11:11 a.m.
Why does a user have to enter in the OTP generated by their mobile
device? Wouldn't it be cooler if the steps were:
1. Enter in username password in the browser
2. Browser blocks and wait for...
3. Press a button on your OTP iphone app
4. iphone app sends an HTTP message to Keycloak with username and
generated OTP (in background)
5. Keycloak sees if a browser app is waiting for OTP verification, then
verifies OTP if so.
6. Browser unblocks and lets user in.
Now, the user doesn't ever have to enter the OTP (and mess it up like I
do all the time). They just need their mobile device.
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
11:19 a.m.
On 01/13/2015 11:11 AM, Bill Burke wrote:
Why does a user have to enter in the OTP generated by their mobile
device? Wouldn't it be cooler if the steps were:
1. Enter in username password in the browser
2. Browser blocks and wait for...
3. Press a button on your OTP iphone app
4. iphone app sends an HTTP message to Keycloak with username and
generated OTP (in background)
5. Keycloak sees if a browser app is waiting for OTP verification, then
verifies OTP if so.
6. Browser unblocks and lets user in.
Now, the user doesn't ever have to enter the OTP (and mess it up like I
do all the time). They just need their mobile device.
Even better, in Android this can be done from an interactive
notification. You won't even need to open the app.
--
Summers Pittman
>Phone:404 941 4698
>Java is my crack.
11:20 a.m.
On 1/13/2015 11:19 AM, Summers Pittman wrote:
On 01/13/2015 11:11 AM, Bill Burke wrote:
> Why does a user have to enter in the OTP generated by their mobile
> device? Wouldn't it be cooler if the steps were:
>
> 1. Enter in username password in the browser
> 2. Browser blocks and wait for...
> 3. Press a button on your OTP iphone app
> 4. iphone app sends an HTTP message to Keycloak with username and
> generated OTP (in background)
> 5. Keycloak sees if a browser app is waiting for OTP verification, then
> verifies OTP if so.
> 6. Browser unblocks and lets user in.
>
> Now, the user doesn't ever have to enter the OTP (and mess it up like I
> do all the time). They just need their mobile device.
>
>
>
Even better, in Android this can be done from an interactive
notification. You won't even need to open the app.
Probably the same in iOS, no?
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
11:34 a.m.
I think what you meant was something like this
https://www.duosecurity.com/product/user-experience/authentication,
right?
On 2015-01-13, Bill Burke wrote:
On 1/13/2015 11:19 AM, Summers Pittman wrote:
> On 01/13/2015 11:11 AM, Bill Burke wrote:
>> Why does a user have to enter in the OTP generated by their mobile
>> device? Wouldn't it be cooler if the steps were:
>>
>> 1. Enter in username password in the browser
>> 2. Browser blocks and wait for...
>> 3. Press a button on your OTP iphone app
>> 4. iphone app sends an HTTP message to Keycloak with username and
>> generated OTP (in background)
>> 5. Keycloak sees if a browser app is waiting for OTP verification, then
>> verifies OTP if so.
>> 6. Browser unblocks and lets user in.
>>
>> Now, the user doesn't ever have to enter the OTP (and mess it up like I
>> do all the time). They just need their mobile device.
>>
>>
>>
> Even better, in Android this can be done from an interactive
> notification. You won't even need to open the app.
>
Probably the same in iOS, no?
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
_______________________________________________
keycloak-dev mailing list
keycloak-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-dev
--
abstractj
PGP: 0x84DC9914
11:41 a.m.
Cool. I knew it couldn't be a unique idea.
On 1/13/2015 11:34 AM, Bruno Oliveira wrote:
I think what you meant was something like this
https://www.duosecurity.com/product/user-experience/authentication,
right?
On 2015-01-13, Bill Burke wrote:
>
>
> On 1/13/2015 11:19 AM, Summers Pittman wrote:
>> On 01/13/2015 11:11 AM, Bill Burke wrote:
>>> Why does a user have to enter in the OTP generated by their mobile
>>> device? Wouldn't it be cooler if the steps were:
>>>
>>> 1. Enter in username password in the browser
>>> 2. Browser blocks and wait for...
>>> 3. Press a button on your OTP iphone app
>>> 4. iphone app sends an HTTP message to Keycloak with username and
>>> generated OTP (in background)
>>> 5. Keycloak sees if a browser app is waiting for OTP verification, then
>>> verifies OTP if so.
>>> 6. Browser unblocks and lets user in.
>>>
>>> Now, the user doesn't ever have to enter the OTP (and mess it up like I
>>> do all the time). They just need their mobile device.
>>>
>>>
>>>
>> Even better, in Android this can be done from an interactive
>> notification. You won't even need to open the app.
>>
>
> Probably the same in iOS, no?
>
> --
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev
--
abstractj
PGP: 0x84DC9914
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
12:01 p.m.
That's for sure a great feature for Keycloak +10000. We planned something last year
(http://staging.aerogear.org/docs/planning/roadmaps/AeroGearSecurity/), but due to other
priorities we didn't even started.
—
abstractj
PGP: 0x84DC9914
On Tue, Jan 13, 2015 at 2:41 PM, Bill Burke <bburke(a)redhat.com> wrote:
Cool. I knew it couldn't be a unique idea.
On 1/13/2015 11:34 AM, Bruno Oliveira wrote:
> I think what you meant was something like this
> https://www.duosecurity.com/product/user-experience/authentication,
> right?
>
> On 2015-01-13, Bill Burke wrote:
>>
>>
>> On 1/13/2015 11:19 AM, Summers Pittman wrote:
>>> On 01/13/2015 11:11 AM, Bill Burke wrote:
>>>> Why does a user have to enter in the OTP generated by their mobile
>>>> device? Wouldn't it be cooler if the steps were:
>>>>
>>>> 1. Enter in username password in the browser
>>>> 2. Browser blocks and wait for...
>>>> 3. Press a button on your OTP iphone app
>>>> 4. iphone app sends an HTTP message to Keycloak with username and
>>>> generated OTP (in background)
>>>> 5. Keycloak sees if a browser app is waiting for OTP verification, then
>>>> verifies OTP if so.
>>>> 6. Browser unblocks and lets user in.
>>>>
>>>> Now, the user doesn't ever have to enter the OTP (and mess it up like
I
>>>> do all the time). They just need their mobile device.
>>>>
>>>>
>>>>
>>> Even better, in Android this can be done from an interactive
>>> notification. You won't even need to open the app.
>>>
>>
>> Probably the same in iOS, no?
>>
>> --
>> Bill Burke
>> JBoss, a division of Red Hat
>> http://bill.burkecentral.com
>> _______________________________________________
>> keycloak-dev mailing list
>> keycloak-dev(a)lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>
> --
>
> abstractj
> PGP: 0x84DC9914
>
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
2:21 p.m.
On Tue, Jan 13, 2015 at 6:20 PM, Bill Burke <bburke(a)redhat.com> wrote:
On 1/13/2015 11:19 AM, Summers Pittman wrote:
> On 01/13/2015 11:11 AM, Bill Burke wrote:
>> Why does a user have to enter in the OTP generated by their mobile
>> device? Wouldn't it be cooler if the steps were:
>>
>> 1. Enter in username password in the browser
>> 2. Browser blocks and wait for...
>> 3. Press a button on your OTP iphone app
>> 4. iphone app sends an HTTP message to Keycloak with username and
>> generated OTP (in background)
>> 5. Keycloak sees if a browser app is waiting for OTP verification, then
>> verifies OTP if so.
>> 6. Browser unblocks and lets user in.
>>
>> Now, the user doesn't ever have to enter the OTP (and mess it up like I
>> do all the time). They just need their mobile device.
>>
>>
>>
> Even better, in Android this can be done from an interactive
> notification. You won't even need to open the app.
>
Probably the same in iOS, no?
the same 'interactive notification' concept exist in iOS too, that is
without launching the app in the foreground, instead allowing the user to
click 'Accept/Send OTP" in the notification directly and let the system
call your app in the 'background' to process the request.
-
Christos
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
_______________________________________________
keycloak-dev mailing list
keycloak-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-dev
2:36 a.m.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 01/13/2015 05:11 PM, Bill Burke wrote:
Why does a user have to enter in the OTP generated by their mobile
device? Wouldn't it be cooler if the steps were:
1. Enter in username password in the browser 2. Browser blocks and
wait for... 3. Press a button on your OTP iphone app 4. iphone app
sends an HTTP message to Keycloak with username and generated OTP
(in background) 5. Keycloak sees if a browser app is waiting for
OTP verification, then verifies OTP if so.
How do you ensure that this browser is the same as the real user, and
not from an attacker?
6. Browser unblocks and lets user in.
Now, the user doesn't ever have to enter the OTP (and mess it up
like I do all the time). They just need their mobile device.
I haven't seen any mention of SQRL on this list yet, so, if you are
looking for a way to make the login process "easier" to the final user
(easier being veeery subjective here), then this might be of interest:
https://www.grc.com/sqrl/sqrl.htm
- - Juca.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQEcBAEBAgAGBQJUthyWAAoJEDnJtskdmzLMU7cIAIQjTD3mMP2FqIpy/0tc82rs
jgjNqZbtKDIMbBPPhSs0jMIoVfqSY/2ybIxMLpXBW2kNLKxVKrz6mY7bbifRlXbK
uvDh8t6LXM45Q6sEetmnTCgxnD1AtbkypJh0RZH6KXUzshQVPqfPaPqCz79p5V32
87XnAUU9hFXL4ECOFSKHOg8KZIkXYwFZb72MmjPWkh6/m85VkDeLvSRtFYczobJZ
Joe71n/rhm+G+pM2uq8jONslKQeqvIluzp6tw3l0CVpez8R/KI/yA/4rnhd4Lj5m
Dkl/0Gha/Q50nyswTAM22jrN8StXvjARCCH8RmqX6DdB6fADCFTVtzloa44WcNM=
=OFPT
-----END PGP SIGNATURE-----
2:52 a.m.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 01/14/2015 08:36 AM, Juraci Paixão Kröhling wrote:
I haven't seen any mention of SQRL on this list yet, so, if you
are looking for a way to make the login process "easier" to the
final user (easier being veeery subjective here), then this might
be of interest: https://www.grc.com/sqrl/sqrl.htm
By the way: I'm not suggesting SQRL to be implemented in Keycloak, but
to take a look at how it is implemented and use a thing or two from it
when considering the "tap button to login" feature :-)
- - Juca.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQEcBAEBAgAGBQJUtiBMAAoJEDnJtskdmzLMfekH/AyMm6SXONW/GdhO9koT6Mje
ZCKYPoEJ56l/pDxZvIrUv40og9aThBNdHbTOUCm3jYzGr02ySEd8n8J2JEu3iRvw
VKThGuuwC/QGGUrhq1nsh4oqV/EuHnbvt3S9wnap4TToZD25H6TMUWByzRAiqGU6
KZfK3UnJtryVU0SzvX23S0sppZJGBvKKK5yWPlzh/YTwNpMehsUDY7IIQqW3vUbv
YjufwXT5rR8zIUnZJ/zgPbcASegtlcky6iexSRK2QuQliUD62xRp/4aerENZbQrf
ZXbAd352onhyQk+hPOUPckDmIPAL418jGaxhFqjUSoupht4jWYvKz5H+JGIyeaw=
=y0Ag
-----END PGP SIGNATURE-----
1:12 p.m.
On 1/14/2015 2:36 AM, Juraci Paixão Kröhling wrote:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 01/13/2015 05:11 PM, Bill Burke wrote:
> Why does a user have to enter in the OTP generated by their mobile
> device? Wouldn't it be cooler if the steps were:
>
> 1. Enter in username password in the browser 2. Browser blocks and
> wait for... 3. Press a button on your OTP iphone app 4. iphone app
> sends an HTTP message to Keycloak with username and generated OTP
> (in background) 5. Keycloak sees if a browser app is waiting for
> OTP verification, then verifies OTP if so.
How do you ensure that this browser is the same as the real user, and
not from an attacker?
The browser has correctly entered in a password. There would be a
timeout for the browser blocking/waiting for the background OTP transmit.
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
2:43 a.m.
I think we'd need some mechanism in place so the user knows he initiated the request.
Keycloak could for example display a random phrase, for example "RED SHOE" which
would also be displayed on the mobile. Banks in Norway use a similar mechanism.
----- Original Message -----
From: "Bill Burke" <bburke(a)redhat.com>
To: keycloak-dev(a)lists.jboss.org
Sent: Wednesday, 14 January, 2015 7:12:37 PM
Subject: Re: [keycloak-dev] Why do I have to enter the OTP?
On 1/14/2015 2:36 AM, Juraci Paixão Kröhling wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On 01/13/2015 05:11 PM, Bill Burke wrote:
>> Why does a user have to enter in the OTP generated by their mobile
>> device? Wouldn't it be cooler if the steps were:
>>
>> 1. Enter in username password in the browser 2. Browser blocks and
>> wait for... 3. Press a button on your OTP iphone app 4. iphone app
>> sends an HTTP message to Keycloak with username and generated OTP
>> (in background) 5. Keycloak sees if a browser app is waiting for
>> OTP verification, then verifies OTP if so.
>
> How do you ensure that this browser is the same as the real user, and
> not from an attacker?
>
The browser has correctly entered in a password. There would be a
timeout for the browser blocking/waiting for the background OTP transmit.
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
_______________________________________________
keycloak-dev mailing list
keycloak-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-dev
2:48 a.m.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 01/15/2015 08:43 AM, Stian Thorgersen wrote:
I think we'd need some mechanism in place so the user knows he
initiated the request. Keycloak could for example display a random
phrase, for example "RED SHOE" which would also be displayed on the
mobile. Banks in Norway use a similar mechanism.
I thought about something similar: a text on a box with a random
background color. Both the text and the color should match what is
seen in the browser. The user is probably never going to check the
text, but the color might get the user's attention.
- - Juca.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQEcBAEBAgAGBQJUt3DRAAoJEDnJtskdmzLMqTkH/iSCGIAIr3HQ49oUgwJ3KX4F
O4VbeCzX0AVX2i2wknHczpDUrmmytLVzHpxLtpa31BeK4V2jsyPkWmQBdwP3F5gP
pbuC3l7aXv7s9NvyQ1gIA01wRKnqBasalQoonhZ2yx+YMjEpm/opuniIZ5cD1Glr
fvvT8hFeUcGzLPesKb+3cGYR4H3PterRPjcD2RRR4f1rNsXXV/moswMYChamdmRd
XNEux3MnNmFgOniV9bsBzDC6dEhYXICOrlXR9HATWSmGdGsEElANY3v2o494oUq0
sGFcVMsujSjWACW6NTWfiTrSJgh+9aX9WDjFW/UkxZB3m4ufJJ82b3zO6IPIITA=
=eI+A
-----END PGP SIGNATURE-----
2:53 a.m.
----- Original Message -----
From: "Juraci Paixão Kröhling" <juraci(a)kroehling.de>
To: keycloak-dev(a)lists.jboss.org
Sent: Thursday, 15 January, 2015 8:48:33 AM
Subject: Re: [keycloak-dev] Why do I have to enter the OTP?
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 01/15/2015 08:43 AM, Stian Thorgersen wrote:
> I think we'd need some mechanism in place so the user knows he
> initiated the request. Keycloak could for example display a random
> phrase, for example "RED SHOE" which would also be displayed on the
> mobile. Banks in Norway use a similar mechanism.
I thought about something similar: a text on a box with a random
background color. Both the text and the color should match what is
seen in the browser. The user is probably never going to check the
text, but the color might get the user's attention.
Actually I think the two words work well, as they are always an adjective followed by a
noun they are easy to remember.
Not sure about color for a few reasons:
- It'll look horrible
- People filter out backgrounds
- Color mismatch between desktop and mobile screens
- - Juca.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQEcBAEBAgAGBQJUt3DRAAoJEDnJtskdmzLMqTkH/iSCGIAIr3HQ49oUgwJ3KX4F
O4VbeCzX0AVX2i2wknHczpDUrmmytLVzHpxLtpa31BeK4V2jsyPkWmQBdwP3F5gP
pbuC3l7aXv7s9NvyQ1gIA01wRKnqBasalQoonhZ2yx+YMjEpm/opuniIZ5cD1Glr
fvvT8hFeUcGzLPesKb+3cGYR4H3PterRPjcD2RRR4f1rNsXXV/moswMYChamdmRd
XNEux3MnNmFgOniV9bsBzDC6dEhYXICOrlXR9HATWSmGdGsEElANY3v2o494oUq0
sGFcVMsujSjWACW6NTWfiTrSJgh+9aX9WDjFW/UkxZB3m4ufJJ82b3zO6IPIITA=
=eI+A
-----END PGP SIGNATURE-----
_______________________________________________
keycloak-dev mailing list
keycloak-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-dev
3:03 a.m.
Look at YubiKey and FIDO U2F
----- Original Message -----
From: "Bill Burke" <bburke(a)redhat.com>
To: keycloak-dev(a)lists.jboss.org
Sent: Tuesday, 13 January, 2015 5:11:09 PM
Subject: [keycloak-dev] Why do I have to enter the OTP?
Why does a user have to enter in the OTP generated by their mobile
device? Wouldn't it be cooler if the steps were:
1. Enter in username password in the browser
2. Browser blocks and wait for...
3. Press a button on your OTP iphone app
4. iphone app sends an HTTP message to Keycloak with username and
generated OTP (in background)
5. Keycloak sees if a browser app is waiting for OTP verification, then
verifies OTP if so.
6. Browser unblocks and lets user in.
Now, the user doesn't ever have to enter the OTP (and mess it up like I
do all the time). They just need their mobile device.
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
_______________________________________________
keycloak-dev mailing list
keycloak-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-dev
3:21 a.m.
Maybe this is something that could be added to FreeOTP? That would be a good reason for
folks to switch to Red Hat's over Google's ;)
----- Original Message -----
From: "Stian Thorgersen" <stian(a)redhat.com>
To: "Bill Burke" <bburke(a)redhat.com>
Cc: keycloak-dev(a)lists.jboss.org
Sent: Wednesday, 14 January, 2015 9:03:05 AM
Subject: Re: [keycloak-dev] Why do I have to enter the OTP?
Look at YubiKey and FIDO U2F
----- Original Message -----
> From: "Bill Burke" <bburke(a)redhat.com>
> To: keycloak-dev(a)lists.jboss.org
> Sent: Tuesday, 13 January, 2015 5:11:09 PM
> Subject: [keycloak-dev] Why do I have to enter the OTP?
>
> Why does a user have to enter in the OTP generated by their mobile
> device? Wouldn't it be cooler if the steps were:
>
> 1. Enter in username password in the browser
> 2. Browser blocks and wait for...
> 3. Press a button on your OTP iphone app
> 4. iphone app sends an HTTP message to Keycloak with username and
> generated OTP (in background)
> 5. Keycloak sees if a browser app is waiting for OTP verification, then
> verifies OTP if so.
> 6. Browser unblocks and lets user in.
>
> Now, the user doesn't ever have to enter the OTP (and mess it up like I
> do all the time). They just need their mobile device.
>
>
>
> --
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>
_______________________________________________
keycloak-dev mailing list
keycloak-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-dev
8:35 a.m.
On 01/14/2015 03:21 AM, Stian Thorgersen wrote:
Maybe this is something that could be added to FreeOTP? That would be
a good reason for folks to switch to Red Hat's over Google's ;)
Speaking of
FreeOTP I've been meaning to finish up a PR which adds
Android Wear support...
----- Original Message -----
> From: "Stian Thorgersen" <stian(a)redhat.com>
> To: "Bill Burke" <bburke(a)redhat.com>
> Cc: keycloak-dev(a)lists.jboss.org
> Sent: Wednesday, 14 January, 2015 9:03:05 AM
> Subject: Re: [keycloak-dev] Why do I have to enter the OTP?
>
> Look at YubiKey and FIDO U2F
>
> ----- Original Message -----
>> From: "Bill Burke" <bburke(a)redhat.com>
>> To: keycloak-dev(a)lists.jboss.org
>> Sent: Tuesday, 13 January, 2015 5:11:09 PM
>> Subject: [keycloak-dev] Why do I have to enter the OTP?
>>
>> Why does a user have to enter in the OTP generated by their mobile
>> device? Wouldn't it be cooler if the steps were:
>>
>> 1. Enter in username password in the browser
>> 2. Browser blocks and wait for...
>> 3. Press a button on your OTP iphone app
>> 4. iphone app sends an HTTP message to Keycloak with username and
>> generated OTP (in background)
>> 5. Keycloak sees if a browser app is waiting for OTP verification, then
>> verifies OTP if so.
>> 6. Browser unblocks and lets user in.
>>
>> Now, the user doesn't ever have to enter the OTP (and mess it up like I
>> do all the time). They just need their mobile device.
>>
>>
>>
>> --
>> Bill Burke
>> JBoss, a division of Red Hat
>> http://bill.burkecentral.com
>> _______________________________________________
>> keycloak-dev mailing list
>> keycloak-dev(a)lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>>
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>
_______________________________________________
keycloak-dev mailing list
keycloak-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-dev
--
Summers Pittman
>Phone:404 941 4698
>Java is my crack.
3387
days inactive
3389
days old
15 comments
6 participants
participants (6)
-
Bill Burke -
Bruno Oliveira -
Christos Vasilakis -
Juraci Paixão Kröhling -
Stian Thorgersen -
Summers Pittman