[Freeipa-devel] [PATCH] 659-666 Support of password reset with OTP
Endi Sukma Dewata
edewata at redhat.com
Wed Jun 25 17:41:06 UTC 2014
On 6/20/2014 10:18 AM, Petr Vobornik wrote:
> On 11.6.2014 15:19, Petr Vobornik wrote:
>> Patch set contains both API/server and Web UI parts.
>>
>> [PATCH] 659 ldap2: add otp support to modify_password
>> [PATCH] 660 rpcserver: add otp support to change_password handler
>> [PATCH] 661 ipa-passwd: add OTP support
>> [PATCH] 662 webui: support password change with OTP in login screen
>> [PATCH] 663 webui: placeholder attribute support in textbox and textarea
>> [PATCH] 664 webui: add placeholders to login screen
>> [PATCH] 665 webui: rebase user password dialog on password dialog and
>> add otp support
>> [PATCH] 666 webui: support otp in reset_password.html
>>
>> https://fedorahosted.org/freeipa/ticket/4262
>
> attaching rebased patches (mainly because of VERSION conflict)
ACK. Possible improvements (some of which are already discussed on IRC):
1. The "clock interval" field in the Add OTP Token dialog could be
disabled for HOTP.
2. The "clock interval" and "counter" fields (and probably some other
fields too) in the OTP Token details page could be hidden depending on
the token type.
3. The Add OTP Token dialog could provide more descriptive token types:
time-based or counter-based token instead of just TOTP or HOTP.
4. The OTP Token details page could show the token type (I suppose the
model may not be descriptive enough).
5. It would be nice to have a link/button to add an OTP Token from the user
details page with the owner already set to the user.
6. The "clock interval" should have a unit of measurement (i.e. seconds).
7. When logging in with an expired password, the user will be asked to
reset the password and enter an OTP. Although OTP means one-time password,
some users could confuse it with the OTP they just entered on the
previous page. It would be nicer to say "New OTP" or add an explanation
"Wait for a new OTP" to make sure the user enters a new OTP.
8. In the "User authentication types" field it might be better to say
"password + OTP" instead of just "otp". The checkbox value can remain "otp".
9. The "User authentication types" is a bit confusing because if none
are selected it doesn't mean that no authentication is allowed, but it
means it's unset and it will use the global setting. The UI probably
should provide a separate radio button to select "Use global setting" or
show the effective setting next to it.
10. The "Default user authentication types" in the global setting is a
bit confusing because by default nothing is selected but the actual
default is supposedly not empty.
11. Ideally the password reset page/dialog should indicate whether the
old password and the OTP are required based on the actual authentication
type available to the user.
12. Ideally there should be a way to display the QR code of an existing
OTP token.
13. The UI could also provide a link to download the OTP app or a list
of supported apps.
--
Endi S. Dewata