[keycloak-dev] Usability: Improve screen for setup TOTP

Stian Thorgersen sthorger at redhat.com
Fri Nov 22 06:37:55 EST 2019


On Fri, 22 Nov 2019 at 12:12, Jan Lieskovsky <jlieskov at redhat.com> wrote:

>
>
> On Fri, Nov 22, 2019 at 11:37 AM Stian Thorgersen <sthorger at redhat.com>
> wrote:
>
>> Auto-generated labels like "Phone 1", etc. just looks stupid. I would
>> rather make the label optional for the first one, but mandatory for the
>> second one.
>
>
> I like this approach. Should we use some base / template name for the
> first one,
> something like "Default one-time token", rather than just allow blank name?
>

A default value has no meaning to the user - unless it is somehow generated
based on the actual device used. For OTP that is not possible, so should
just be empty. For WebAuthn I believe we can take something from the
registration metadata as I think it does include information about the
device.


>
>
>
>> A second one can only be added through the account console
>> anyways and the users can then add a label to the first one if they didn't
>> already do it.
>
>
> Then can add or should be required to add?
>

For second one it should be required.


>
>
>
>> For OTP I would consider not asking for a label for the
>> first one. For WebAuthn I would always ask for one. By the way doesn't the
>> WebAuthn registration include details about the device? Can't the device
>> name from that be used as the label?
>>
>
> It's possible. If (re)-using this information, should we ask the user for
> approval to be
> able to use it? (not to possibly leak something, they wouldn't want to be
> used) Or just use it?
>

It's information about the device, not the user, and it's already in the
registered credential I think. In either case it's just a default value and
the user should be able to change it.


>
>
>>
>> and you are right. UA parser doesn't help as most will probably register
>> from their desktop, not the phone, so would be the wrong device name.
>>
>> Device name or Phone name, either works to be honest. I'd say Phone is
>> better as 99% will use an app on a phone, not on the desktop, but okay
>> with
>> Device name as well.
>>
>> In the new account console it shouldn't display "Device name", but rather
>> just have it as a label next to the credential-name, and it should use
>> something like cards, not tables. So would be something like:
>>
>> -------------------------------------------------------
>> Authenticator app [Samsung]        [default]
>> -------------------------------------------------------
>> Authenticator app [My tablet]
>> -------------------------------------------------------
>> Security key [YubiCo]
>> -------------------------------------------------------
>>
>
> Similar here, if we are able somehow to extract the information in the
> square brackets
> from the underlying device automagically, should we ask the user for the
> approval to use it?
> (since it would be displayed on the following auth screens later)
>

If we can extract a sensible label it should just be the default on the
form, where the user can change it if they want to.


>
>
>
>>
>>
>>
>> On Fri, 22 Nov 2019 at 10:56, Marek Posolda <mposolda at redhat.com> wrote:
>>
>> > On 22. 11. 19 10:36, Stian Thorgersen wrote:
>> >
>> > For "Device name" field. What about "Phone name" and prefilling it with
>> > the name of the phone? We have the UA parser thing right so can just use
>> > the value from that?
>> >
>> > Hmm, but UA parser is used for parsing requests sent to Keycloak server
>> > AFAIK? And in case of OTP, the phone doesn't send any requests and doesn't
>> > directly communicate with Keycloak server. So not sure how UA parser could
>> > help?
>> >
>> > Marek
>> >
>> >
>> > On Fri, 22 Nov 2019 at 10:34, Stian Thorgersen <sthorger at redhat.com>
>> > wrote:
>> >
>> >> +1 "To try another way", but that should only be displayed if the user is
>> >> requested to setup two-factor and there are more choices. If a user has
>> >> selected to enable OTP through the account console (AIA) it should not be
>> >> displayed.
>> >>
>> >> On Thu, 21 Nov 2019 at 15:24, Marek Posolda <mposolda at redhat.com> wrote:
>> >>
>> >>> On 21. 11. 19 12:02, Marek Posolda wrote:
>> >>> >
>> >>> > I want to ask some feedback about the screen for the "Setup TOTP" .
>> >>> > I've created JIRA https://issues.jboss.org/browse/KEYCLOAK-12168 ,
>> >>> > which contains some screenshot of how currently the screen for the
>> >>> > required action for "Setup OTP" looks like. In other words, this is
>> >>> > displayed to the user at the end of the authentication when he has
>> >>> > "Setup TOTP" required action on him.
>> >>> >
>> >>> > Few questions:
>> >>> >
>> >>> >   * Is the "Device name" appropriate label? Would something like
>> >>> >     "Authenticator App Label" be better?
>> >>> >
>> >>> >   * Should it be more emphasized that "Authenticator App Label" is not
>> >>> >     mandatory? IMO it is currently not very clear. Also there is
>> >>> >     nothing in the help-text about this input field. Maybe we can add
>> >>> >     another sentence to point 3 like "Optionally provide Authenticator
>> >>> >     App Label as a reference." I am not very happy with that sentence.
>> >>> >     Any better ideas?
>> >>> >
>> >>> >   * Alternatively we can use separate screen for providing the
>> >>> >     "Authenticator App Label" . In other words, there will be just
>> >>> >     single input for OTP code and than once user clicks "Submit" and
>> >>> >     OTP code is successfully verified, there will be another screen
>> >>> >     where he can provide "Authenticator App Label" . It seems Google
>> >>> >     is using separate screen for providing labels when user register
>> >>> >     Security Key.
>> >>> >
>> >>> >   * Any better ideas?
>> >>> >
>> >>> >   * We can possibly improve the old account console in similar manner.
>> >>> >     Currently it looks like in screenshot setup-otp-account-mgmt.png .
>> >>> >     Maybe we can at least change the label for "Device name" and also
>> >>> >     add another sentence to the help text?
>> >>> >
>> >>> One more point: At the bottom of the page for register TOTP, we possibly
>> >>> need the link "Try another way" or something like that. This link will
>> >>> be displayed just if user is currently trying to "Register 2nd factor
>> >>> credential" because he is required to do so, and he has some more
>> >>> alternative credential types to register (EG. WebAuthn).
>> >>>
>> >>> Marek
>> >>>
>> >>> > Thanks,
>> >>> >
>> >>> > Marek
>> >>> >
>> >>>
>> >>> _______________________________________________
>> >>> keycloak-dev mailing list
>> >>> keycloak-dev at lists.jboss.org
>> >>> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>> >>>
>> >>>
>> >
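The labelling rule discussed in this thread (no default for OTP, a default taken from the WebAuthn registration data where the authenticator identifies itself, label optional for the first credential and mandatory from the second one on), written out as an added Python example. This is not Keycloak's code and does not use its API; the AAGUID-to-model table is a constructed illustration of what a metadata lookup would supply, and the test vector is built inline rather than captured from a real browser.

```python
"""Added example, not Keycloak's own code: derive a default label for a newly
registered second-factor credential and apply the rule from the thread
(label optional for the first credential, required for every further one)."""
import hashlib
import struct
import uuid
from typing import Optional

# Constructed lookup table: AAGUID -> authenticator model name. A real
# deployment would fill this from FIDO Metadata Service data; the entries
# here are illustrative assumptions, not a vetted registry.
AAGUID_NAMES = {
    "fa2b99dc-9e39-4257-8f92-4a30d23c4118": "YubiKey 5 NFC",
    "08987058-cadc-4b81-b6e1-30de50dcbe96": "Windows Hello",
}
ZERO_AAGUID = "00000000-0000-0000-0000-000000000000"


def parse_aaguid(authenticator_data: bytes) -> Optional[str]:
    """Extract the AAGUID from WebAuthn authenticatorData.

    Layout: rpIdHash(32) | flags(1) | signCount(4) | attestedCredentialData,
    where attestedCredentialData = aaguid(16) | credIdLen(2) | credId | pubKey
    and is only present when the AT flag (bit 6 of flags) is set.
    """
    if len(authenticator_data) < 37:
        raise ValueError("authenticatorData shorter than fixed header")
    flags = authenticator_data[32]
    if not flags & 0x40:
        return None  # no attested credential data, nothing to derive from
    raw = authenticator_data[37:53]
    if len(raw) != 16:
        raise ValueError("AT flag set but attested credential data truncated")
    return str(uuid.UUID(bytes=raw))


def suggested_label(credential_type: str,
                    authenticator_data: Optional[bytes] = None) -> str:
    """Default label to prefill in the form; empty when nothing sensible exists."""
    if credential_type != "webauthn" or authenticator_data is None:
        return ""  # an OTP app never talks to the server, so no device data
    aaguid = parse_aaguid(authenticator_data)
    if aaguid is None or aaguid == ZERO_AAGUID:
        return ""  # authenticator chose not to identify its model
    return AAGUID_NAMES.get(aaguid, "")


def final_label(user_input: str, suggested: str, existing_credentials: int) -> str:
    """First credential may stay unlabelled; any further one needs a label.

    The suggestion is only a default: whatever the user typed wins.
    """
    label = user_input.strip() or suggested
    if not label and existing_credentials > 0:
        raise ValueError("a label is required once more than one credential exists")
    return label


def build_authenticator_data(aaguid: str, cred_id: bytes, flags: int = 0x41,
                             rp_id: str = "example.org") -> bytes:
    """Constructed test vector (default flags: UP and AT set). The trailing byte
    stands in for the COSE public key, which this parser never reads."""
    return (hashlib.sha256(rp_id.encode()).digest()
            + bytes([flags])
            + struct.pack(">I", 0)
            + uuid.UUID(aaguid).bytes
            + struct.pack(">H", len(cred_id))
            + cred_id
            + b"\xa5")


if __name__ == "__main__":
    data = build_authenticator_data("fa2b99dc-9e39-4257-8f92-4a30d23c4118", b"\x01" * 16)
    print(final_label("", suggested_label("webauthn", data), 0))   # YubiKey 5 NFC
    print(repr(final_label("", suggested_label("otp"), 0)))        # ''
    print(final_label("My tablet", suggested_label("otp"), 1))      # My tablet
```

The AAGUID only names the authenticator model, never the user, which is why it can be shown as a default without asking; an all-zero AAGUID (the value authenticators send when they decline to identify themselves) falls back to an empty field, and the user can always overwrite whatever was suggested.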
