On Mon, Nov 25, 2019 at 10:16 PM Bruno Oliveira <bruno(a)abstractj.org> wrote:
> Good afternoon,
>
> Stan started the work here[1] to provide a single page to manage
> credentials based on the New Account console feedback[2]; you can get
> an idea of what it looks like from this screenshot[3]. Please
> keep in mind that this is a WIP.
>
> Based on the mock-up[2] provided in the same document, there are some
> items that we need to clarify to move forward.
>
> 1. Is this a toggle switch (ON/OFF) for "Two-factor authentication"
> or just informative, to show that 2FA is turned on? If it's a toggle,
> should we handle this with AIA, by asking the user to re-authenticate?
> Today, we don't do this.
I'm not sure this switch makes much sense. What should it do? Remove all
two-factor authenticators? In that case, shouldn't it be a button? Or
should we add support for disabling an authenticator (which wouldn't remove
it)?

Also, can we actually have more than one 2FA? If there can be only one
authenticator at a time, the user can just click the Remove button next to it.

One more question which is a bit off topic. :) Wouldn't it make more sense
to combine the Password section with 2FA? I mean, 2FA cannot exist without
Password (here I mean the "legacy" 2FA, OTP, not passwordless credentials).
> 2. Mobile Authenticator - Hamburger menu with actions like
> delete/update. IMO it does not make sense to provide "update" as one of the
> actions. Maybe delete and view, to display all the devices enrolled.
+1, no need for hamburger menu.
> 3. Backup codes. Are we going to provide this? I'd say no, but it's
> better to confirm.
>
> 4. Additional two-factor authenticators. At the moment we don't have any
> way to use SMS, so I assume we're going to remove this. It seems to me
> that the Web Authentication section overlaps with the "Passwordless"
> section, but I may be wrong. Maybe we should choose which one we would
> like to keep to avoid confusion?
>
> 5. Passwordless section. Is the ON/OFF informative or a toggle switch
> between both states?
Does it make sense to have an ON/OFF switch at all? In case a user wants to
disable it, I think it is more straightforward to just remove the
authenticator.
> 6. Passwordless/Web Authentication. As I mentioned before, it seems to
> me like an overlap. But I may be wrong.
>
> Another thing that I was thinking of for "Web Authentication" is to show a
> hamburger menu with (Set up/View/Remove) instead of just "Set up".
>
> Any thoughts?
>
> [1] https://github.com/keycloak/keycloak/pull/6516
> [2] https://i.imgur.com/UWn3mch.png
> [3] https://i.imgur.com/1RKwx4A.png
> --
> abstractj
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev

--
Václav Muzikář
Senior Quality Engineer
Keycloak / Red Hat Single Sign-On
Red Hat Czech s.r.o.