[keycloak-dev] Usability: Improve screen for setup TOTP
Marek Posolda
mposolda at redhat.com
Fri Nov 22 09:09:49 EST 2019
On 22. 11. 19 12:40, Stian Thorgersen wrote:
>
>
> On Fri, 22 Nov 2019 at 12:37, Marek Posolda <mposolda at redhat.com
> <mailto:mposolda at redhat.com>> wrote:
>
> On 22. 11. 19 12:13, Jan Lieskovsky wrote:
>>
>>
>> On Fri, Nov 22, 2019 at 11:37 AM Stian Thorgersen
>> <sthorger at redhat.com <mailto:sthorger at redhat.com>> wrote:
>>
>> Auto-generated labels like "Phone 1", etc. just look stupid. I would
>> rather make the label optional for the first one, but mandatory for the
>> second one.
>>
>>
>> I like this approach. Should we use some base / template name for the
>> first one, something like "Default one-time token", rather than just
>> allow a blank name?
> Yes, so if "device name" will be optional (or even not present) for the
> first OTP, and we don't want to auto-generate anything, then we can
> always end up in situations when some of the OTPs don't have a label.
> Then during authentication, displaying nothing or displaying a UUID
> seems even more stupid than displaying something auto-generated like
> "Phone 1" IMO :) So the question is what to display? Not sure that
> "Default" works, as the OTP without a label doesn't necessarily have to
> be the default one... Right now, I can't come up with anything better
> than "Phone 1" TBH... ;)
>
>
> I'm assuming you are now talking about the login OTP form. In that I
> think it should just say "Unnamed" in grey.
Ok, that works. Thanks
Marek
>>
>> A second one can only be added through the account console anyways
>> and the users can then add a label to the first one if they didn't
>> already do it.
>>
>>
>> Then can they add, or should they be required to add?
> Yes, it will be nice if we can "force" the user to add a label to the
> first OTP after he registers a second OTP. But I doubt it will be
> possible to do it in a nice and friendly way...
>
>
> I don't see a need for that - the user is in the account console and
> can see the unnamed OTP and can easily rename it from there.
>
>>
>> For OTP I would consider not asking for a label for the first one. For
>> WebAuthn I would always ask for one. By the way, doesn't the WebAuthn
>> registration include details about the device? Can't the device name
>> from that be used as the label?
>>
>>
>> It's possible. If (re)using this information, should we ask the user
>> for approval to be able to use it? (not to possibly leak something
>> they wouldn't want to be used) Or just use it?
>
> I think it's not reliably possible to retrieve details about the device
> from the WebAuthn registration. At least not in a way that the device
> info is possible to use as a label. CCing Takashi Norimatsu, who can
> possibly confirm. I agree that the label should be mandatory during
> WebAuthn registration and that is how it works today. Also Google works
> this way and requires some label to be added AFAIK.
>
> Marek
>
>>
>> and you are right. UA parser doesn't help as most will probably
>> register from their desktop, not the phone, so it would be the wrong
>> device name.
>>
>> Device name or Phone name, either works to be honest. I'd say Phone is
>> better as 99% will use an app on a phone, not on the desktop, but okay
>> with Device name as well.
>>
>> In the new account console it shouldn't display "Device name", but
>> rather just have it as a label next to the credential-name, and it
>> should use something like cards, not tables. So it would be something
>> like:
>>
>> -------------------------------------------------------
>> Authenticator app [Samsung] [default]
>> -------------------------------------------------------
>> Authenticator app [My tablet]
>> -------------------------------------------------------
>> Security key [YubiCo]
>> -------------------------------------------------------
>>
>>
>> Similar here, if we are able somehow to extract the information in the
>> square brackets from the underlying device automagically, should we
>> ask the user for approval to use it? (since it would be displayed on
>> the following auth screens later)
>>
>>
>>
>>
>> On Fri, 22 Nov 2019 at 10:56, Marek Posolda
>> <mposolda at redhat.com <mailto:mposolda at redhat.com>> wrote:
>>
>> > On 22. 11. 19 10:36, Stian Thorgersen wrote:
>> >
>> > For the "Device name" field. What about "Phone name" and prefilling
>> > it with the name of the phone? We have the UA parser thing right so
>> > we can just use the value from that?
>> >
>> > Hmm, but UA parser is used for parsing requests sent to the Keycloak
>> > server AFAIK? And in case of OTP, the phone doesn't send any requests
>> > and doesn't directly communicate with the Keycloak server. So not
>> > sure how UA parser could help?
>> >
>> > Marek
>> >
>> >
>> > On Fri, 22 Nov 2019 at 10:34, Stian Thorgersen
>> <sthorger at redhat.com <mailto:sthorger at redhat.com>>
>> > wrote:
>> >
>> >> +1 "To try another way", but that should only be displayed if the
>> >> user is requested to set up two-factor and there are more choices.
>> >> If a user has selected to enable OTP through the account console
>> >> (AIA) it should not be displayed.
>> >>
>> >> On Thu, 21 Nov 2019 at 15:24, Marek Posolda
>> <mposolda at redhat.com <mailto:mposolda at redhat.com>> wrote:
>> >>
>> >>> On 21. 11. 19 12:02, Marek Posolda wrote:
>> >>> >
>> >>> > I want to ask for some feedback about the screen for "Setup TOTP".
>> >>> > I've created JIRA https://issues.jboss.org/browse/KEYCLOAK-12168 ,
>> >>> > which contains some screenshots of how the screen for the required
>> >>> > action "Setup OTP" currently looks. In other words, this is
>> >>> > displayed to the user at the end of the authentication when he has
>> >>> > the "Setup TOTP" required action on him.
>> >>> >
>> >>> > Few questions:
>> >>> >
>> >>> > * Is "Device name" an appropriate label? Would something like
>> >>> > "Authenticator App Label" be better?
>> >>> >
>> >>> > * Should it be more emphasized that "Authenticator App Label" is
>> >>> > not mandatory? IMO it is currently not very clear. Also there is
>> >>> > nothing in the help-text about this input field. Maybe we can add
>> >>> > another sentence to point 3 like "Optionally provide Authenticator
>> >>> > App Label as a reference." I am not very happy with that sentence.
>> >>> > Any better ideas?
>> >>> >
>> >>> > * Alternatively we can use a separate screen for providing the
>> >>> > "Authenticator App Label". In other words, there will be just a
>> >>> > single input for the OTP code and then once the user clicks
>> >>> > "Submit" and the OTP code is successfully verified, there will be
>> >>> > another screen where he can provide the "Authenticator App Label".
>> >>> > It seems Google is using a separate screen for providing labels
>> >>> > when the user registers a Security Key.
>> >>> >
>> >>> > * Any better ideas?
>> >>> >
>> >>> > * We can possibly improve the old account console in a similar
>> >>> > manner. Currently it looks like in the screenshot
>> >>> > setup-otp-account-mgmt.png . Maybe we can at least change the
>> >>> > label for "Device name" and also add another sentence to the help
>> >>> > text?
>> >>> >
>> >>> One more point: At the bottom of the page for registering TOTP, we
>> >>> possibly need the link "Try another way" or something like that.
>> >>> This link will be displayed only if the user is currently trying to
>> >>> "Register 2nd factor credential" because he is required to do so,
>> >>> and he has some more alternative credential types to register (e.g.
>> >>> WebAuthn).
>> >>>
>> >>> Marek
>> >>>
>> >>> > Thanks,
>> >>> >
>> >>> > Marek
>> >>> >
>> >>>
>> >>> _______________________________________________
>> >>> keycloak-dev mailing list
>> >>> keycloak-dev at lists.jboss.org
>> <mailto:keycloak-dev at lists.jboss.org>
>> >>> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>> >>>
>> >>>
>> >
>>
>
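Marek's point in the thread that a WebAuthn registration does not reliably yield a usable device label can be checked against what the registration response actually contains. The following is an added example, not code from this thread or from Keycloak: it decodes a constructed attestationObject (the CBOR structure the browser hands back from navigator.credentials.create()) and pulls out the only device-related field in it, the 16-byte AAGUID inside authenticatorData. The AAGUID is a model identifier, not a name, and the client may replace it with zeros when attestation conveyance is "none", so a relying party still has to ask the user for a label. The function names (device_hint, credential_label, make_attestation_object), the rpId example.org and every sample byte are this example's own assumptions, not captured from a real authenticator.

```python
"""Added example (not Keycloak's code): what a WebAuthn registration response
reveals about the authenticator. The attestationObject is CBOR; the only model
identifier inside is the 16-byte AAGUID in authenticatorData, which the client
may zero when attestation conveyance is "none". There is no human-readable
device name, so the RP has to ask the user for a label. All sample bytes are
constructed for this example."""
import hashlib
import struct
import uuid

# --- minimal CBOR (RFC 8949) subset: ints, bstr, tstr, array, map ----------
def cbor_encode(v):
    def head(major, n):
        if n < 24:
            return bytes([major << 5 | n])
        if n < 0x100:
            return bytes([major << 5 | 24, n])
        if n < 0x10000:
            return bytes([major << 5 | 25]) + struct.pack(">H", n)
        raise ValueError("length too large for this subset")
    if isinstance(v, int):
        return head(0, v) if v >= 0 else head(1, -1 - v)
    if isinstance(v, bytes):
        return head(2, len(v)) + v
    if isinstance(v, str):
        b = v.encode()
        return head(3, len(b)) + b
    if isinstance(v, list):
        return head(4, len(v)) + b"".join(cbor_encode(x) for x in v)
    if isinstance(v, dict):
        return head(5, len(v)) + b"".join(cbor_encode(k) + cbor_encode(x) for k, x in v.items())
    raise TypeError(type(v))

def cbor_decode(buf, pos=0):
    """Return (value, next_pos); same subset, no indefinite lengths."""
    major, info = buf[pos] >> 5, buf[pos] & 0x1F
    pos += 1
    if info < 24:
        n = info
    elif info == 24:
        n, pos = buf[pos], pos + 1
    elif info == 25:
        n, pos = struct.unpack(">H", buf[pos:pos + 2])[0], pos + 2
    else:
        raise ValueError("unsupported CBOR length encoding")
    if major == 0:
        return n, pos
    if major == 1:
        return -1 - n, pos
    if major == 2:
        return bytes(buf[pos:pos + n]), pos + n
    if major == 3:
        return bytes(buf[pos:pos + n]).decode(), pos + n
    if major == 4:
        items = []
        for _ in range(n):
            item, pos = cbor_decode(buf, pos)
            items.append(item)
        return items, pos
    if major == 5:
        items = {}
        for _ in range(n):
            k, pos = cbor_decode(buf, pos)
            items[k], pos = cbor_decode(buf, pos)
        return items, pos
    raise ValueError("unsupported CBOR major type %d" % major)

# --- WebAuthn authenticatorData layout: rpIdHash | flags | signCount | ... --
FLAG_UP, FLAG_AT = 0x01, 0x40

def parse_auth_data(auth_data):
    rp_id_hash, flags = auth_data[:32], auth_data[32]
    sign_count = struct.unpack(">I", auth_data[33:37])[0]
    out = {"rp_id_hash": rp_id_hash, "flags": flags, "sign_count": sign_count,
           "aaguid": None, "credential_id": None, "public_key": None}
    if flags & FLAG_AT:  # attested credential data present (registration)
        out["aaguid"] = uuid.UUID(bytes=bytes(auth_data[37:53]))
        cred_len = struct.unpack(">H", auth_data[53:55])[0]
        out["credential_id"] = bytes(auth_data[55:55 + cred_len])
        out["public_key"], _ = cbor_decode(auth_data, 55 + cred_len)  # COSE_Key
    return out

def device_hint(attestation_object):
    """What the registration reveals about the device: (fmt, aaguid or None).
    A zero AAGUID (the usual case with fmt "none") identifies nothing; a real
    one is only a model identifier that still needs an MDS-style lookup."""
    att, _ = cbor_decode(attestation_object)
    aaguid = parse_auth_data(att["authData"])["aaguid"]
    if aaguid is None or aaguid.int == 0:
        return att["fmt"], None
    return att["fmt"], str(aaguid)

def credential_label(user_label):
    """Label to display for a stored credential: user text, else "Unnamed"."""
    return user_label.strip() if user_label and user_label.strip() else "Unnamed"

def make_attestation_object(aaguid_bytes, fmt="none"):
    """Constructed sample: P-256 COSE key with dummy coordinates, rpId example.org."""
    cose_key = {1: 2, 3: -7, -1: 1, -2: b"\x11" * 32, -3: b"\x22" * 32}
    auth_data = (hashlib.sha256(b"example.org").digest() + bytes([FLAG_UP | FLAG_AT])
                 + struct.pack(">I", 1) + aaguid_bytes + struct.pack(">H", 16)
                 + b"\xab" * 16 + cbor_encode(cose_key))
    return cbor_encode({"fmt": fmt, "attStmt": {}, "authData": auth_data})

SAMPLE_NONE = make_attestation_object(b"\x00" * 16)        # client zeroed the AAGUID
SAMPLE_AAGUID = make_attestation_object(bytes(range(16)))  # AAGUID left in place

if __name__ == "__main__":
    print(device_hint(SAMPLE_NONE))    # ('none', None)
    print(device_hint(SAMPLE_AAGUID))  # ('none', '00010203-0405-0607-0809-0a0b0c0d0e0f')
    print(credential_label(""), "/", credential_label(" My tablet "))
```

Running it shows that the "none" sample yields no device hint at all and the second sample yields only a UUID string; turning a non-zero AAGUID into a product name needs an out-of-band table such as the FIDO Metadata Service, which the RP does not get from the registration itself. That is the practical reason for the thread's outcome: a user-supplied label for WebAuthn, and an "Unnamed" placeholder when an OTP credential was registered without one.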