[keycloak-dev] Usability: Improve screen for setup TOTP

Stian Thorgersen sthorger at redhat.com
Fri Nov 22 06:40:52 EST 2019


On Fri, 22 Nov 2019 at 12:37, Marek Posolda <mposolda at redhat.com> wrote:

> On 22. 11. 19 12:13, Jan Lieskovsky wrote:
>
>
>
> On Fri, Nov 22, 2019 at 11:37 AM Stian Thorgersen <sthorger at redhat.com>
> wrote:
>
>> Auto-generated labels like "Phone 1", etc. just look stupid. I would
>> rather make the label optional for the first one, but mandatory for the
>> second one.
>
>
> I like this approach. Should we use some base / template name for the
> first one, something like "Default one-time token", rather than just allow
> a blank name?
>
> Yes, so if "device name" will be optional (or even not present) for the
> first OTP, and we don't want to auto-generate anything, then we can always
> end up in situations where some of the OTPs don't have a label. Then during
> authentication, displaying nothing or displaying a UUID seems to be even more
> stupid than displaying something auto-generated like "Phone 1" IMO :) So the
> question is what to display? Not sure that "Default" works, as the OTP
> without a label isn't necessarily the default one... Right now, I can't
> come up with anything better than "Phone 1" TBH... ;)
>

I'm assuming you are now talking about the login otp form. In that I think
it should just say "Unnamed" in grey.


>
>
>
>> A second one can only be added through the account console
>> anyways and the users can then add a label to the first one if they didn't
>> already do it.
>
>
> Then can add or should be required to add?
>
> Yes, it will be nice if we can "force" the user to add a label to the first
> OTP after he registers a second OTP. But I doubt it will be possible to do it
> in a nice and friendly way...
>

I don't see a need for that - the user is in the account console and can
see the unnamed OTP and can easily rename it from there.

>
>
>
>> For OTP I would consider not asking for a label for the
>> first one. For WebAuthn I would always ask for one. By the way doesn't the
>> WebAuthn registration include details about the device? Can't the device
>> name from that be used as the label?
>>
>
> It's possible. If (re)-using this information, should we ask the user for
> approval to be able to use it? (not to possibly leak something they wouldn't
> want to be used) Or just use it?
>
> I think it's not reliably possible to retrieve details about the device from
> the WebAuthn registration. At least not in a way that the device info is
> possible to use as a label. CCing Takashi Norimatsu, who can possibly confirm.
> I agree that the label should be mandatory during WebAuthn registration and it
> is how it works today. Also Google works this way and requires some label to
> be added AFAIK.
>
> Marek
>
>
>
>>
>> and you are right. UA parser doesn't help as most will probably register
>> from their desktop, not the phone, so would be the wrong device name.
>>
>> Device name or Phone name, either works to be honest. I'd say Phone is
>> better as 99% will use an app on a phone, not on the desktop, but okay with
>> Device name as well.
>>
>> In the new account console it shouldn't display "Device name", but rather
>> just have it as a label next to the credential-name, and it should use
>> something like cards, not tables. So would be something like:
>>
>> -------------------------------------------------------
>> Authenticator app [Samsung]        [default]
>> -------------------------------------------------------
>> Authenticator app [My tablet]
>> -------------------------------------------------------
>> Security key [YubiCo]
>> -------------------------------------------------------
>>
>
> Similar here, if we are able somehow to extract the information in the
> square brackets from the underlying device automagically, should we ask the
> user for the approval to use it? (since it would be displayed on the
> following auth screens later)
>
>
>
>>
>>
>>
>> On Fri, 22 Nov 2019 at 10:56, Marek Posolda <mposolda at redhat.com> wrote:
>>
>> > On 22. 11. 19 10:36, Stian Thorgersen wrote:
>> >
>> > For the "Device name" field. What about "Phone name" and prefilling it with
>> > the name of the phone? We have the UA parser thing right so can just use
>> > the value from that?
>> >
>> > Hmm, but the UA parser is used for parsing requests sent to the Keycloak
>> > server AFAIK? And in case of OTP, the phone doesn't send any requests and
>> > doesn't directly communicate with the Keycloak server. So not sure how the
>> > UA parser could help?
>> >
>> > Marek
>> >
>> >
>> > On Fri, 22 Nov 2019 at 10:34, Stian Thorgersen <sthorger at redhat.com>
>> > wrote:
>> >
>> >> +1 "To try another way", but that should only be displayed if the user is
>> >> requested to set up two-factor and there are more choices. If a user has
>> >> selected to enable OTP through the account console (AIA) it should not be
>> >> displayed.
>> >>
>> >> On Thu, 21 Nov 2019 at 15:24, Marek Posolda <mposolda at redhat.com>
>> wrote:
>> >>
>> >>> On 21. 11. 19 12:02, Marek Posolda wrote:
>> >>> >
>> >>> > I want to ask for some feedback about the screen for "Setup TOTP".
>> >>> > I've created JIRA https://issues.jboss.org/browse/KEYCLOAK-12168 ,
>> >>> > which contains some screenshots of how the screen for the
>> >>> > required action for "Setup OTP" currently looks. In other words, this
>> >>> > is displayed to the user at the end of the authentication when he has
>> >>> > the "Setup TOTP" required action on him.
>> >>> >
>> >>> > A few questions:
>> >>> >
>> >>> >   * Is "Device name" an appropriate label? Would something like
>> >>> >     "Authenticator App Label" be better?
>> >>> >
>> >>> >   * Should it be more emphasized that "Authenticator App Label" is not
>> >>> >     mandatory? IMO it is currently not very clear. Also there is
>> >>> >     nothing in the help-text about this input field. Maybe we can add
>> >>> >     another sentence to point 3 like "Optionally provide Authenticator
>> >>> >     App Label as a reference." I am not very happy with that sentence.
>> >>> >     Any better ideas?
>> >>> >
>> >>> >   * Alternatively we can use a separate screen for providing the
>> >>> >     "Authenticator App Label". In other words, there will be just a
>> >>> >     single input for the OTP code and then once the user clicks
>> >>> >     "Submit" and the OTP code is successfully verified, there will be
>> >>> >     another screen where he can provide the "Authenticator App Label".
>> >>> >     It seems Google is using a separate screen for providing labels
>> >>> >     when a user registers a Security Key.
>> >>> >
>> >>> >   * Any better ideas?
>> >>> >
>> >>> >   * We can possibly improve the old account console in a similar
>> >>> >     manner. Currently it looks like in the screenshot
>> >>> >     setup-otp-account-mgmt.png. Maybe we can at least change the label
>> >>> >     for "Device name" and also add another sentence to the help text?
>> >>> >
>> >>> >
>> >>> One more point: At the bottom of the page for registering TOTP, we
>> >>> possibly need the link "Try another way" or something like that. This
>> >>> link will be displayed just if the user is currently trying to "Register
>> >>> 2nd factor credential" because he is required to do so, and he has some
>> >>> more alternative credential types to register (e.g. WebAuthn).
>> >>>
>> >>> Marek
>> >>>
>> >>> > Thanks,
>> >>> >
>> >>> > Marek
>> >>> >
>> >>>
>> >>> _______________________________________________
>> >>> keycloak-dev mailing list
>> >>> keycloak-dev at lists.jboss.org
>> >>> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>> >>>
>> >>>
>> >
>>
>>
>

