-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 01/13/2015 05:11 PM, Bill Burke wrote:
> Why does a user have to enter in the OTP generated by their mobile
> device? Wouldn't it be cooler if the steps were:
> 1. Enter in username and password in the browser
> 2. Browser blocks and waits for...
> 3. Press a button on your OTP iPhone app
> 4. iPhone app sends an HTTP message to Keycloak with username and
>    generated OTP (in background)
> 5. Keycloak sees if a browser app is waiting for OTP verification,
>    then verifies OTP if so.

How do you ensure that this browser is the same as the real user, and
not from an attacker?

> 6. Browser unblocks and lets user in.
> Now, the user doesn't ever have to enter the OTP (and mess it up
> like I do all the time). They just need their mobile device.
I haven't seen any mention of SQRL on this list yet, so, if you are
looking for a way to make the login process "easier" to the final user
(easier being veeery subjective here), then this might be of interest:
https://www.grc.com/sqrl/sqrl.htm
- - Juca.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQEcBAEBAgAGBQJUthyWAAoJEDnJtskdmzLMU7cIAIQjTD3mMP2FqIpy/0tc82rs
jgjNqZbtKDIMbBPPhSs0jMIoVfqSY/2ybIxMLpXBW2kNLKxVKrz6mY7bbifRlXbK
uvDh8t6LXM45Q6sEetmnTCgxnD1AtbkypJh0RZH6KXUzshQVPqfPaPqCz79p5V32
87XnAUU9hFXL4ECOFSKHOg8KZIkXYwFZb72MmjPWkh6/m85VkDeLvSRtFYczobJZ
Joe71n/rhm+G+pM2uq8jONslKQeqvIluzp6tw3l0CVpez8R/KI/yA/4rnhd4Lj5m
Dkl/0Gha/Q50nyswTAM22jrN8StXvjARCCH8RmqX6DdB6fADCFTVtzloa44WcNM=
=OFPT
-----END PGP SIGNATURE-----
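The push-style flow proposed above, and the session-binding question raised in the reply, simulated end to end. This is an added example, not Keycloak code and not anything posted in the thread: `PushOtpServer` is a toy server standing in for Keycloak, the TOTP implementation follows RFC 4226/6238 with the RFC test-vector secret, the user names and password are made up, and the two-digit confirmation code that the bound variant shows in the browser and requires from the phone is one possible way to tie the phone's approval to a single waiting browser (an assumption for illustration, not something the thread proposes). The `naive=True` variant is the flow exactly as listed: the phone sends only username and OTP, and the server releases whatever browser is waiting for that user. The `naive=False` variant shows how binding the approval to the session keeps an attacker who knows the password from riding on the real user's approval.

```python
import hashlib
import hmac
import secrets
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the counter, dynamic truncation, `digits` digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def totp(secret: bytes, now: int, step: int = 30) -> str:
    """RFC 6238 TOTP: HOTP over the current 30-second time step."""
    return hotp(secret, now // step)


class PushOtpServer:
    """Toy stand-in for Keycloak modelling the proposed push-OTP flow (not Keycloak code)."""

    def __init__(self, naive: bool):
        self.naive = naive      # True: release by username only, as in the proposed steps
        self.users = {}         # username -> (password, TOTP secret)
        self.pending = {}       # login_id -> {"user", "code", "done"}: browsers blocked at step 2

    def register(self, user: str, password: str, secret: bytes) -> None:
        self.users[user] = (password, secret)

    def browser_login(self, user: str, password: str):
        """Steps 1-2: browser submits credentials, then blocks on the returned login id.
        The bound variant also hands the browser a short code to show the user (assumed binding)."""
        stored = self.users.get(user)
        if stored is None or not hmac.compare_digest(stored[0], password):
            return None
        login_id = secrets.token_hex(8)
        used = {p["code"] for p in self.pending.values() if p["user"] == user and not p["done"]}
        while True:                       # distinct from other pending logins of this user
            code = f"{secrets.randbelow(100):02d}"
            if code not in used:
                break
        self.pending[login_id] = {"user": user, "code": code, "done": False}
        return login_id, code

    def phone_approve(self, user: str, otp: str, now: int, code: str = None) -> list:
        """Steps 3-5: phone posts username + OTP; server verifies it and releases waiting browsers.
        Returns the login ids it unblocked. In the bound variant the phone must also send the code
        the user saw in the browser, so only that one session is released."""
        secret = self.users[user][1]
        if not hmac.compare_digest(totp(secret, now), otp):
            return []
        released = []
        for login_id, p in self.pending.items():
            if p["user"] != user or p["done"]:
                continue
            if not self.naive and p["code"] != code:
                continue
            p["done"] = True
            released.append(login_id)
        return released

    def browser_poll(self, login_id: str) -> bool:
        """Step 6: the blocked browser asks whether it may proceed."""
        return self.pending[login_id]["done"]


def demo(naive: bool):
    """Constructed scenario: the real user and an attacker holding her stolen password
    both reach step 2 at the same moment; only the real user's phone approves."""
    srv = PushOtpServer(naive)
    secret = b"12345678901234567890"        # RFC 4226/6238 test-vector secret
    srv.register("alice", "hunter2", secret)
    now = 59                                # RFC 6238 test time; TOTP here is 287082
    alice_id, alice_code = srv.browser_login("alice", "hunter2")
    mallory_id, _ = srv.browser_login("alice", "hunter2")
    srv.phone_approve("alice", totp(secret, now), now, code=None if naive else alice_code)
    return srv.browser_poll(alice_id), srv.browser_poll(mallory_id)


if __name__ == "__main__":
    print("as proposed (username only):", demo(naive=True))    # attacker's browser also unblocks
    print("bound to the browser session:", demo(naive=False))  # only Alice's browser unblocks
```

The naive variant has nothing in the phone's message that names a particular browser, so the server cannot tell Alice's waiting session from Mallory's; any scheme along these lines needs some value that travels browser -> user -> phone -> server (a displayed code, a scanned challenge, or a signed nonce) before the approval can be scoped to one session.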