[Freeipa-devel] [PATCH] 659-666 Support of password reset with OTP

Endi Sukma Dewata edewata at redhat.com
Wed Jun 25 17:41:06 UTC 2014


On 6/20/2014 10:18 AM, Petr Vobornik wrote:
> On 11.6.2014 15:19, Petr Vobornik wrote:
>> Patch set contains both API/server and Web UI parts.
>>
>> [PATCH] 659 ldap2: add otp support to modify_password
>> [PATCH] 660 rpcserver: add otp support to change_password handler
>> [PATCH] 661 ipa-passwd: add OTP support
>> [PATCH] 662 webui: support password change with OTP in login screen
>> [PATCH] 663 webui: placeholder attribute support in textbox and textarea
>> [PATCH] 664 webui: add placeholders to login screen
>> [PATCH] 665 webui: rebase user password dialog on password dialog and
>> add otp support
>> [PATCH] 666 webui: support otp in reset_password.html
>>
>> https://fedorahosted.org/freeipa/ticket/4262
>
> attaching rebased patches (mainly because of VERSION conflict)

ACK. Possible improvements (some of which are already discussed on IRC):

1. The "clock interval" field in the Add OTP Token dialog could be 
disabled for HOTP.

2. The "clock interval" and "counter" fields (and probably some other 
fields too) in the OTP Token details page could be hidden depending on 
the token type.

3. The Add OTP Token dialog could provide more descriptive token types: 
time-based or counter-based token instead of just TOTP or HOTP.

4. The OTP Token details page could show the token type (I suppose the 
model may not be descriptive enough).

5. It would be nice to have a link/button to add OTP Token from the user 
details page with the owner already set to the user.

6. The "clock interval" should have a unit of measurement (i.e. seconds).

7. When logging in with an expired password, the user will be asked to 
reset a password and enter an OTP. Although OTP means one-time password, 
some users could confuse it with the OTP he/she just entered on the 
previous page. It would be nicer to say "New OTP" or add an explanation 
"Wait for a new OTP" to make sure the user enters a new OTP.

8. In the "User authentication types" field it might be better to say 
"password + OTP" instead of just "otp". The checkbox value can remain "otp".

9. The "User authentication types" is a bit confusing because if none 
are selected it doesn't mean that no authentication is allowed, but it 
means it's unset and it will use the global setting. The UI probably 
should provide a separate radio button to select "Use global setting" or 
show the effective setting next to it.

10. The "Default user authentication types" in the global setting is a 
bit confusing because by default nothing is selected but the actual 
default is supposedly not empty.

11. Ideally the password reset page/dialog should indicate whether the 
old password and the OTP are required based on the actual authentication 
type available to the user.

12. Ideally there should be a way to display the QR code of an existing 
OTP token.

13. The UI could also provide a link to download the OTP app or a list 
of supported apps.

-- 
Endi S. Dewata