[keycloak-dev] Why do I have to enter the OTP?
Juraci Paixão Kröhling
juraci at kroehling.de
Wed Jan 14 02:36:54 EST 2015
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 01/13/2015 05:11 PM, Bill Burke wrote:
> Why does a user have to enter in the OTP generated by their mobile
> device? Wouldn't it be cooler if the steps were:
>
> 1. Enter username and password in the browser
> 2. Browser blocks and waits for...
> 3. Press a button on your OTP iPhone app
> 4. iPhone app sends an HTTP message to Keycloak with username and generated OTP (in background)
> 5. Keycloak sees if a browser app is waiting for OTP verification, then verifies OTP if so.
How do you ensure that this browser is the same as the real user, and
not from an attacker?
> 6. Browser unblocks and lets user in.
>
> Now, the user doesn't ever have to enter the OTP (and mess it up
> like I do all the time). They just need their mobile device.
I haven't seen any mention of SQRL on this list yet, so, if you are
looking for a way to make the login process "easier" to the final user
(easier being veeery subjective here), then this might be of interest:
https://www.grc.com/sqrl/sqrl.htm
- - Juca.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQEcBAEBAgAGBQJUthyWAAoJEDnJtskdmzLMU7cIAIQjTD3mMP2FqIpy/0tc82rs
jgjNqZbtKDIMbBPPhSs0jMIoVfqSY/2ybIxMLpXBW2kNLKxVKrz6mY7bbifRlXbK
uvDh8t6LXM45Q6sEetmnTCgxnD1AtbkypJh0RZH6KXUzshQVPqfPaPqCz79p5V32
87XnAUU9hFXL4ECOFSKHOg8KZIkXYwFZb72MmjPWkh6/m85VkDeLvSRtFYczobJZ
Joe71n/rhm+G+pM2uq8jONslKQeqvIluzp6tw3l0CVpez8R/KI/yA/4rnhd4Lj5m
Dkl/0Gha/Q50nyswTAM22jrN8StXvjARCCH8RmqX6DdB6fADCFTVtzloa44WcNM=
=OFPT
-----END PGP SIGNATURE-----
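The exchange sketched in the quoted proposal, and the gap Juraci's question points at, modelled as an added example (this is not code from the thread or from Keycloak). The toy server holds "blocked" browser sessions, the phone app posts username plus an RFC 6238 TOTP code, and the server unblocks whatever is waiting for that username. With `bind_to_session=False` (the proposal as written) a second browser that is also waiting for the same username, say an attacker who phished the password, is unblocked by the user's own approval. With `bind_to_session=True` the browser shows a short per-session challenge that the app must echo back, so only that session is released. Class and function names, the `challenge` field, and the test secret are all assumptions made for the illustration.

```python
import hashlib
import hmac
import secrets
import struct
from dataclasses import dataclass


def totp(secret: bytes, t: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1 for unix time t (no clock-skew window)."""
    counter = struct.pack(">Q", t // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


@dataclass
class PendingLogin:
    """A browser that has passed the password step and is blocked waiting (step 2)."""
    username: str
    session_id: str
    challenge: str          # shown in the browser; ignored by the unbound design
    approved: bool = False


class PushOtpServer:
    """Hypothetical server side of the proposal; not Keycloak's implementation."""

    def __init__(self, users: dict, bind_to_session: bool):
        self.users = users                    # username -> shared OTP secret
        self.bind_to_session = bind_to_session
        self.pending: dict = {}               # session_id -> PendingLogin

    def browser_login(self, username: str) -> PendingLogin:
        # Password check is assumed to have succeeded before this point.
        p = PendingLogin(username, secrets.token_hex(8), secrets.token_hex(4))
        self.pending[p.session_id] = p
        return p

    def app_submit(self, username: str, otp: str, now: int, challenge=None) -> list:
        """Steps 4-5: app posts username + OTP; returns the session ids unblocked."""
        secret = self.users.get(username)
        if secret is None or not hmac.compare_digest(otp, totp(secret, now)):
            return []
        unblocked = []
        for p in self.pending.values():
            if p.username != username or p.approved:
                continue
            # The unbound design releases every waiting browser for this user.
            if self.bind_to_session and p.challenge != challenge:
                continue
            p.approved = True
            unblocked.append(p.session_id)
        return unblocked


def demo(bind_to_session: bool, now: int = 1_700_000_000) -> dict:
    """Alice and an attacker who knows her password both wait on the same account."""
    secret = b"12345678901234567890"         # constructed RFC 6238 test secret
    server = PushOtpServer({"alice": secret}, bind_to_session)
    victim = server.browser_login("alice")     # Alice at her own browser
    attacker = server.browser_login("alice")   # attacker's browser, same username
    # Alice presses the button; with binding she also types the code on her screen.
    unblocked = server.app_submit(
        "alice", totp(secret, now), now,
        challenge=victim.challenge if bind_to_session else None)
    return {"victim": victim.session_id in unblocked,
            "attacker": attacker.session_id in unblocked}


if __name__ == "__main__":
    print("proposal as written:", demo(bind_to_session=False))
    print("bound to session:   ", demo(bind_to_session=True))
```

Running it shows the attacker's session released alongside Alice's in the unbound variant and rejected in the bound one. The server still has to rate-limit and expire pending sessions, and the displayed challenge must be long enough that an attacker cannot guess it within the approval window; those details are left out of the model.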