On Fri, 22 Nov 2019 at 12:12, Jan Lieskovsky <jlieskov(a)redhat.com> wrote:
On Fri, Nov 22, 2019 at 11:37 AM Stian Thorgersen <sthorger(a)redhat.com>
wrote:
> Auto-generated labels like "Phone 1", etc. just looks stupid. I would
> rather make the label optional for the first one, but mandatory for the
> second one.
I like this approach. Should we use some base / template name for the
first one,
something like "Default one-time token", rather than just allow blank name?
A default value has no meaning to the user - unless it is somehow generated
based on the actual device used. For OTP that is not possible, so should
just be empty. For WebAuthn I believe we can take something from the
registration metadata as I think it does include information about the
device.
> A second one can only be added through the account console
> anyways and the users can then add a label to the first one if they didn't
> already do it.
Then can add or should be required to add?
For second one it should be required.
> For OTP I would consider not asking for a label for the
> first one. For WebAuthn I would always ask for one. By the way doesn't the
> WebAuthn registration include details about the device? Can't the device
> name from that be used as the label?
>
It's possible. If (re)-using this information, should we ask the user for
approval to be
able to use it? (not to possibly leak something, they wouldn't want to be
used) Or just use it?
It's information about the device, not the user, and it's already in the
registered credential I think. In either case it's just a default value and
the user should be able to change it.
>
> and you are right. UA parser doesn't help as most will probably register
> from their desktop, not the phone, so would be the wrong device name.
>
> Device name or Phone name, either works to be honest. I'd say Phone is
> better as 99% will use an app on a phone, not on the desktop, but okay
> with
> Device name as well.
>
> In the new account console it shouldn't display "Device name", but
rather
> just have it as a label next to the credential-name, and it should use
> something like cards, not tables. So would be something like:
>
> -------------------------------------------------------
> Authenticator app [Samsung] [default]
> -------------------------------------------------------
> Authenticator app [My tablet]
> -------------------------------------------------------
> Security key [YubiCo]
> -------------------------------------------------------
>
Similar here, if we are able somehow to extract the information in the
square brackets
from the underlying device automagically, should we ask the user for the
approval to use it?
(since it would be displayed on the following auth screens later)
If we can extract a sensible label it should just be the default on the
form, where the user can change it if they want to,
>
>
>
> On Fri, 22 Nov 2019 at 10:56, Marek Posolda <mposolda(a)redhat.com> wrote:
>
> > On 22. 11. 19 10:36, Stian Thorgersen wrote:
> >
> > For "Device name" field. What about "Phone name" and
prefilling it with
> > the name of the phone? We have the UA parser thing right so can just use
> > the value from that?
> >
> > Hmm, but UA parser is used for parsing requests sent to Keycloak server
> > AFAIK? And in case of OTP, the phone doesn't send any requests and
> doesn't
> > directly communicate with Keycloak server. So not sure how UA parser
> could
> > help?
> >
> > Marek
> >
> >
> > On Fri, 22 Nov 2019 at 10:34, Stian Thorgersen <sthorger(a)redhat.com>
> > wrote:
> >
> >> +1 "To try another way", but that should only be displayed if the
user
> is
> >> requested to setup two-factor and there are more choices. If a user has
> >> selected to enable OTP through the account console (AIA) it should not
> be
> >> displayed.
> >>
> >> On Thu, 21 Nov 2019 at 15:24, Marek Posolda <mposolda(a)redhat.com>
> wrote:
> >>
> >>> On 21. 11. 19 12:02, Marek Posolda wrote:
> >>> >
> >>> > I want to ask some feedback about the screen for the "Setup
TOTP" .
> >>> > I've created JIRA
https://issues.jboss.org/browse/KEYCLOAK-12168 ,
> >>> > which contains some screenshot of how currently the screen for the
> >>> > required action for "Setup OTP" looks like. In other
words, this is
> >>> > displayed to the user at the end of the authentication when he has
> >>> > "Setup TOTP" required action on him.
> >>> >
> >>> > Few questions:
> >>> >
> >>> > * Is the "Device name" appropriate label? Would
something like
> >>> > "Authenticator App Label" be better?
> >>> >
> >>> > * Should it be more emphasized that "Authenticator App
Label" is
> not
> >>> > mandatory? IMO it is currently not very clear. Also there is
> >>> > nothing in the help-text about this input field. Maybe we can
> add
> >>> > another sentence to point 3 like "Optionally provide
> Authenticator
> >>> > App Label as a reference." I am not very happy with that
> sentence.
> >>> > Any better ideas?
> >>> >
> >>> > * Alternatively we can use separate screen for providing the
> >>> > "Authenticator App Label" . In other words, there
will be just
> >>> > single input for OTP code and than once user clicks
"Submit" and
> >>> > OTP code is successfully verified, there will be another
screen
> >>> > where he can provide "Authenticator App Label" . It
seems Google
> >>> > is using separate screen for providing labels when user
register
> >>> > Security Key.
> >>> >
> >>> > * Any better ideas?
> >>> >
> >>> > * We can possibly improve the old account console in similar
> manner.
> >>> > Currently it looks like in screenshot
> setup-otp-account-mgmt.png .
> >>> > Maybe we can at least change the label for "Device
name" and
> also
> >>> > add another sentence to the help text?
> >>> >
> >>> One more point: At the bottom of the page for register TOTP, we
> possibly
> >>> need the link "Try another way" or something like that. This
link will
> >>> be displayed just if user is currently trying to "Register 2nd
factor
> >>> credential" because he is required to do so, and he has some more
> >>> alternative credential types to register (EG. WebAuthn).
> >>>
> >>> Marek
> >>>
> >>> > Thanks,
> >>> >
> >>> > Marek
> >>> >
> >>>
> >>> _______________________________________________
> >>> keycloak-dev mailing list
> >>> keycloak-dev(a)lists.jboss.org
> >>>
https://lists.jboss.org/mailman/listinfo/keycloak-dev
> >>>
> >>>
> >
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev(a)lists.jboss.org
>
https://lists.jboss.org/mailman/listinfo/keycloak-dev
>
>