[aerogear-dev] OTP.js

Kris Borchers kris at redhat.com
Wed May 1 09:09:47 EDT 2013


On May 1, 2013, at 8:01 AM, Sebastien Blanc <scm.blanc at gmail.com> wrote:

> Interesting ! 
> A few questions (and sorry for maybe the silly questions) : 
> 
> * In the gist, it's mentioned that the secret is stored in the Session Local; a secret is supposed to be reused, right? But with Session Local, the secret will be deleted after each session, did you maybe mean Local Storage? Or is the secret passed at each new session (which feels strange...)?

I assume he meant the SessionLocal adapter for DataManager, using the localStorage side of it.
> 
> * If the secret is stored on the browser, can a user log in to this webapp when using another device (do they have to register again)?

Yes, I believe another registration would have to happen, but is that any different than if I had 2 soft tokens for the VPN? They would both have to be registered, right?
> 
> * The secret is passed over the network the first time, isn't that dangerous ;) ?

Yes, just like storing the secret in localStorage isn't exactly safe either. We're still exploring right now. I think Bruno plans to start putting some code together and then we'll review and see if we can find ways to make it more secure. JS is hard! ;)
> 
> * Option 4, with the behind-the-scenes flow, avoids the user having to switch between an OTP and a login screen, right? That seems a nice option.

Agree
> 
> * Is something like image based authentication maybe an option to investigate (identify the cat, the boat etc ...) http://www.marketwire.com/press-release/Confident-Technologies-Delivers-Image-Based-Multifactor-Authentication-Strengthen-Passwords-1342854.htm 

Hmmm, I didn't think about that. I like that much more than captcha. We would have to think about whether we supply images, the app dev supplies them, or both. I would be interested in exploring that … one issue though is that it would not be friendly to the visually impaired, so probably not the best option now that I think more about it. Maybe pairing with audio could be an option?
> 
> Sebi
> 
> 
> 
> On Wed, Apr 24, 2013 at 5:59 PM, Matthias Wessendorf <matzew at apache.org> wrote:
> Nice!!!
> 
> 
> On Wednesday, April 24, 2013, Bruno Oliveira wrote:
> Morning slackers, I had a meeting with Kris, Luke and Passos about the painless way to provide an OTP implementation for JavaScript.
> 
> https://gist.github.com/abstractj/d618faceee388a9d403a
> 
> Basically the scenarios 1 and 4 were chosen to be implemented. Scenarios 2 & 3 would provide bad user experience.
> 
> I'll start to file some Jiras to myself, if you have any addition, let me know.
> 
> 
> --
> "The measure of a man is what he does with power" - Plato
> -
> @abstractj
> -
> Volenti Nihil Difficile
> 
> 
> 
> _______________________________________________
> aerogear-dev mailing list
> aerogear-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/aerogear-dev
> 
> 
> -- 
> Matthias Wessendorf 
> 
> blog: http://matthiaswessendorf.wordpress.com/
> sessions: http://www.slideshare.net/mwessendorf
> twitter: http://twitter.com/mwessendorf
> 
