
Bigtent Issue#178 PIN proposal for short term fix


Austin King

May 9, 2013, 6:03:36 PM
to dev-id...@lists.mozilla.org
The BigTent group worked hard to come to a short term solution that was
acceptable to all of the leads (skinny UX, edwin QA, callahad Dev).

TL;DR: https://github.com/mozilla/browserid-bigtent/issues/216

This is *not* a perfect or long term solution.

Proposal
-------

1) Rework Copy throughout the flow
2) ID Mismatch screen will present a PIN code entry screen and instruct
the user to check their email
3) Email copy will include a PIN code
4) BigTent will set a secure cookie which includes the PIN code value
5) The entered PIN will be validated server side
6) Successful PIN entry would complete the authentication flow

PIN secure cookie will expire after a configurable time period, such as
1 hour.

New copy may include more info or a link to a Sumo article (edwin and
skinny's ideas).

Credit to callahad for coming up with the PIN idea, which builds on
fmarier's original proposal.

Benefits
-------

* PIN unblocks Yahoo Alias as well as white label web mail users
* PIN solves a user starting in Browser A and finishing in Browser B
* Shoulder surfing a PIN doesn't give an attacker any capabilities, they
must have the cookie
* Works across devices

Known Limitations
----------------

* Issue 201: BigTent has no database, which constrained the solution space
* If a user closes the sign-in dialog, they must restart the auth flow
* User will have to go through PIN dance again after expiration period

Next Steps
---------
* Work will be tracked from
https://github.com/mozilla/browserid-bigtent/issues/216
* skinny to create final copy
* ozten to file bugs

James Bonacci

May 12, 2013, 7:16:29 PM
to Austin King, dev-id...@lists.mozilla.org
Thanks to the entire BigTent team for all the hard work this past week.
_______________________________________________
dev-identity mailing list
dev-id...@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-identity