[keycloak-dev] Usability: Improve screen for setup TOTP

Marek Posolda mposolda at redhat.com
Fri Nov 22 03:14:28 EST 2019


On 21. 11. 19 22:22, Stan Silvert wrote:
> On 11/21/2019 9:20 AM, Marek Posolda wrote:
>> On 21. 11. 19 12:02, Marek Posolda wrote:
>>> I want to ask for some feedback about the screen for the "Setup TOTP".
>>> I've created JIRA https://issues.jboss.org/browse/KEYCLOAK-12168 ,
>>> which contains some screenshots of how currently the screen for the
>>> required action for "Setup OTP" looks like. In other words, this is
>>> displayed to the user at the end of the authentication when he has
>>> "Setup TOTP" required action on him.
>>>
>>> Few questions:
>>>
>>>     * Is the "Device name" appropriate label? Would something like
>>>       "Authenticator App Label" be better?
> I think Device Name is fine.  You could put placeholder text inside the
> field that says, "My Device".  This would make it clear what it is for.

Maybe. I think Stian had some issues with "Device Name" .

I see that in some cases the "Device Name" is probably fine. For example 
if you have 2 phones "Xiaomi" and "Samsung" and you have Google 
Authenticator installed on both phones, then you can use phone as Device 
name as an authenticator. However there are some more use-cases for OTP 
though, like software authenticators etc. AFAIR that was the main argument 
why "Device Name" is not so great.

But thanks for the feedback. I am curious for more feedback around this.

>>>     * Should it be more emphasized that "Authenticator App Label" is not
>>>       mandatory? IMO it is currently not very clear. Also there is
>>>       nothing in the help-text about this input field. Maybe we can add
>>>       another sentence to point 3 like "Optionally provide Authenticator
>>>       App Label as a reference." I am not very happy with that sentence.
>>>       Any better ideas?
> I wouldn't count on the user reading and comprehending what is in that
> text.  He will probably just skim that text.  But it doesn't hurt to
> explain a little more anyway.  Suggestion for second sentence, "You can
> optionally provide a Device Name to help you manage your OTP devices."
I think that is much better than my sentence. Thanks!
>
> In addition, label the first field "One-time Code".  It currently has no
> label.  Second field can be labeled "Device Name (optional)".
>
> Normally, we use an asterisk to denote required vs. not required. Then
> you have something like:
> "* = Required fields" as a key.  But with only two fields I think that
> would be overkill.  So just putting "optional" in parens seems best.
Thanks, I was also thinking about adding a label to both options and then 
either use an asterisk around "One-time Code" or instead use something like 
"Device Name (optional)" on the second field. I think we will probably 
go that way, unless there is a better suggestion.
>>>     * Alternatively we can use separate screen for providing the
>>>       "Authenticator App Label" . In other words, there will be just
>>>       single input for OTP code and then once the user clicks "Submit" and
>>>       OTP code is successfully verified, there will be another screen
>>>       where he can provide "Authenticator App Label" . It seems Google
>>>       is using a separate screen for providing labels when a user registers
>>>       a Security Key.
>>>
>>>     * Any better ideas?
>>>
>>>     * We can possibly improve the old account console in similar manner.
>>>       Currently it looks like in screenshot setup-otp-account-mgmt.png .
>>>       Maybe we can at least change the label for "Device name" and also
>>>       add another sentence to the help text?
>>>
>> One more point: At the bottom of the page for register TOTP, we possibly
>> need the link "Try another way" or something like that. This link will
>> be displayed just if user is currently trying to "Register 2nd factor
>> credential" because he is required to do so, and he has some more
>> alternative credential types to register (EG. WebAuthn).
> If the user is unable to complete the setup process he is stuck.  At the
> very least, the user needs somewhere to go back to.  You could make him
> start the login process over.  From there he might be able to choose a
> social login.

BTW. That is another thing, which is planned. We will allow on all forms 
to easily restart login process from the beginning 
https://issues.jboss.org/browse/KEYCLOAK-12180 .

Marek

>
> If "another way" is available then I agree that it should be provided as
> an option.
>
>> Marek
>>
>>> Thanks,
>>>
>>> Marek
>>>
>> _______________________________________________
>> keycloak-dev mailing list
>> keycloak-dev at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-dev




