues.jboss.org/browse/KEYCLOAK-12168 , which
> > contains some screenshot of how currently the screen for the required
> > action for "Setup OTP" looks like. In other words, this is displayed to
> > the user at the end of the authentication when he has "Setup TOTP"
> > required action on him.
> >
> > Few questions:
> >
> > * Is the "Device name" appropriate label? Would something like
> > "Authenticator App Label" be better?
> >
> >
> > I'm not too keen on either. Maybe "Phone name"?
> That could be fine, but aren't also different possibilities for generate
> OTP codes than sticking to "phone" ? The "Device name" is at least
> slightly more generic, but I am not sure if it is the great label
> either...
>
What about 'Unique Phone Identifier' or 'Unique Access Identifier'? (for
the case 'Phone' is not generic enough)
Identifier isn't great either, but sounds better to me than 'Recognizer',
'Differentiator', or 'Distinguisher' (& searching for available synonyms
didn't find something, which would be more user-friendly than identifier)

Name is better than identifier. So I would stick with Device/Phone name.
> >
> >
> > * Should it be more emphasized that "Authenticator App Label" is not
> > mandatory? IMO it is currently not very clear. Also there is nothing
> > in the help-text about this input field. Maybe we can add another
> > sentence to point 3 like "Optionally provide Authenticator App Label
> > as a reference." I am not very happy with that sentence. Any better
> > ideas?
> >
> >
> > What about only asking for a label if there is already one registered?
> > Most users will only use one and it seems unnecessary to ask them to
> > add a label.
>
> Yes, but let's assume this scenario:
>
> - User registers first OTP. Keycloak doesn't allow him to add label
> - The user wants to register the second OTP. So he registers the second
> and added the label like "My samsung phone"
> - Now he wants to authenticate. So Keycloak will allow him to choose
> between "My samsung phone" and <nothing> because the first OTP didn't
> have any label and didn't allow user to choose any label when he was
> registering it.
>
> To improve slightly on this, we have JIRA for generating some kind of
> "default" labels, which will be used in case that no label is provided,
> and also for migration from previous version where wasn't possibility to
> add labels: https://issues.jboss.org/browse/KEYCLOAK-11907 . So there
> will be some default labels like "Phone 1" or "Device 1", which will at
> least allow user to differentiate.
>
Yet, parallel to the above, there should be another JIRA for validating,
if the provided label is unique or not, yet (accept if unique, or ask user
to provide another one, if matching previous entry). This is needed, the
user to be able to choose the OTP authenticator in an unambiguous way on
the following screens, IMHO.

There really doesn't need to be validation that the label is unique. IMO it
shouldn't have to be as it's up to the user to decide. The label is only
there to give the user a hint, nothing else.
>
> >
> > * Alternatively we can use separate screen for providing the
> > "Authenticator App Label" . In other words, there will be just
> > single input for OTP code and then once user clicks "Submit"
> > and OTP code is successfully verified, there will be another screen
> > where he can provide "Authenticator App Label" . It seems Google is
> > using separate screen for providing labels when user register
> > Security Key.
> >
> >
> > I prefer single screen, but see above.
> >
> >
> > * Any better ideas?
> >
> > * We can possibly improve the old account console in similar manner.
> > Currently it looks like in screenshot setup-otp-account-mgmt.png .
> > Maybe we can at least change the label for "Device name" and also
> > add another sentence to the help text?
> >
> >
> > Old account console can just stay as is. We should focus improvements
> > on new console.
>
> Ok
>
> Marek
>
> >
> > Thanks,
> >
> > Marek
> >
> > _______________________________________________
> > keycloak-dev mailing list
> > keycloak-dev(a)lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-dev
> >