[aerogear-dev] OTP.js

Sebastien Blanc scm.blanc at gmail.com
Wed May 1 13:37:39 EDT 2013


On Wed, May 1, 2013 at 4:28 PM, Bruno Oliveira <bruno at abstractj.org> wrote:

>
>
> On Wednesday, May 1, 2013 at 10:01 AM, Sebastien Blanc wrote:
>
> > Interesting!
> > A few questions (and sorry for maybe the silly questions):
> >
> > * In the gist, it's mentioned that the secret is stored in the Session
> > Local. A secret is supposed to be reused, right? But with Session Local,
> > the secret will be deleted after each session; did you maybe mean Local
> > Storage? Or is the secret passed at each new session (which feels
> > strange...)?
> >
> >
> > * If the secret is stored in the browser, can a user log in to this
> > webapp when using another device (or has to register again)?
> Kris nailed these questions.
> >
> > * The secret is passed over the network the first time, isn't that
> > dangerous ;) ?
> Sure! Everything in the world is dangerous, even 2 factor authentication (
> http://www.schneier.com/blog/archives/2005/03/the_failure_of.html) and
> I'm aware of it. We already had a discussion with the iOS team, because the
> secret is sent through the network. But since QRCode scanners would be complex
> in iOS land, we decided to have working code and improve it later.
>
> How the secret will be provided is not a big deal for the initial release;
> my goals are:
>
> - Generate the secret
> - Generate valid OTPs
>
> At the end of the day, developers will choose how they will provide the
> secret: images, captchas, voice recognition, a piece of paper. We're just
> trying to provide examples of how to send it.
>
> If you look at aerogear-otp-java there's no QRCode there and that's the
> idea: you choose.
> >
> >
> > * Option 4, with the behind-the-scenes flow, avoids users having to switch
> > between an OTP and a login screen, right? That seems a nice option.
> >
> > * Is something like image-based authentication maybe an option to
> > investigate (identify the cat, the boat etc ...)?
> > http://www.marketwire.com/press-release/Confident-Technologies-Delivers-Image-Based-Multifactor-Authentication-Strengthen-Passwords-1342854.htm
> Looks really interesting, Sebi. I didn't get a chance to test anything
> close to it. You can add features, comments and concerns here if you want:
> https://github.com/aerogear/aerogear.org/pull/56
> >
> >
>
Sure, I will try to update the PR. I also found on this same site this demo,
which looks nice: http://confidenttechnologies.com/demos/mobile-authentication-demo

> > Sebi
> Thanks for your review.
> >
> >
> >
> > On Wed, Apr 24, 2013 at 5:59 PM, Matthias Wessendorf <matzew at apache.org> wrote:
> > > Nice!!!
> > >
> > >
> > > On Wednesday, April 24, 2013, Bruno Oliveira wrote:
> > > > Morning slackers, I had a meeting with Kris, Luke and Passos about
> > > > the painless way to provide an OTP implementation for JavaScript.
> > > >
> > > > https://gist.github.com/abstractj/d618faceee388a9d403a
> > > >
> > > > Basically the scenarios 1 and 4 were chosen to be implemented.
> > > > Scenarios 2 & 3 would provide a bad user experience.
> > > >
> > > > I'll start to file some Jiras to myself; if you have any addition,
> > > > let me know.
> > > >
> > > >
> > > > --
> > > > "The measure of a man is what he does with power" - Plato
> > > > -
> > > > @abstractj
> > > > -
> > > > Volenti Nihil Difficile
> > > >
> > > >
> > > >
> > > > _______________________________________________
> > > > aerogear-dev mailing list
> > > > aerogear-dev at lists.jboss.org
> > > > https://lists.jboss.org/mailman/listinfo/aerogear-dev
> > >
> > >
> > >
> > > --
> > > Matthias Wessendorf
> > >
> > > blog: http://matthiaswessendorf.wordpress.com/
> > > sessions: http://www.slideshare.net/mwessendorf
> > > twitter: http://twitter.com/mwessendorf
> > >
> >
> >
>
>
>
>