[keycloak-dev] Revert changing from Google Authenticator to FreeOTP

Stian Thorgersen stian at redhat.com
Mon Oct 13 13:18:24 EDT 2014



----- Original Message -----
> From: "Bill Burke" <bburke at redhat.com>
> To: keycloak-dev at lists.jboss.org
> Sent: Monday, 13 October, 2014 4:32:05 PM
> Subject: Re: [keycloak-dev] Revert changing from Google Authenticator to FreeOTP
> 
> Why not just change the pages to link to Google Authenticator *AND*
> FreeOTP?

That's a decent compromise. I just don't want existing developers and their users to believe Google Authenticator support is gone.

> 
> I don't understand what you mean by we need to add support for multiple
> OTP providers.  Google Authenticator and FreeOTP both already work with
> what we currently have.

The protocol is the same, but configuration instructions for users are different.

I think we should have a multi-factor authenticator SPI (or just bake it into the authenticator SPI I mentioned before) for this. As well as being able to authenticate, it needs to be able to modify the login-totp form and configuration instructions. I think it should be possible to configure what multi-factor authenticators should be available for a realm. Then if there is more than one option, users can first select which one they want to use, before being given instructions on how to install and configure the specific mechanism.

This SPI would also allow using other things than the standard OTP protocol. For example SMS/email, hardware tokens (i.e. Yubikey). Have a look at http://vimeo.com/72978755, it's pretty cool.

> 
> On 10/13/2014 2:42 AM, Stian Thorgersen wrote:
> > I'm not a big fan of the recent change from Google Authenticator to
> > FreeOTP.
> >
> > * Google Authenticator is far more widely used than FreeOTP
> > * We have existing users that use Google Authenticator (we know it works
> > for both, but they and their users don't)
> >
> > To support FreeOTP we need to add support for multiple OTP providers so
> > developers/users themselves can choose between the providers, not us.
> > _______________________________________________
> > keycloak-dev mailing list
> > keycloak-dev at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-dev
> >
> 
> --
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com
> 
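Added example, not part of the original thread and not Keycloak code: the point that "the protocol is the same" for Google Authenticator and FreeOTP, shown as RFC 6238 TOTP plus the `otpauth://` provisioning URI that either app scans from the enrolment QR code. The function names, account name and issuer are assumptions made for illustration; the secret is the RFC 6238 test secret.

```python
import base64, hashlib, hmac, struct
from urllib.parse import parse_qs, quote, urlencode, urlparse

PERIOD = 30  # seconds per time step, the default both apps assume

def totp(secret: bytes, unix_time: int, digits: int = 6) -> str:
    """RFC 6238 TOTP using HMAC-SHA1 and RFC 4226 dynamic truncation."""
    counter = struct.pack(">Q", max(0, unix_time) // PERIOD)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def provisioning_uri(secret: bytes, account: str, issuer: str) -> str:
    """otpauth:// URI placed in the QR code; it is the same for either app."""
    b32 = base64.b32encode(secret).decode().rstrip("=")
    label = quote(f"{issuer}:{account}")
    return f"otpauth://totp/{label}?" + urlencode({"secret": b32, "issuer": issuer})

def secret_from_uri(uri: str) -> bytes:
    """What an authenticator app does on scan: recover the shared secret."""
    b32 = parse_qs(urlparse(uri).query)["secret"][0]
    return base64.b32decode(b32 + "=" * (-len(b32) % 8))

def verify(secret: bytes, submitted: str, unix_time: int, skew: int = 1) -> bool:
    """Server side: accept the current step and +/- skew steps for clock drift."""
    ok = False
    for step in range(-skew, skew + 1):
        expected = totp(secret, unix_time + step * PERIOD)
        # Constant-time comparison; every candidate is checked, no early exit.
        ok |= hmac.compare_digest(expected.encode(), submitted.encode())
    return ok

# Constructed sample input: RFC 6238 Appendix B secret, not a real credential.
SECRET = b"12345678901234567890"
URI = provisioning_uri(SECRET, "alice@example.org", "demo-realm")

if __name__ == "__main__":
    app_secret = secret_from_uri(URI)   # either app ends up with the same bytes
    print(URI)
    print(totp(app_secret, 59))         # 6-digit form of the RFC vector at T=59
    print(verify(SECRET, totp(app_secret, 59), 59 + PERIOD))  # one step of drift
```

Because the server only ever sees the six digits, it cannot tell which app produced them; what differs per app is the install and enrolment guidance shown to the user.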
