[keycloak-dev] Single Page to manage credentials

Václav Muzikář vmuzikar at redhat.com
Tue Nov 26 05:38:20 EST 2019


On Mon, Nov 25, 2019 at 10:16 PM Bruno Oliveira <bruno at abstractj.org> wrote:

> Good afternoon,
>
> Stan started the work here[1] to provide a single page to manage
> credentials based on the New Account console feedback[2]; you can get
> an idea of how it looks from this screenshot[3]. Please
> keep in mind that this is a WIP.
>
> Based on the mock-up[2] provided in the same document, there are some
> items that we need to clarify to move forward.
>
> 1. Is this a toggle switch like (ON/OFF) for "Two-factor authentication"
> or just informative to show that 2FA is turned on? If that's a toggle
> should we handle this with AIA, by asking the user to re-authenticate?
> Today, we don't do this.
>
I'm not sure this switch makes much sense. What should it do? Remove all
two-factor authenticators? In that case, shouldn't it be a button? Or
should we add support for disabling an authenticator (which wouldn't remove
it)?
Also, can we actually have more than one 2FA? If there can be only one
authenticator at a time, the user can just click the Remove button next to it.

One more question which is a bit off topic. :) Wouldn't it make more sense
to combine the Password section with 2FA? I mean, 2FA cannot exist without
Password (now I mean the "legacy" 2FA – OTP – not passwordless credentials).


>
> 2. Mobile Authenticator - Hamburger menu with actions like
> delete/update. IMO does not make sense to provide "update" as one of the
> actions. Maybe delete and view to display all the devices enrolled.
>
+1, no need for hamburger menu.


>
> 3. Backup codes. Are we going to provide this? I'd say no, but it's
> better to confirm.
>
> 4. Additional two-factor authenticators. At the moment we don't have any
> way to use SMS, so I assume we're going to remove this. It seems to me
> that the Web Authentication section overlaps with the "Passwordless"
> section, but I can be wrong.  Maybe we should choose which one we would
> like to keep to avoid confusion?
>
> 5. Passwordless section. Is the ON/OFF informative or a toggle switch
> between both states?
>
Does it make sense to have an ON/OFF switch at all? In case a user wants to
disable it, I think it is more straightforward to just remove the
authenticator.


>
> 6. Passwordless/Web Authentication. As I mentioned before, it seems to
> me as an overlap. But I can be wrong.
>
> Another thing that I was thinking of for "Web Authentication" is to show a
> hamburger menu with (Set up/View/Remove) instead of just "Set up".
>
> Any thoughts?
>
> [1] - https://github.com/keycloak/keycloak/pull/6516
> [2] - https://i.imgur.com/UWn3mch.png
> [3] - https://i.imgur.com/1RKwx4A.png
>
> --
>
> abstractj

-- 
Václav Muzikář
Senior Quality Engineer
Keycloak / Red Hat Single Sign-On
Red Hat Czech s.r.o.