6:02 a.m.
I want to ask some feedback about the screen for the "Setup TOTP" . I've
created JIRA https://issues.jboss.org/browse/KEYCLOAK-12168 , which
contains some screenshot of how currently the screen for the required
action for "Setup OTP" looks like. In other words, this is displayed to
the user at the end of the authentication when he has "Setup TOTP"
required action on him.
Few questions:
* Is the "Device name" appropriate label? Would something like
"Authenticator App Label" be better?
* Should it be more emphasized that "Authenticator App Label" is not
mandatory? IMO it is currently not very clear. Also there is nothing
in the help-text about this input field. Maybe we can add another
sentence to point 3 like "Optionally provide Authenticator App Label
as a reference." I am not very happy with that sentence. Any better
ideas?
* Alternatively we can use separate screen for providing the
"Authenticator App Label" . In other words, there will be just
single input for OTP code and than once user clicks "Submit" and OTP
code is successfully verified, there will be another screen where he
can provide "Authenticator App Label" . It seems Google is using
separate screen for providing labels when user register Security Key.
* Any better ideas?
* We can possibly improve the old account console in similar manner.
Currently it looks like in screenshot setup-otp-account-mgmt.png .
Maybe we can at least change the label for "Device name" and also
add another sentence to the help text?
Thanks,
Marek
9:20 a.m.
On 21. 11. 19 12:02, Marek Posolda wrote:
I want to ask some feedback about the screen for the "Setup TOTP" .
I've created JIRA https://issues.jboss.org/browse/KEYCLOAK-12168 ,
which contains some screenshot of how currently the screen for the
required action for "Setup OTP" looks like. In other words, this is
displayed to the user at the end of the authentication when he has
"Setup TOTP" required action on him.
Few questions:
* Is the "Device name" appropriate label? Would something like
"Authenticator App Label" be better?
* Should it be more emphasized that "Authenticator App Label" is not
mandatory? IMO it is currently not very clear. Also there is
nothing in the help-text about this input field. Maybe we can add
another sentence to point 3 like "Optionally provide Authenticator
App Label as a reference." I am not very happy with that sentence.
Any better ideas?
* Alternatively we can use separate screen for providing the
"Authenticator App Label" . In other words, there will be just
single input for OTP code and than once user clicks "Submit" and
OTP code is successfully verified, there will be another screen
where he can provide "Authenticator App Label" . It seems Google
is using separate screen for providing labels when user register
Security Key.
* Any better ideas?
* We can possibly improve the old account console in similar manner.
Currently it looks like in screenshot setup-otp-account-mgmt.png .
Maybe we can at least change the label for "Device name" and also
add another sentence to the help text?
One more point: At the bottom of the page for register TOTP, we possibly
need the link "Try another way" or something like that. This link will
be displayed just if user is currently trying to "Register 2nd factor
credential" because he is required to do so, and he has some more
alternative credential types to register (EG. WebAuthn).
Marek
Thanks,
Marek
4:22 p.m.
On 11/21/2019 9:20 AM, Marek Posolda wrote:
On 21. 11. 19 12:02, Marek Posolda wrote:
> I want to ask some feedback about the screen for the "Setup TOTP" .
> I've created JIRA https://issues.jboss.org/browse/KEYCLOAK-12168 ,
> which contains some screenshot of how currently the screen for the
> required action for "Setup OTP" looks like. In other words, this is
> displayed to the user at the end of the authentication when he has
> "Setup TOTP" required action on him.
>
> Few questions:
>
> * Is the "Device name" appropriate label? Would something like
> "Authenticator App Label" be better?
I think Device Name is
fine. You could put placeholder text inside the
field that says, "My Device". This would make it clear what it is for.
>
> * Should it be more emphasized that "Authenticator App Label" is not
> mandatory? IMO it is currently not very clear. Also there is
> nothing in the help-text about this input field. Maybe we can add
> another sentence to point 3 like "Optionally provide Authenticator
> App Label as a reference." I am not very happy with that sentence.
> Any better ideas?
I wouldn't count on the user reading and
comprehending what is in that
text. He will probably just skim that text. But it doesn't hurt to
explain a little more anyway. Suggestion for second sentence, "You can
optionally provide a Device Name to help you manage your OTP devices.
In addition, label the first field "One-time Code". It currently has no
label. Second field can be labeled "Device Name (optional)".
Normally, we use an asterisk to denote required vs. not required. Then
you have something like:
"* = Required fields" as a key. But with only two fields I think that
would be overkill. So just putting "optional" in parens seems best.
>
> * Alternatively we can use separate screen for providing the
> "Authenticator App Label" . In other words, there will be just
> single input for OTP code and than once user clicks "Submit" and
> OTP code is successfully verified, there will be another screen
> where he can provide "Authenticator App Label" . It seems Google
> is using separate screen for providing labels when user register
> Security Key.
>
> * Any better ideas?
>
> * We can possibly improve the old account console in similar manner.
> Currently it looks like in screenshot setup-otp-account-mgmt.png .
> Maybe we can at least change the label for "Device name" and also
> add another sentence to the help text?
>
One more point: At the bottom of the page for register TOTP, we possibly
need the link "Try another way" or something like that. This link will
be displayed just if user is currently trying to "Register 2nd factor
credential" because he is required to do so, and he has some more
alternative credential types to register (EG. WebAuthn).
If the user is unable to
complete the setup process he is stuck. At the
very least, the user needs somewhere to go back to. You could make him
start the login process over. From there he might be able to choose a
social login.
If "another way" is available then I agree that it should be provided as
an option.
Marek
> Thanks,
>
> Marek
>
_______________________________________________
keycloak-dev mailing list
keycloak-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-dev
3:14 a.m.
On 21. 11. 19 22:22, Stan Silvert wrote:
On 11/21/2019 9:20 AM, Marek Posolda wrote:
> On 21. 11. 19 12:02, Marek Posolda wrote:
>> I want to ask some feedback about the screen for the "Setup TOTP" .
>> I've created JIRA https://issues.jboss.org/browse/KEYCLOAK-12168 ,
>> which contains some screenshot of how currently the screen for the
>> required action for "Setup OTP" looks like. In other words, this is
>> displayed to the user at the end of the authentication when he has
>> "Setup TOTP" required action on him.
>>
>> Few questions:
>>
>> * Is the "Device name" appropriate label? Would something like
>> "Authenticator App Label" be better?
I think Device Name is fine. You could put placeholder text inside the
field that says, "My Device". This would make it clear what it is for.
Maybe. I think Stian had some issues with "Device Name" .
I see that in some cases the "Device Name" is probably fine. For example
if you have 2 phones "Xiaomi" and "Samsung" and you have Google
Authenticator installed on both phones, then you can use phone as Device
name as an authenticator. However there are some more use-cases for OTP
though, like software authenticators etc. AFAIR that was main argument
why "Device Name" is not so great.
But thanks for the feedback. I am curious for more feedback around this.
>> * Should it be more emphasized that "Authenticator
App Label" is not
>> mandatory? IMO it is currently not very clear. Also there is
>> nothing in the help-text about this input field. Maybe we can add
>> another sentence to point 3 like "Optionally provide Authenticator
>> App Label as a reference." I am not very happy with that sentence.
>> Any better ideas?
I wouldn't count on the user reading and comprehending what is in that
text. He will probably just skim that text. But it doesn't hurt to
explain a little more anyway. Suggestion for second sentence, "You can
optionally provide a Device Name to help you manage your OTP devices.
I think that
is much better than my sentence. Thanks!
In addition, label the first field "One-time Code". It currently has no
label. Second field can be labeled "Device Name (optional)".
Normally, we use an asterisk to denote required vs. not required. Then
you have something like:
"* = Required fields" as a key. But with only two fields I think that
would be overkill. So just putting "optional" in parens seems best.
Thanks, I was also thinking about adding label to both options and then
either use asterisk around "One-time Code" or instead use something like
"Device Name (optional)" on the second field. I think we will probably
go that way, unless there is better suggestion.
>> * Alternatively we can use separate screen for providing
the
>> "Authenticator App Label" . In other words, there will be just
>> single input for OTP code and than once user clicks "Submit" and
>> OTP code is successfully verified, there will be another screen
>> where he can provide "Authenticator App Label" . It seems Google
>> is using separate screen for providing labels when user register
>> Security Key.
>>
>> * Any better ideas?
>>
>> * We can possibly improve the old account console in similar manner.
>> Currently it looks like in screenshot setup-otp-account-mgmt.png .
>> Maybe we can at least change the label for "Device name" and
also
>> add another sentence to the help text?
>>
> One more point: At the bottom of the page for register TOTP, we possibly
> need the link "Try another way" or something like that. This link will
> be displayed just if user is currently trying to "Register 2nd factor
> credential" because he is required to do so, and he has some more
> alternative credential types to register (EG. WebAuthn).
If the user is unable to complete the setup process he is stuck. At the
very least, the user needs somewhere to go back to. You could make him
start the login process over. From there he might be able to choose a
social login.
BTV. That is another thing, which is planned. We will allow on all forms
to easily restart login process from the beginning
https://issues.jboss.org/browse/KEYCLOAK-12180 .
Marek
If "another way" is available then I agree that it should be provided as
an option.
> Marek
>
>> Thanks,
>>
>> Marek
>>
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev
_______________________________________________
keycloak-dev mailing list
keycloak-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-dev
4:34 a.m.
+1 "To try another way", but that should only be displayed if the user is
requested to setup two-factor and there are more choices. If a user has
selected to enable OTP through the account console (AIA) it should not be
displayed.
On Thu, 21 Nov 2019 at 15:24, Marek Posolda <mposolda(a)redhat.com> wrote:
On 21. 11. 19 12:02, Marek Posolda wrote:
>
> I want to ask some feedback about the screen for the "Setup TOTP" .
> I've created JIRA https://issues.jboss.org/browse/KEYCLOAK-12168 ,
> which contains some screenshot of how currently the screen for the
> required action for "Setup OTP" looks like. In other words, this is
> displayed to the user at the end of the authentication when he has
> "Setup TOTP" required action on him.
>
> Few questions:
>
> * Is the "Device name" appropriate label? Would something like
> "Authenticator App Label" be better?
>
> * Should it be more emphasized that "Authenticator App Label" is not
> mandatory? IMO it is currently not very clear. Also there is
> nothing in the help-text about this input field. Maybe we can add
> another sentence to point 3 like "Optionally provide Authenticator
> App Label as a reference." I am not very happy with that sentence.
> Any better ideas?
>
> * Alternatively we can use separate screen for providing the
> "Authenticator App Label" . In other words, there will be just
> single input for OTP code and than once user clicks "Submit" and
> OTP code is successfully verified, there will be another screen
> where he can provide "Authenticator App Label" . It seems Google
> is using separate screen for providing labels when user register
> Security Key.
>
> * Any better ideas?
>
> * We can possibly improve the old account console in similar manner.
> Currently it looks like in screenshot setup-otp-account-mgmt.png .
> Maybe we can at least change the label for "Device name" and also
> add another sentence to the help text?
>
One more point: At the bottom of the page for register TOTP, we possibly
need the link "Try another way" or something like that. This link will
be displayed just if user is currently trying to "Register 2nd factor
credential" because he is required to do so, and he has some more
alternative credential types to register (EG. WebAuthn).
Marek
> Thanks,
>
> Marek
>
_______________________________________________
keycloak-dev mailing list
keycloak-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-dev
4:36 a.m.
For "Device name" field. What about "Phone name" and prefilling it
with the
name of the phone? We have the UA parser thing right so can just use the
value from that?
On Fri, 22 Nov 2019 at 10:34, Stian Thorgersen <sthorger(a)redhat.com> wrote:
+1 "To try another way", but that should only be displayed
if the user is
requested to setup two-factor and there are more choices. If a user has
selected to enable OTP through the account console (AIA) it should not be
displayed.
On Thu, 21 Nov 2019 at 15:24, Marek Posolda <mposolda(a)redhat.com> wrote:
> On 21. 11. 19 12:02, Marek Posolda wrote:
> >
> > I want to ask some feedback about the screen for the "Setup TOTP" .
> > I've created JIRA https://issues.jboss.org/browse/KEYCLOAK-12168 ,
> > which contains some screenshot of how currently the screen for the
> > required action for "Setup OTP" looks like. In other words, this is
> > displayed to the user at the end of the authentication when he has
> > "Setup TOTP" required action on him.
> >
> > Few questions:
> >
> > * Is the "Device name" appropriate label? Would something like
> > "Authenticator App Label" be better?
> >
> > * Should it be more emphasized that "Authenticator App Label" is
not
> > mandatory? IMO it is currently not very clear. Also there is
> > nothing in the help-text about this input field. Maybe we can add
> > another sentence to point 3 like "Optionally provide Authenticator
> > App Label as a reference." I am not very happy with that sentence.
> > Any better ideas?
> >
> > * Alternatively we can use separate screen for providing the
> > "Authenticator App Label" . In other words, there will be just
> > single input for OTP code and than once user clicks "Submit" and
> > OTP code is successfully verified, there will be another screen
> > where he can provide "Authenticator App Label" . It seems Google
> > is using separate screen for providing labels when user register
> > Security Key.
> >
> > * Any better ideas?
> >
> > * We can possibly improve the old account console in similar manner.
> > Currently it looks like in screenshot setup-otp-account-mgmt.png .
> > Maybe we can at least change the label for "Device name" and also
> > add another sentence to the help text?
> >
> One more point: At the bottom of the page for register TOTP, we possibly
> need the link "Try another way" or something like that. This link will
> be displayed just if user is currently trying to "Register 2nd factor
> credential" because he is required to do so, and he has some more
> alternative credential types to register (EG. WebAuthn).
>
> Marek
>
> > Thanks,
> >
> > Marek
> >
>
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>
>
4:56 a.m.
On 22. 11. 19 10:36, Stian Thorgersen wrote:
For "Device name" field. What about "Phone name"
and prefilling it
with the name of the phone? We have the UA parser thing right so can
just use the value from that?
Hmm, but UA parser is used for parsing requests sent to Keycloak server
AFAIK? And in case of OTP, the phone doesn't send any requests and
doesn't directly communicate with Keycloak server. So not sure how UA
parser could help?
Marek
On Fri, 22 Nov 2019 at 10:34, Stian Thorgersen <sthorger(a)redhat.com
<mailto:sthorger@redhat.com>> wrote:
+1 "To try another way", but that should only be displayed if the
user is requested to setup two-factor and there are more choices.
If a user has selected to enable OTP through the account console
(AIA) it should not be displayed.
On Thu, 21 Nov 2019 at 15:24, Marek Posolda <mposolda(a)redhat.com
<mailto:mposolda@redhat.com>> wrote:
On 21. 11. 19 12:02, Marek Posolda wrote:
>
> I want to ask some feedback about the screen for the "Setup
TOTP" .
> I've created JIRA
https://issues.jboss.org/browse/KEYCLOAK-12168 ,
> which contains some screenshot of how currently the screen
for the
> required action for "Setup OTP" looks like. In other words,
this is
> displayed to the user at the end of the authentication when
he has
> "Setup TOTP" required action on him.
>
> Few questions:
>
> * Is the "Device name" appropriate label? Would something like
> "Authenticator App Label" be better?
>
> * Should it be more emphasized that "Authenticator App
Label" is not
> mandatory? IMO it is currently not very clear. Also there is
> nothing in the help-text about this input field. Maybe
we can add
> another sentence to point 3 like "Optionally provide
Authenticator
> App Label as a reference." I am not very happy with that
sentence.
> Any better ideas?
>
> * Alternatively we can use separate screen for providing the
> "Authenticator App Label" . In other words, there will
be just
> single input for OTP code and than once user clicks
"Submit" and
> OTP code is successfully verified, there will be another
screen
> where he can provide "Authenticator App Label" . It
seems Google
> is using separate screen for providing labels when user
register
> Security Key.
>
> * Any better ideas?
>
> * We can possibly improve the old account console in
similar manner.
> Currently it looks like in screenshot
setup-otp-account-mgmt.png .
> Maybe we can at least change the label for "Device name"
and also
> add another sentence to the help text?
>
One more point: At the bottom of the page for register TOTP,
we possibly
need the link "Try another way" or something like that. This
link will
be displayed just if user is currently trying to "Register 2nd
factor
credential" because he is required to do so, and he has some more
alternative credential types to register (EG. WebAuthn).
Marek
> Thanks,
>
> Marek
>
_______________________________________________
keycloak-dev mailing list
keycloak-dev(a)lists.jboss.org <mailto:keycloak-dev@lists.jboss.org>
https://lists.jboss.org/mailman/listinfo/keycloak-dev
5:36 a.m.
Auto-generated labels like "Phone 1", etc. just looks stupid. I would
rather make the label optional for the first one, but mandatory for the
second one. A second one can only be added through the account console
anyways and the users can then add a label to the first one if they didn't
already do it. For OTP I would consider not asking for a label for the
first one. For WebAuthn I would always ask for one. By the way doesn't the
WebAuthn registration include details about the device? Can't the device
name from that be used as the label?
and you are right. UA parser doesn't help as most will probably register
from their desktop, not the phone, so would be the wrong device name.
Device name or Phone name, either works to be honest. I'd say Phone is
better as 99% will use an app on a phone, not on the desktop, but okay with
Device name as well.
In the new account console it shouldn't display "Device name", but rather
just have it as a label next to the credential-name, and it should use
something like cards, not tables. So would be something like:
-------------------------------------------------------
Authenticator app [Samsung] [default]
-------------------------------------------------------
Authenticator app [My tablet]
-------------------------------------------------------
Security key [YubiCo]
-------------------------------------------------------
On Fri, 22 Nov 2019 at 10:56, Marek Posolda <mposolda(a)redhat.com> wrote:
On 22. 11. 19 10:36, Stian Thorgersen wrote:
For "Device name" field. What about "Phone name" and prefilling it
with
the name of the phone? We have the UA parser thing right so can just use
the value from that?
Hmm, but UA parser is used for parsing requests sent to Keycloak server
AFAIK? And in case of OTP, the phone doesn't send any requests and doesn't
directly communicate with Keycloak server. So not sure how UA parser could
help?
Marek
On Fri, 22 Nov 2019 at 10:34, Stian Thorgersen <sthorger(a)redhat.com>
wrote:
> +1 "To try another way", but that should only be displayed if the user is
> requested to setup two-factor and there are more choices. If a user has
> selected to enable OTP through the account console (AIA) it should not be
> displayed.
>
> On Thu, 21 Nov 2019 at 15:24, Marek Posolda <mposolda(a)redhat.com> wrote:
>
>> On 21. 11. 19 12:02, Marek Posolda wrote:
>> >
>> > I want to ask some feedback about the screen for the "Setup TOTP"
.
>> > I've created JIRA https://issues.jboss.org/browse/KEYCLOAK-12168 ,
>> > which contains some screenshot of how currently the screen for the
>> > required action for "Setup OTP" looks like. In other words, this
is
>> > displayed to the user at the end of the authentication when he has
>> > "Setup TOTP" required action on him.
>> >
>> > Few questions:
>> >
>> > * Is the "Device name" appropriate label? Would something like
>> > "Authenticator App Label" be better?
>> >
>> > * Should it be more emphasized that "Authenticator App Label" is
not
>> > mandatory? IMO it is currently not very clear. Also there is
>> > nothing in the help-text about this input field. Maybe we can add
>> > another sentence to point 3 like "Optionally provide Authenticator
>> > App Label as a reference." I am not very happy with that sentence.
>> > Any better ideas?
>> >
>> > * Alternatively we can use separate screen for providing the
>> > "Authenticator App Label" . In other words, there will be
just
>> > single input for OTP code and than once user clicks "Submit"
and
>> > OTP code is successfully verified, there will be another screen
>> > where he can provide "Authenticator App Label" . It seems
Google
>> > is using separate screen for providing labels when user register
>> > Security Key.
>> >
>> > * Any better ideas?
>> >
>> > * We can possibly improve the old account console in similar manner.
>> > Currently it looks like in screenshot setup-otp-account-mgmt.png .
>> > Maybe we can at least change the label for "Device name" and
also
>> > add another sentence to the help text?
>> >
>> One more point: At the bottom of the page for register TOTP, we possibly
>> need the link "Try another way" or something like that. This link will
>> be displayed just if user is currently trying to "Register 2nd factor
>> credential" because he is required to do so, and he has some more
>> alternative credential types to register (EG. WebAuthn).
>>
>> Marek
>>
>> > Thanks,
>> >
>> > Marek
>> >
>>
>> _______________________________________________
>> keycloak-dev mailing list
>> keycloak-dev(a)lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>>
>>
6:13 a.m.
On Fri, Nov 22, 2019 at 11:37 AM Stian Thorgersen <sthorger(a)redhat.com>
wrote:
Auto-generated labels like "Phone 1", etc. just looks
stupid. I would
rather make the label optional for the first one, but mandatory for the
second one.
I like this approach. Should we use some base / template name for the first
one,
something like "Default one-time token", rather than just allow blank name?
A second one can only be added through the account console
anyways and the users can then add a label to the first one if they didn't
already do it.
Then can add or should be required to add?
For OTP I would consider not asking for a label for the
first one. For WebAuthn I would always ask for one. By the way doesn't the
WebAuthn registration include details about the device? Can't the device
name from that be used as the label?
It's possible. If (re)-using this information, should we ask the user for
approval to be
able to use it? (not to possibly leak something, they wouldn't want to be
used) Or just use it?
and you are right. UA parser doesn't help as most will probably register
from their desktop, not the phone, so would be the wrong device name.
Device name or Phone name, either works to be honest. I'd say Phone is
better as 99% will use an app on a phone, not on the desktop, but okay with
Device name as well.
In the new account console it shouldn't display "Device name", but rather
just have it as a label next to the credential-name, and it should use
something like cards, not tables. So would be something like:
-------------------------------------------------------
Authenticator app [Samsung] [default]
-------------------------------------------------------
Authenticator app [My tablet]
-------------------------------------------------------
Security key [YubiCo]
-------------------------------------------------------
Similar here, if we are able somehow to extract the information in the
square brackets
from the underlying device automagically, should we ask the user for the
approval to use it?
(since it would be displayed on the following auth screens later)
On Fri, 22 Nov 2019 at 10:56, Marek Posolda <mposolda(a)redhat.com> wrote:
> On 22. 11. 19 10:36, Stian Thorgersen wrote:
>
> For "Device name" field. What about "Phone name" and prefilling
it with
> the name of the phone? We have the UA parser thing right so can just use
> the value from that?
>
> Hmm, but UA parser is used for parsing requests sent to Keycloak server
> AFAIK? And in case of OTP, the phone doesn't send any requests and
doesn't
> directly communicate with Keycloak server. So not sure how UA parser
could
> help?
>
> Marek
>
>
> On Fri, 22 Nov 2019 at 10:34, Stian Thorgersen <sthorger(a)redhat.com>
> wrote:
>
>> +1 "To try another way", but that should only be displayed if the
user
is
>> requested to setup two-factor and there are more choices. If a user has
>> selected to enable OTP through the account console (AIA) it should not
be
>> displayed.
>>
>> On Thu, 21 Nov 2019 at 15:24, Marek Posolda <mposolda(a)redhat.com>
wrote:
>>
>>> On 21. 11. 19 12:02, Marek Posolda wrote:
>>> >
>>> > I want to ask some feedback about the screen for the "Setup
TOTP" .
>>> > I've created JIRA https://issues.jboss.org/browse/KEYCLOAK-12168 ,
>>> > which contains some screenshot of how currently the screen for the
>>> > required action for "Setup OTP" looks like. In other words,
this is
>>> > displayed to the user at the end of the authentication when he has
>>> > "Setup TOTP" required action on him.
>>> >
>>> > Few questions:
>>> >
>>> > * Is the "Device name" appropriate label? Would something
like
>>> > "Authenticator App Label" be better?
>>> >
>>> > * Should it be more emphasized that "Authenticator App
Label" is
not
>>> > mandatory? IMO it is currently not very clear. Also there is
>>> > nothing in the help-text about this input field. Maybe we can add
>>> > another sentence to point 3 like "Optionally provide
Authenticator
>>> > App Label as a reference." I am not very happy with that
sentence.
>>> > Any better ideas?
>>> >
>>> > * Alternatively we can use separate screen for providing the
>>> > "Authenticator App Label" . In other words, there will be
just
>>> > single input for OTP code and than once user clicks
"Submit" and
>>> > OTP code is successfully verified, there will be another screen
>>> > where he can provide "Authenticator App Label" . It seems
Google
>>> > is using separate screen for providing labels when user register
>>> > Security Key.
>>> >
>>> > * Any better ideas?
>>> >
>>> > * We can possibly improve the old account console in similar
manner.
>>> > Currently it looks like in screenshot setup-otp-account-mgmt.png
.
>>> > Maybe we can at least change the label for "Device name"
and also
>>> > add another sentence to the help text?
>>> >
>>> One more point: At the bottom of the page for register TOTP, we
possibly
>>> need the link "Try another way" or something like that. This link
will
>>> be displayed just if user is currently trying to "Register 2nd factor
>>> credential" because he is required to do so, and he has some more
>>> alternative credential types to register (EG. WebAuthn).
>>>
>>> Marek
>>>
>>> > Thanks,
>>> >
>>> > Marek
>>> >
>>>
>>> _______________________________________________
>>> keycloak-dev mailing list
>>> keycloak-dev(a)lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>>>
>>>
>
_______________________________________________
keycloak-dev mailing list
keycloak-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-dev
6:37 a.m.
On 22. 11. 19 12:13, Jan Lieskovsky wrote:
On Fri, Nov 22, 2019 at 11:37 AM Stian Thorgersen <sthorger(a)redhat.com
<mailto:sthorger@redhat.com>> wrote:
Auto-generated labels like "Phone 1", etc. just looks stupid. I would
rather make the label optional for the first one, but mandatory
for the
second one.
I like this approach. Should we use some base / template name for the
first one,
something like "Default one-time token", rather than just allow blank
name?
Yes, so if "device name" will be optional (or even not present) for
the
first OTP, and we don't want to auto-generate anything, then we can
always end in situations when some of the OTP doesn't have label. Then
during authentication, display nothing or display UUID seems to be even
more stupid than display something auto-generated like "Phone 1" IMO :)
So question is what to display? Not sure that "Default" works, as the
OTP without label doesn't necessarily be the default one... Right now, I
can't come with anything better than "Phone 1" TBH... ;)
A second one can only be added through the account console
anyways and the users can then add a label to the first one if
they didn't
already do it.
Then can add or should be required to add?
Yes, it will be nice if we can
"force" user to add label to first OTP
after he registers second OTP. But I doubt it will be possible to do it
in nice and friendly way...
For OTP I would consider not asking for a label for the
first one. For WebAuthn I would always ask for one. By the way
doesn't the
WebAuthn registration include details about the device? Can't the
device
name from that be used as the label?
It's possible. If (re)-using this information, should we ask the user
for approval to be
able to use it? (not to possibly leak something, they wouldn't want to
be used) Or just use it?
I think it's not reliably possible to retrieve details about device from
the WebAuthn registration. At least in a way that device info is
possible to use as a label. CCing Takashi Norimatsu, who can possibly
confirm. I agree that label should be mandatory during WebAuthn
registration and it is how it works today. Also Google works this way
and requires some label to be added AFAIK.
Marek
and you are right. UA parser doesn't help as most will probably
register
from their desktop, not the phone, so would be the wrong device name.
Device name or Phone name, either works to be honest. I'd say Phone is
better as 99% will use an app on a phone, not on the desktop, but
okay with
Device name as well.
In the new account console it shouldn't display "Device name", but
rather
just have it as a label next to the credential-name, and it should use
something like cards, not tables. So would be something like:
-------------------------------------------------------
Authenticator app [Samsung] [default]
-------------------------------------------------------
Authenticator app [My tablet]
-------------------------------------------------------
Security key [YubiCo]
-------------------------------------------------------
Similar here, if we are able somehow to extract the information in the
square brackets
from the underlying device automagically, should we ask the user for
the approval to use it?
(since it would be displayed on the following auth screens later)
On Fri, 22 Nov 2019 at 10:56, Marek Posolda <mposolda(a)redhat.com
<mailto:mposolda@redhat.com>> wrote:
> On 22. 11. 19 10:36, Stian Thorgersen wrote:
>
> For "Device name" field. What about "Phone name" and
prefilling
it with
> the name of the phone? We have the UA parser thing right so can
just use
> the value from that?
>
> Hmm, but UA parser is used for parsing requests sent to Keycloak
server
> AFAIK? And in case of OTP, the phone doesn't send any requests
and doesn't
> directly communicate with Keycloak server. So not sure how UA
parser could
> help?
>
> Marek
>
>
> On Fri, 22 Nov 2019 at 10:34, Stian Thorgersen
<sthorger(a)redhat.com <mailto:sthorger@redhat.com>>
> wrote:
>
>> +1 "To try another way", but that should only be displayed if
the user is
>> requested to setup two-factor and there are more choices. If a
user has
>> selected to enable OTP through the account console (AIA) it
should not be
>> displayed.
>>
>> On Thu, 21 Nov 2019 at 15:24, Marek Posolda
<mposolda(a)redhat.com <mailto:mposolda@redhat.com>> wrote:
>>
>>> On 21. 11. 19 12:02, Marek Posolda wrote:
>>> >
>>> > I want to ask some feedback about the screen for the "Setup
TOTP" .
>>> > I've created JIRA
https://issues.jboss.org/browse/KEYCLOAK-12168 ,
>>> > which contains some screenshot of how currently the screen
for the
>>> > required action for "Setup OTP" looks like. In other
words,
this is
>>> > displayed to the user at the end of the authentication when
he has
>>> > "Setup TOTP" required action on him.
>>> >
>>> > Few questions:
>>> >
>>> > * Is the "Device name" appropriate label? Would
something like
>>> > "Authenticator App Label" be better?
>>> >
>>> > * Should it be more emphasized that "Authenticator App
Label" is not
>>> > mandatory? IMO it is currently not very clear. Also there is
>>> > nothing in the help-text about this input field. Maybe
we can add
>>> > another sentence to point 3 like "Optionally provide
Authenticator
>>> > App Label as a reference." I am not very happy with that
sentence.
>>> > Any better ideas?
>>> >
>>> > * Alternatively we can use separate screen for providing the
>>> > "Authenticator App Label" . In other words, there
will
be just
>>> > single input for OTP code and than once user clicks
"Submit" and
>>> > OTP code is successfully verified, there will be another
screen
>>> > where he can provide "Authenticator App Label" . It
seems Google
>>> > is using separate screen for providing labels when user
register
>>> > Security Key.
>>> >
>>> > * Any better ideas?
>>> >
>>> > * We can possibly improve the old account console in
similar manner.
>>> > Currently it looks like in screenshot
setup-otp-account-mgmt.png .
>>> > Maybe we can at least change the label for "Device
name"
and also
>>> > add another sentence to the help text?
>>> >
>>> One more point: At the bottom of the page for register TOTP,
we possibly
>>> need the link "Try another way" or something like that. This
link will
>>> be displayed just if user is currently trying to "Register 2nd
factor
>>> credential" because he is required to do so, and he has some more
>>> alternative credential types to register (EG. WebAuthn).
>>>
>>> Marek
>>>
>>> > Thanks,
>>> >
>>> > Marek
>>> >
>>>
>>> _______________________________________________
>>> keycloak-dev mailing list
>>> keycloak-dev(a)lists.jboss.org
<mailto:keycloak-dev@lists.jboss.org>
>>> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>>>
>>>
>
_______________________________________________
keycloak-dev mailing list
keycloak-dev(a)lists.jboss.org <mailto:keycloak-dev@lists.jboss.org>
https://lists.jboss.org/mailman/listinfo/keycloak-dev
6:40 a.m.
On Fri, 22 Nov 2019 at 12:37, Marek Posolda <mposolda(a)redhat.com> wrote:
On 22. 11. 19 12:13, Jan Lieskovsky wrote:
On Fri, Nov 22, 2019 at 11:37 AM Stian Thorgersen <sthorger(a)redhat.com>
wrote:
> Auto-generated labels like "Phone 1", etc. just looks stupid. I would
> rather make the label optional for the first one, but mandatory for the
> second one.
I like this approach. Should we use some base / template name for the
first one,
something like "Default one-time token", rather than just allow blank name?
Yes, so if "device name" will be optional (or even not present) for the
first OTP, and we don't want to auto-generate anything, then we can always
end in situations when some of the OTP doesn't have label. Then during
authentication, display nothing or display UUID seems to be even more
stupid than display something auto-generated like "Phone 1" IMO :) So
question is what to display? Not sure that "Default" works, as the OTP
without label doesn't necessarily be the default one... Right now, I can't
come with anything better than "Phone 1" TBH... ;)
I'm assuming you are now talking about the login otp form. In that I think
it should just say "Unnamed" in grey.
> A second one can only be added through the account console
> anyways and the users can then add a label to the first one if they didn't
> already do it.
Then can add or should be required to add?
Yes, it will be nice if we can "force" user to add label to first OTP
after he registers second OTP. But I doubt it will be possible to do it in
nice and friendly way...
I don't see a need for that - the user is in the account console and can
see the unnamed OTP and can easily rename it from there.
> For OTP I would consider not asking for a label for the
> first one. For WebAuthn I would always ask for one. By the way doesn't the
> WebAuthn registration include details about the device? Can't the device
> name from that be used as the label?
>
It's possible. If (re)-using this information, should we ask the user for
approval to be
able to use it? (not to possibly leak something, they wouldn't want to be
used) Or just use it?
I think it's not reliably possible to retrieve details about device from
the WebAuthn registration. At least in a way that device info is possible
to use as a label. CCing Takashi Norimatsu, who can possibly confirm. I
agree that label should be mandatory during WebAuthn registration and it is
how it works today. Also Google works this way and requires some label to
be added AFAIK.
Marek
>
> and you are right. UA parser doesn't help as most will probably register
> from their desktop, not the phone, so would be the wrong device name.
>
> Device name or Phone name, either works to be honest. I'd say Phone is
> better as 99% will use an app on a phone, not on the desktop, but okay
> with
> Device name as well.
>
> In the new account console it shouldn't display "Device name", but
rather
> just have it as a label next to the credential-name, and it should use
> something like cards, not tables. So would be something like:
>
> -------------------------------------------------------
> Authenticator app [Samsung] [default]
> -------------------------------------------------------
> Authenticator app [My tablet]
> -------------------------------------------------------
> Security key [YubiCo]
> -------------------------------------------------------
>
Similar here, if we are able somehow to extract the information in the
square brackets
from the underlying device automagically, should we ask the user for the
approval to use it?
(since it would be displayed on the following auth screens later)
>
>
>
> On Fri, 22 Nov 2019 at 10:56, Marek Posolda <mposolda(a)redhat.com> wrote:
>
> > On 22. 11. 19 10:36, Stian Thorgersen wrote:
> >
> > For "Device name" field. What about "Phone name" and
prefilling it with
> > the name of the phone? We have the UA parser thing right so can just use
> > the value from that?
> >
> > Hmm, but UA parser is used for parsing requests sent to Keycloak server
> > AFAIK? And in case of OTP, the phone doesn't send any requests and
> doesn't
> > directly communicate with Keycloak server. So not sure how UA parser
> could
> > help?
> >
> > Marek
> >
> >
> > On Fri, 22 Nov 2019 at 10:34, Stian Thorgersen <sthorger(a)redhat.com>
> > wrote:
> >
> >> +1 "To try another way", but that should only be displayed if the
user
> is
> >> requested to setup two-factor and there are more choices. If a user has
> >> selected to enable OTP through the account console (AIA) it should not
> be
> >> displayed.
> >>
> >> On Thu, 21 Nov 2019 at 15:24, Marek Posolda <mposolda(a)redhat.com>
> wrote:
> >>
> >>> On 21. 11. 19 12:02, Marek Posolda wrote:
> >>> >
> >>> > I want to ask some feedback about the screen for the "Setup
TOTP" .
> >>> > I've created JIRA
https://issues.jboss.org/browse/KEYCLOAK-12168 ,
> >>> > which contains some screenshot of how currently the screen for the
> >>> > required action for "Setup OTP" looks like. In other
words, this is
> >>> > displayed to the user at the end of the authentication when he has
> >>> > "Setup TOTP" required action on him.
> >>> >
> >>> > Few questions:
> >>> >
> >>> > * Is the "Device name" appropriate label? Would
something like
> >>> > "Authenticator App Label" be better?
> >>> >
> >>> > * Should it be more emphasized that "Authenticator App
Label" is
> not
> >>> > mandatory? IMO it is currently not very clear. Also there is
> >>> > nothing in the help-text about this input field. Maybe we can
> add
> >>> > another sentence to point 3 like "Optionally provide
> Authenticator
> >>> > App Label as a reference." I am not very happy with that
> sentence.
> >>> > Any better ideas?
> >>> >
> >>> > * Alternatively we can use separate screen for providing the
> >>> > "Authenticator App Label" . In other words, there
will be just
> >>> > single input for OTP code and than once user clicks
"Submit" and
> >>> > OTP code is successfully verified, there will be another
screen
> >>> > where he can provide "Authenticator App Label" . It
seems Google
> >>> > is using separate screen for providing labels when user
register
> >>> > Security Key.
> >>> >
> >>> > * Any better ideas?
> >>> >
> >>> > * We can possibly improve the old account console in similar
> manner.
> >>> > Currently it looks like in screenshot
> setup-otp-account-mgmt.png .
> >>> > Maybe we can at least change the label for "Device
name" and
> also
> >>> > add another sentence to the help text?
> >>> >
> >>> One more point: At the bottom of the page for register TOTP, we
> possibly
> >>> need the link "Try another way" or something like that. This
link will
> >>> be displayed just if user is currently trying to "Register 2nd
factor
> >>> credential" because he is required to do so, and he has some more
> >>> alternative credential types to register (EG. WebAuthn).
> >>>
> >>> Marek
> >>>
> >>> > Thanks,
> >>> >
> >>> > Marek
> >>> >
> >>>
> >>> _______________________________________________
> >>> keycloak-dev mailing list
> >>> keycloak-dev(a)lists.jboss.org
> >>> https://lists.jboss.org/mailman/listinfo/keycloak-dev
> >>>
> >>>
> >
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>
>
9:09 a.m.
On 22. 11. 19 12:40, Stian Thorgersen wrote:
On Fri, 22 Nov 2019 at 12:37, Marek Posolda <mposolda(a)redhat.com
<mailto:mposolda@redhat.com>> wrote:
On 22. 11. 19 12:13, Jan Lieskovsky wrote:
>
>
> On Fri, Nov 22, 2019 at 11:37 AM Stian Thorgersen
> <sthorger(a)redhat.com <mailto:sthorger@redhat.com>> wrote:
>
> Auto-generated labels like "Phone 1", etc. just looks stupid.
> I would
> rather make the label optional for the first one, but
> mandatory for the
> second one.
>
>
> I like this approach. Should we use some base / template name for
> the first one,
> something like "Default one-time token", rather than just allow
> blank name?
Yes, so if "device name" will be optional (or even not present)
for the first OTP, and we don't want to auto-generate anything,
then we can always end in situations when some of the OTP doesn't
have label. Then during authentication, display nothing or display
UUID seems to be even more stupid than display something
auto-generated like "Phone 1" IMO :) So question is what to
display? Not sure that "Default" works, as the OTP without label
doesn't necessarily be the default one... Right now, I can't come
with anything better than "Phone 1" TBH... ;)
I'm assuming you are now talking about the login otp form. In that I
think it should just say "Unnamed" in grey.
Ok, that works. Thanks
Marek
>
> A second one can only be added through the account console
> anyways and the users can then add a label to the first one
> if they didn't
> already do it.
>
>
> Then can add or should be required to add?
Yes, it will be nice if we can "force" user to add label to first
OTP after he registers second OTP. But I doubt it will be possible
to do it in nice and friendly way...
I don't see a need for that - the user is in the account console and
can see the unnamed OTP and can easily rename it from there.
>
> For OTP I would consider not asking for a label for the
> first one. For WebAuthn I would always ask for one. By the
> way doesn't the
> WebAuthn registration include details about the device? Can't
> the device
> name from that be used as the label?
>
>
> It's possible. If (re)-using this information, should we ask the
> user for approval to be
> able to use it? (not to possibly leak something, they wouldn't
> want to be used) Or just use it?
I think it's not reliably possible to retrieve details about
device from the WebAuthn registration. At least in a way that
device info is possible to use as a label. CCing Takashi
Norimatsu, who can possibly confirm. I agree that label should be
mandatory during WebAuthn registration and it is how it works
today. Also Google works this way and requires some label to be
added AFAIK.
Marek
>
> and you are right. UA parser doesn't help as most will
> probably register
> from their desktop, not the phone, so would be the wrong
> device name.
>
> Device name or Phone name, either works to be honest. I'd say
> Phone is
> better as 99% will use an app on a phone, not on the desktop,
> but okay with
> Device name as well.
>
> In the new account console it shouldn't display "Device
> name", but rather
> just have it as a label next to the credential-name, and it
> should use
> something like cards, not tables. So would be something like:
>
> -------------------------------------------------------
> Authenticator app [Samsung] [default]
> -------------------------------------------------------
> Authenticator app [My tablet]
> -------------------------------------------------------
> Security key [YubiCo]
> -------------------------------------------------------
>
>
> Similar here, if we are able somehow to extract the information
> in the square brackets
> from the underlying device automagically, should we ask the user
> for the approval to use it?
> (since it would be displayed on the following auth screens later)
>
>
>
>
> On Fri, 22 Nov 2019 at 10:56, Marek Posolda
> <mposolda(a)redhat.com <mailto:mposolda@redhat.com>> wrote:
>
> > On 22. 11. 19 10:36, Stian Thorgersen wrote:
> >
> > For "Device name" field. What about "Phone name"
and
> prefilling it with
> > the name of the phone? We have the UA parser thing right so
> can just use
> > the value from that?
> >
> > Hmm, but UA parser is used for parsing requests sent to
> Keycloak server
> > AFAIK? And in case of OTP, the phone doesn't send any
> requests and doesn't
> > directly communicate with Keycloak server. So not sure how
> UA parser could
> > help?
> >
> > Marek
> >
> >
> > On Fri, 22 Nov 2019 at 10:34, Stian Thorgersen
> <sthorger(a)redhat.com <mailto:sthorger@redhat.com>>
> > wrote:
> >
> >> +1 "To try another way", but that should only be
displayed
> if the user is
> >> requested to setup two-factor and there are more choices.
> If a user has
> >> selected to enable OTP through the account console (AIA)
> it should not be
> >> displayed.
> >>
> >> On Thu, 21 Nov 2019 at 15:24, Marek Posolda
> <mposolda(a)redhat.com <mailto:mposolda@redhat.com>> wrote:
> >>
> >>> On 21. 11. 19 12:02, Marek Posolda wrote:
> >>> >
> >>> > I want to ask some feedback about the screen for the
> "Setup TOTP" .
> >>> > I've created JIRA
> https://issues.jboss.org/browse/KEYCLOAK-12168 ,
> >>> > which contains some screenshot of how currently the
> screen for the
> >>> > required action for "Setup OTP" looks like. In
other
> words, this is
> >>> > displayed to the user at the end of the authentication
> when he has
> >>> > "Setup TOTP" required action on him.
> >>> >
> >>> > Few questions:
> >>> >
> >>> > * Is the "Device name" appropriate label?
Would
> something like
> >>> > "Authenticator App Label" be better?
> >>> >
> >>> > * Should it be more emphasized that "Authenticator
> App Label" is not
> >>> > mandatory? IMO it is currently not very clear. Also
> there is
> >>> > nothing in the help-text about this input field.
> Maybe we can add
> >>> > another sentence to point 3 like "Optionally
> provide Authenticator
> >>> > App Label as a reference." I am not very happy
with
> that sentence.
> >>> > Any better ideas?
> >>> >
> >>> > * Alternatively we can use separate screen for
> providing the
> >>> > "Authenticator App Label" . In other words,
there
> will be just
> >>> > single input for OTP code and than once user clicks
> "Submit" and
> >>> > OTP code is successfully verified, there will be
> another screen
> >>> > where he can provide "Authenticator App
Label" . It
> seems Google
> >>> > is using separate screen for providing labels when
> user register
> >>> > Security Key.
> >>> >
> >>> > * Any better ideas?
> >>> >
> >>> > * We can possibly improve the old account console in
> similar manner.
> >>> > Currently it looks like in screenshot
> setup-otp-account-mgmt.png .
> >>> > Maybe we can at least change the label for
"Device
> name" and also
> >>> > add another sentence to the help text?
> >>> >
> >>> One more point: At the bottom of the page for register
> TOTP, we possibly
> >>> need the link "Try another way" or something like
that.
> This link will
> >>> be displayed just if user is currently trying to
> "Register 2nd factor
> >>> credential" because he is required to do so, and he has
> some more
> >>> alternative credential types to register (EG. WebAuthn).
> >>>
> >>> Marek
> >>>
> >>> > Thanks,
> >>> >
> >>> > Marek
> >>> >
> >>>
> >>> _______________________________________________
> >>> keycloak-dev mailing list
> >>> keycloak-dev(a)lists.jboss.org
> <mailto:keycloak-dev@lists.jboss.org>
> >>> https://lists.jboss.org/mailman/listinfo/keycloak-dev
> >>>
> >>>
> >
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev(a)lists.jboss.org
> <mailto:keycloak-dev@lists.jboss.org>
> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>
11:39 p.m.
Hello,
As Marek said, it seems not to be possible to retrieve a webauthn authenticator's
information on its registration. Please refer to the section "Public Key Credential -
Managed Information on Public Key Credential - Metadata - Metadata candidates
consideration" of design document
(https://github.com/keycloak/keycloak-community/blob/master/design/web-aut...).
Regards,
Takashi Norimatsu
Hitachi, Ltd.
From: Marek Posolda <mposolda(a)redhat.com>
Sent: Friday, November 22, 2019 8:38 PM
To: Jan Lieskovsky <jlieskov(a)redhat.com>; Stian Thorgersen
<stian(a)redhat.com>
Cc: keycloak-dev(a)lists.jboss.org; 乗松隆志 / NORIMATSU,TAKASHI
<takashi.norimatsu.ws(a)hitachi.com>
Subject: [!]Re: [keycloak-dev] Usability: Improve screen for setup TOTP
On 22. 11. 19 12:13, Jan Lieskovsky wrote:
On Fri, Nov 22, 2019 at 11:37 AM Stian Thorgersen
<sthorger@redhat.com<mailto:sthorger@redhat.com>> wrote:
Auto-generated labels like "Phone 1", etc. just looks stupid. I would
rather make the label optional for the first one, but mandatory for the
second one.
I like this approach. Should we use some base / template name for the first one,
something like "Default one-time token", rather than just allow blank name?
Yes, so if "device name" will be optional (or even not present) for the first
OTP, and we don't want to auto-generate anything, then we can always end in situations
when some of the OTP doesn't have label. Then during authentication, display nothing
or display UUID seems to be even more stupid than display something auto-generated like
"Phone 1" IMO :) So question is what to display? Not sure that
"Default" works, as the OTP without label doesn't necessarily be the default
one... Right now, I can't come with anything better than "Phone 1" TBH...
;)
A second one can only be added through the account console
anyways and the users can then add a label to the first one if they didn't
already do it.
Then can add or should be required to add?
Yes, it will be nice if we can "force" user to add label to first OTP after he
registers second OTP. But I doubt it will be possible to do it in nice and friendly
way...
For OTP I would consider not asking for a label for the
first one. For WebAuthn I would always ask for one. By the way doesn't the
WebAuthn registration include details about the device? Can't the device
name from that be used as the label?
It's possible. If (re)-using this information, should we ask the user for approval to
be
able to use it? (not to possibly leak something, they wouldn't want to be used) Or
just use it?
I think it's not reliably possible to retrieve details about device from the WebAuthn
registration. At least in a way that device info is possible to use as a label. CCing
Takashi Norimatsu, who can possibly confirm. I agree that label should be mandatory during
WebAuthn registration and it is how it works today. Also Google works this way and
requires some label to be added AFAIK.
Marek
and you are right. UA parser doesn't help as most will probably register
from their desktop, not the phone, so would be the wrong device name.
Device name or Phone name, either works to be honest. I'd say Phone is
better as 99% will use an app on a phone, not on the desktop, but okay with
Device name as well.
In the new account console it shouldn't display "Device name", but rather
just have it as a label next to the credential-name, and it should use
something like cards, not tables. So would be something like:
-------------------------------------------------------
Authenticator app [Samsung] [default]
-------------------------------------------------------
Authenticator app [My tablet]
-------------------------------------------------------
Security key [YubiCo]
-------------------------------------------------------
Similar here, if we are able somehow to extract the information in the square brackets
from the underlying device automagically, should we ask the user for the approval to use
it?
(since it would be displayed on the following auth screens later)
On Fri, 22 Nov 2019 at 10:56, Marek Posolda
<mposolda@redhat.com<mailto:mposolda@redhat.com>> wrote:
On 22. 11. 19 10:36, Stian Thorgersen wrote:
For "Device name" field. What about "Phone name" and prefilling it
with
the name of the phone? We have the UA parser thing right so can just use
the value from that?
Hmm, but UA parser is used for parsing requests sent to Keycloak server
AFAIK? And in case of OTP, the phone doesn't send any requests and doesn't
directly communicate with Keycloak server. So not sure how UA parser could
help?
Marek
On Fri, 22 Nov 2019 at 10:34, Stian Thorgersen
<sthorger@redhat.com<mailto:sthorger@redhat.com>>
wrote:
> +1 "To try another way", but that should only be displayed if the user is
> requested to setup two-factor and there are more choices. If a user has
> selected to enable OTP through the account console (AIA) it should not be
> displayed.
>
> On Thu, 21 Nov 2019 at 15:24, Marek Posolda
<mposolda@redhat.com<mailto:mposolda@redhat.com>> wrote:
>
>> On 21. 11. 19 12:02, Marek Posolda wrote:
>> >
>> > I want to ask some feedback about the screen for the "Setup TOTP"
.
>> > I've created JIRA
https://issues.jboss.org/browse/KEYCLOAK-12168<https://clicktime.syman...
,
>> > which contains some screenshot of how currently the screen for the
>> > required action for "Setup OTP" looks like. In other words, this
is
>> > displayed to the user at the end of the authentication when he has
>> > "Setup TOTP" required action on him.
>> >
>> > Few questions:
>> >
>> > * Is the "Device name" appropriate label? Would something like
>> > "Authenticator App Label" be better?
>> >
>> > * Should it be more emphasized that "Authenticator App Label" is
not
>> > mandatory? IMO it is currently not very clear. Also there is
>> > nothing in the help-text about this input field. Maybe we can add
>> > another sentence to point 3 like "Optionally provide
Authenticator
>> > App Label as a reference." I am not very happy with that
sentence.
>> > Any better ideas?
>> >
>> > * Alternatively we can use separate screen for providing the
>> > "Authenticator App Label" . In other words, there will be
just
>> > single input for OTP code and than once user clicks "Submit"
and
>> > OTP code is successfully verified, there will be another screen
>> > where he can provide "Authenticator App Label" . It seems
Google
>> > is using separate screen for providing labels when user register
>> > Security Key.
>> >
>> > * Any better ideas?
>> >
>> > * We can possibly improve the old account console in similar manner.
>> > Currently it looks like in screenshot setup-otp-account-mgmt.png .
>> > Maybe we can at least change the label for "Device name" and
also
>> > add another sentence to the help text?
>> >
>> One more point: At the bottom of the page for register TOTP, we possibly
>> need the link "Try another way" or something like that. This link
will
>> be displayed just if user is currently trying to "Register 2nd factor
>> credential" because he is required to do so, and he has some more
>> alternative credential types to register (EG. WebAuthn).
>>
>> Marek
>>
>> > Thanks,
>> >
>> > Marek
>> >
>>
>> _______________________________________________
>> keycloak-dev mailing list
>> keycloak-dev@lists.jboss.org<mailto:keycloak-dev@lists.jboss.org>
>>
https://lists.jboss.org/mailman/listinfo/keycloak-dev<https://clicktim...
>>
>>
_______________________________________________
keycloak-dev mailing list
keycloak-dev@lists.jboss.org<mailto:keycloak-dev@lists.jboss.org>
https://lists.jboss.org/mailman/listinfo/keycloak-dev<https://clicktim...
6:37 a.m.
On Fri, 22 Nov 2019 at 12:12, Jan Lieskovsky <jlieskov(a)redhat.com> wrote:
On Fri, Nov 22, 2019 at 11:37 AM Stian Thorgersen <sthorger(a)redhat.com>
wrote:
> Auto-generated labels like "Phone 1", etc. just looks stupid. I would
> rather make the label optional for the first one, but mandatory for the
> second one.
I like this approach. Should we use some base / template name for the
first one,
something like "Default one-time token", rather than just allow blank name?
A default value has no meaning to the user - unless it is somehow generated
based on the actual device used. For OTP that is not possible, so should
just be empty. For WebAuthn I believe we can take something from the
registration metadata as I think it does include information about the
device.
> A second one can only be added through the account console
> anyways and the users can then add a label to the first one if they didn't
> already do it.
Then can add or should be required to add?
For second one it should be required.
> For OTP I would consider not asking for a label for the
> first one. For WebAuthn I would always ask for one. By the way doesn't the
> WebAuthn registration include details about the device? Can't the device
> name from that be used as the label?
>
It's possible. If (re)-using this information, should we ask the user for
approval to be
able to use it? (not to possibly leak something, they wouldn't want to be
used) Or just use it?
It's information about the device, not the user, and it's already in the
registered credential I think. In either case it's just a default value and
the user should be able to change it.
>
> and you are right. UA parser doesn't help as most will probably register
> from their desktop, not the phone, so would be the wrong device name.
>
> Device name or Phone name, either works to be honest. I'd say Phone is
> better as 99% will use an app on a phone, not on the desktop, but okay
> with
> Device name as well.
>
> In the new account console it shouldn't display "Device name", but
rather
> just have it as a label next to the credential-name, and it should use
> something like cards, not tables. So would be something like:
>
> -------------------------------------------------------
> Authenticator app [Samsung] [default]
> -------------------------------------------------------
> Authenticator app [My tablet]
> -------------------------------------------------------
> Security key [YubiCo]
> -------------------------------------------------------
>
Similar here, if we are able somehow to extract the information in the
square brackets
from the underlying device automagically, should we ask the user for the
approval to use it?
(since it would be displayed on the following auth screens later)
If we can extract a sensible label it should just be the default on the
form, where the user can change it if they want to,
>
>
>
> On Fri, 22 Nov 2019 at 10:56, Marek Posolda <mposolda(a)redhat.com> wrote:
>
> > On 22. 11. 19 10:36, Stian Thorgersen wrote:
> >
> > For "Device name" field. What about "Phone name" and
prefilling it with
> > the name of the phone? We have the UA parser thing right so can just use
> > the value from that?
> >
> > Hmm, but UA parser is used for parsing requests sent to Keycloak server
> > AFAIK? And in case of OTP, the phone doesn't send any requests and
> doesn't
> > directly communicate with Keycloak server. So not sure how UA parser
> could
> > help?
> >
> > Marek
> >
> >
> > On Fri, 22 Nov 2019 at 10:34, Stian Thorgersen <sthorger(a)redhat.com>
> > wrote:
> >
> >> +1 "To try another way", but that should only be displayed if the
user
> is
> >> requested to setup two-factor and there are more choices. If a user has
> >> selected to enable OTP through the account console (AIA) it should not
> be
> >> displayed.
> >>
> >> On Thu, 21 Nov 2019 at 15:24, Marek Posolda <mposolda(a)redhat.com>
> wrote:
> >>
> >>> On 21. 11. 19 12:02, Marek Posolda wrote:
> >>> >
> >>> > I want to ask some feedback about the screen for the "Setup
TOTP" .
> >>> > I've created JIRA
https://issues.jboss.org/browse/KEYCLOAK-12168 ,
> >>> > which contains some screenshot of how currently the screen for the
> >>> > required action for "Setup OTP" looks like. In other
words, this is
> >>> > displayed to the user at the end of the authentication when he has
> >>> > "Setup TOTP" required action on him.
> >>> >
> >>> > Few questions:
> >>> >
> >>> > * Is the "Device name" appropriate label? Would
something like
> >>> > "Authenticator App Label" be better?
> >>> >
> >>> > * Should it be more emphasized that "Authenticator App
Label" is
> not
> >>> > mandatory? IMO it is currently not very clear. Also there is
> >>> > nothing in the help-text about this input field. Maybe we can
> add
> >>> > another sentence to point 3 like "Optionally provide
> Authenticator
> >>> > App Label as a reference." I am not very happy with that
> sentence.
> >>> > Any better ideas?
> >>> >
> >>> > * Alternatively we can use separate screen for providing the
> >>> > "Authenticator App Label" . In other words, there
will be just
> >>> > single input for OTP code and than once user clicks
"Submit" and
> >>> > OTP code is successfully verified, there will be another
screen
> >>> > where he can provide "Authenticator App Label" . It
seems Google
> >>> > is using separate screen for providing labels when user
register
> >>> > Security Key.
> >>> >
> >>> > * Any better ideas?
> >>> >
> >>> > * We can possibly improve the old account console in similar
> manner.
> >>> > Currently it looks like in screenshot
> setup-otp-account-mgmt.png .
> >>> > Maybe we can at least change the label for "Device
name" and
> also
> >>> > add another sentence to the help text?
> >>> >
> >>> One more point: At the bottom of the page for register TOTP, we
> possibly
> >>> need the link "Try another way" or something like that. This
link will
> >>> be displayed just if user is currently trying to "Register 2nd
factor
> >>> credential" because he is required to do so, and he has some more
> >>> alternative credential types to register (EG. WebAuthn).
> >>>
> >>> Marek
> >>>
> >>> > Thanks,
> >>> >
> >>> > Marek
> >>> >
> >>>
> >>> _______________________________________________
> >>> keycloak-dev mailing list
> >>> keycloak-dev(a)lists.jboss.org
> >>> https://lists.jboss.org/mailman/listinfo/keycloak-dev
> >>>
> >>>
> >
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>
>
4:55 a.m.
On 22. 11. 19 10:34, Stian Thorgersen wrote:
+1 "To try another way", but that should only be displayed
if the user
is requested to setup two-factor and there are more choices. If a user
has selected to enable OTP through the account console (AIA) it should
not be displayed.
Yes, exactly. I count with that to only display "Try another way" under
those circumstances.
Marek
On Thu, 21 Nov 2019 at 15:24, Marek Posolda <mposolda(a)redhat.com
<mailto:mposolda@redhat.com>> wrote:
On 21. 11. 19 12:02, Marek Posolda wrote:
>
> I want to ask some feedback about the screen for the "Setup TOTP" .
> I've created JIRA https://issues.jboss.org/browse/KEYCLOAK-12168 ,
> which contains some screenshot of how currently the screen for the
> required action for "Setup OTP" looks like. In other words, this is
> displayed to the user at the end of the authentication when he has
> "Setup TOTP" required action on him.
>
> Few questions:
>
> * Is the "Device name" appropriate label? Would something like
> "Authenticator App Label" be better?
>
> * Should it be more emphasized that "Authenticator App Label"
is not
> mandatory? IMO it is currently not very clear. Also there is
> nothing in the help-text about this input field. Maybe we
can add
> another sentence to point 3 like "Optionally provide
Authenticator
> App Label as a reference." I am not very happy with that
sentence.
> Any better ideas?
>
> * Alternatively we can use separate screen for providing the
> "Authenticator App Label" . In other words, there will be just
> single input for OTP code and than once user clicks "Submit" and
> OTP code is successfully verified, there will be another screen
> where he can provide "Authenticator App Label" . It seems Google
> is using separate screen for providing labels when user register
> Security Key.
>
> * Any better ideas?
>
> * We can possibly improve the old account console in similar
manner.
> Currently it looks like in screenshot
setup-otp-account-mgmt.png .
> Maybe we can at least change the label for "Device name" and
also
> add another sentence to the help text?
>
One more point: At the bottom of the page for register TOTP, we
possibly
need the link "Try another way" or something like that. This link
will
be displayed just if user is currently trying to "Register 2nd factor
credential" because he is required to do so, and he has some more
alternative credential types to register (EG. WebAuthn).
Marek
> Thanks,
>
> Marek
>
_______________________________________________
keycloak-dev mailing list
keycloak-dev(a)lists.jboss.org <mailto:keycloak-dev@lists.jboss.org>
https://lists.jboss.org/mailman/listinfo/keycloak-dev
4:30 a.m.
On Thu, 21 Nov 2019 at 12:07, Marek Posolda <mposolda(a)redhat.com> wrote:
I want to ask some feedback about the screen for the "Setup
TOTP" . I've
created JIRA https://issues.jboss.org/browse/KEYCLOAK-12168 , which
contains some screenshot of how currently the screen for the required
action for "Setup OTP" looks like. In other words, this is displayed to
the user at the end of the authentication when he has "Setup TOTP"
required action on him.
Few questions:
* Is the "Device name" appropriate label? Would something like
"Authenticator App Label" be better?
I'm not too keen on either. Maybe "Phone name"?
* Should it be more emphasized that "Authenticator App Label" is not
mandatory? IMO it is currently not very clear. Also there is nothing
in the help-text about this input field. Maybe we can add another
sentence to point 3 like "Optionally provide Authenticator App Label
as a reference." I am not very happy with that sentence. Any better
ideas?
What about only asking for a label if there is already one registered? Most
users will only use one and it seems unnecessary to ask them to add a label.
* Alternatively we can use separate screen for providing the
"Authenticator App Label" . In other words, there will be just
single input for OTP code and than once user clicks "Submit" and OTP
code is successfully verified, there will be another screen where he
can provide "Authenticator App Label" . It seems Google is using
separate screen for providing labels when user register Security Key.
I prefer single screen, but see above.
* Any better ideas?
* We can possibly improve the old account console in similar manner.
Currently it looks like in screenshot setup-otp-account-mgmt.png .
Maybe we can at least change the label for "Device name" and also
add another sentence to the help text?
Old account console can just stay as is. We should focus improvements on
new console.
Thanks,
Marek
_______________________________________________
keycloak-dev mailing list
keycloak-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-dev
4:54 a.m.
On 22. 11. 19 10:30, Stian Thorgersen wrote:
On Thu, 21 Nov 2019 at 12:07, Marek Posolda <mposolda(a)redhat.com
<mailto:mposolda@redhat.com>> wrote:
I want to ask some feedback about the screen for the "Setup TOTP"
. I've
created JIRA https://issues.jboss.org/browse/KEYCLOAK-12168 , which
contains some screenshot of how currently the screen for the required
action for "Setup OTP" looks like. In other words, this is
displayed to
the user at the end of the authentication when he has "Setup TOTP"
required action on him.
Few questions:
* Is the "Device name" appropriate label? Would something like
"Authenticator App Label" be better?
I'm not too keen on either. Maybe "Phone name"?
That could be fine,
but aren't also different possibilities for generate
OTP codes than sticking to "phone" ? The "Device name" is at least
slightly more generic, but I am not sure if it is the great label either...
* Should it be more emphasized that "Authenticator App Label" is not
mandatory? IMO it is currently not very clear. Also there is
nothing
in the help-text about this input field. Maybe we can add another
sentence to point 3 like "Optionally provide Authenticator App
Label
as a reference." I am not very happy with that sentence. Any
better
ideas?
What about only asking for a label if there is already one registered?
Most users will only use one and it seems unnecessary to ask them to
add a label.
Yes, but let's assume this scenario:
- User registers first OTP. Keycloak deosn't allow him to add label
- He user wants to register the second OTP. So he registers the second
and added the label like "My samsung phone"
- Now he wants to authenticate. So Keycloak will allow him to choose
between "My samsung phone" and <nothing> because the first OTP didn't
have any label and didn't allow user to choose any label when he was
registering it.
To improve slightly on this, we have JIRA for generating some kind of
"default" labels, which will be used in case that no label is provided,
and also for migration from previous version where wasn't possibility to
add labels: https://issues.jboss.org/browse/KEYCLOAK-11907 . So there
will be some default labels like "Phone 1" or "Device 1", which will
at
least allow user to differentiate.
* Alternatively we can use separate screen for providing the
"Authenticator App Label" . In other words, there will be just
single input for OTP code and than once user clicks "Submit"
and OTP
code is successfully verified, there will be another screen
where he
can provide "Authenticator App Label" . It seems Google is using
separate screen for providing labels when user register
Security Key.
I prefer single screen, but see above.
* Any better ideas?
* We can possibly improve the old account console in similar manner.
Currently it looks like in screenshot setup-otp-account-mgmt.png .
Maybe we can at least change the label for "Device name" and also
add another sentence to the help text?
Old account console can just stay as is. We should focus improvements
on new console.
Ok
Marek
Thanks,
Marek
_______________________________________________
keycloak-dev mailing list
keycloak-dev(a)lists.jboss.org <mailto:keycloak-dev@lists.jboss.org>
https://lists.jboss.org/mailman/listinfo/keycloak-dev
5:49 a.m.
On Fri, Nov 22, 2019 at 10:55 AM Marek Posolda <mposolda(a)redhat.com> wrote:
On 22. 11. 19 10:30, Stian Thorgersen wrote:
>
>
> On Thu, 21 Nov 2019 at 12:07, Marek Posolda <mposolda(a)redhat.com
> <mailto:mposolda@redhat.com>> wrote:
>
> I want to ask some feedback about the screen for the "Setup TOTP"
> . I've
> created JIRA https://issues.jboss.org/browse/KEYCLOAK-12168 , which
> contains some screenshot of how currently the screen for the required
> action for "Setup OTP" looks like. In other words, this is
> displayed to
> the user at the end of the authentication when he has "Setup TOTP"
> required action on him.
>
> Few questions:
>
> * Is the "Device name" appropriate label? Would something like
> "Authenticator App Label" be better?
>
>
> I'm not too keen on either. Maybe "Phone name"?
That could be fine, but aren't also different possibilities for generate
OTP codes than sticking to "phone" ? The "Device name" is at least
slightly more generic, but I am not sure if it is the great label either...
What about 'Unique Phone Identifier' or 'Unique Access Identifier'? (for
the case
'Phone' is not generic enough)
Identifier isn't great either, but sounds better to me than 'Recognizer',
'Differentiator', or
'Distinguisher' (& searching for available synonyms didn't find
something,
which would be more user-friendly than identifier)
>
>
> * Should it be more emphasized that "Authenticator App Label" is
not
> mandatory? IMO it is currently not very clear. Also there is
> nothing
> in the help-text about this input field. Maybe we can add another
> sentence to point 3 like "Optionally provide Authenticator App
> Label
> as a reference." I am not very happy with that sentence. Any
> better
> ideas?
>
>
> What about only asking for a label if there is already one registered?
> Most users will only use one and it seems unnecessary to ask them to
> add a label.
Yes, but let's assume this scenario:
- User registers first OTP. Keycloak deosn't allow him to add label
- He user wants to register the second OTP. So he registers the second
and added the label like "My samsung phone"
- Now he wants to authenticate. So Keycloak will allow him to choose
between "My samsung phone" and <nothing> because the first OTP
didn't
have any label and didn't allow user to choose any label when he was
registering it.
To improve slightly on this, we have JIRA for generating some kind of
"default" labels, which will be used in case that no label is provided,
and also for migration from previous version where wasn't possibility to
add labels: https://issues.jboss.org/browse/KEYCLOAK-11907 . So there
will be some default labels like "Phone 1" or "Device 1", which will
at
least allow user to differentiate.
Yet, parallel to the above, there should be another JIRA for validating, if
the provided
label is unique or not, yet (accept if unique, or ask user to provide
another one, if
matching previous entry). This is needed, the user to be able to choose the
OTP authenticator in an unambiguous way on the following screens, IMHO.
>
> * Alternatively we can use separate screen for providing the
> "Authenticator App Label" . In other words, there will be just
> single input for OTP code and than once user clicks "Submit"
> and OTP
> code is successfully verified, there will be another screen
> where he
> can provide "Authenticator App Label" . It seems Google is using
> separate screen for providing labels when user register
> Security Key.
>
>
> I prefer single screen, but see above.
>
>
> * Any better ideas?
>
> * We can possibly improve the old account console in similar
manner.
> Currently it looks like in screenshot setup-otp-account-mgmt.png
.
> Maybe we can at least change the label for "Device name" and also
> add another sentence to the help text?
>
>
> Old account console can just stay as is. We should focus improvements
> on new console.
Ok
Marek
>
> Thanks,
>
> Marek
>
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev(a)lists.jboss.org <mailto:keycloak-dev@lists.jboss.org>
> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>
_______________________________________________
keycloak-dev mailing list
keycloak-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-dev
6:34 a.m.
On Fri, 22 Nov 2019 at 11:49, Jan Lieskovsky <jlieskov(a)redhat.com> wrote:
On Fri, Nov 22, 2019 at 10:55 AM Marek Posolda <mposolda(a)redhat.com>
wrote:
> On 22. 11. 19 10:30, Stian Thorgersen wrote:
> >
> >
> > On Thu, 21 Nov 2019 at 12:07, Marek Posolda <mposolda(a)redhat.com
> > <mailto:mposolda@redhat.com>> wrote:
> >
> > I want to ask some feedback about the screen for the "Setup TOTP"
> > . I've
> > created JIRA https://issues.jboss.org/browse/KEYCLOAK-12168 , which
> > contains some screenshot of how currently the screen for the
> required
> > action for "Setup OTP" looks like. In other words, this is
> > displayed to
> > the user at the end of the authentication when he has "Setup
TOTP"
> > required action on him.
> >
> > Few questions:
> >
> > * Is the "Device name" appropriate label? Would something like
> > "Authenticator App Label" be better?
> >
> >
> > I'm not too keen on either. Maybe "Phone name"?
> That could be fine, but aren't also different possibilities for generate
> OTP codes than sticking to "phone" ? The "Device name" is at
least
> slightly more generic, but I am not sure if it is the great label
> either...
>
What about 'Unique Phone Identifier' or 'Unique Access Identifier'? (for
the case
'Phone' is not generic enough)
Identifier isn't great either, but sounds better to me than 'Recognizer',
'Differentiator', or
'Distinguisher' (& searching for available synonyms didn't find
something,
which would be more user-friendly than identifier)
Name is better than identifier. So I would stick with Device/Phone name
> >
> >
> > * Should it be more emphasized that "Authenticator App Label"
is
> not
> > mandatory? IMO it is currently not very clear. Also there is
> > nothing
> > in the help-text about this input field. Maybe we can add
> another
> > sentence to point 3 like "Optionally provide Authenticator App
> > Label
> > as a reference." I am not very happy with that sentence. Any
> > better
> > ideas?
> >
> >
> > What about only asking for a label if there is already one registered?
> > Most users will only use one and it seems unnecessary to ask them to
> > add a label.
>
> Yes, but let's assume this scenario:
>
> - User registers first OTP. Keycloak deosn't allow him to add label
> - He user wants to register the second OTP. So he registers the second
> and added the label like "My samsung phone"
> - Now he wants to authenticate. So Keycloak will allow him to choose
> between "My samsung phone" and <nothing> because the first OTP
didn't
> have any label and didn't allow user to choose any label when he was
> registering it.
>
> To improve slightly on this, we have JIRA for generating some kind of
> "default" labels, which will be used in case that no label is provided,
> and also for migration from previous version where wasn't possibility to
> add labels: https://issues.jboss.org/browse/KEYCLOAK-11907 . So there
> will be some default labels like "Phone 1" or "Device 1", which
will at
> least allow user to differentiate.
>
Yet, parallel to the above, there should be another JIRA for validating,
if the provided
label is unique or not, yet (accept if unique, or ask user to provide
another one, if
matching previous entry). This is needed, the user to be able to choose the
OTP authenticator in an unambiguous way on the following screens, IMHO.
There really doesn't need to be validation that the label is unique. IMO it
shouldn't have to be as it's up to the user to decide. The label is only
there to give the user a hint, nothing else.
>
> >
> > * Alternatively we can use separate screen for providing the
> > "Authenticator App Label" . In other words, there will be
just
> > single input for OTP code and than once user clicks "Submit"
> > and OTP
> > code is successfully verified, there will be another screen
> > where he
> > can provide "Authenticator App Label" . It seems Google is
using
> > separate screen for providing labels when user register
> > Security Key.
> >
> >
> > I prefer single screen, but see above.
> >
> >
> > * Any better ideas?
> >
> > * We can possibly improve the old account console in similar
> manner.
> > Currently it looks like in screenshot
> setup-otp-account-mgmt.png .
> > Maybe we can at least change the label for "Device name" and
> also
> > add another sentence to the help text?
> >
> >
> > Old account console can just stay as is. We should focus improvements
> > on new console.
>
> Ok
>
> Marek
>
> >
> > Thanks,
> >
> > Marek
> >
> > _______________________________________________
> > keycloak-dev mailing list
> > keycloak-dev(a)lists.jboss.org <mailto:keycloak-dev@lists.jboss.org>
> > https://lists.jboss.org/mailman/listinfo/keycloak-dev
> >
>
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev
1613
days inactive
1617
days old
18 comments
5 participants
participants (5)
-
Jan Lieskovsky -
Marek Posolda -
Stan Silvert -
Stian Thorgersen -
乗松隆志 / NORIMATSU,TAKASHI