Yubico Forum

Cached OTPs in login form
Page 1 of 1

Author:  jimbostyx [ Tue Jun 10, 2008 7:00 am ]
Post subject:  Cached OTPs in login form

On the login form of the server, the input type is specified as "yubikey". Is it necessary to use this instead of "password"? Apart from being non-standard, it also gives you a long, ugly list of OTPs in your browser.

Author:  paul [ Tue Jun 10, 2008 8:08 am ]
Post subject:  Re: Cached OTPs in login form

Yes we need to improve the aesthetics in that part.

IMHO a YubiKey is like an ATM card:

[1] Insert it to the ATM or a service provider, it validates the token, knows who you are by linking the device ID to a user.

[2] Then ask for your PIN

The experience should be just like ATM to avoid any learning curves. But we are not doing it now since
Yubico's web designer just left Yubico for a "real" artistic design job.

Author:  Simon [ Tue Jun 10, 2008 9:20 am ]
Post subject:  Re: Cached OTPs in login form

The input type should not be 'yubikey', that would be an HTML error. Here are the tricks I've used for the demo server:

1) Auto-focus. Label the form, and use this:
<body onLoad="document.login.key.focus();">

2) Autocomplete off. Passwords are typically remembered by the browser, which we don't want. Add autocomplete=off to the input field.

I think there was a third item to keep in mind, but I can't recall it now...

Thus, the State of The Art Yubico-Compliant HTML input from page will look something like:

 <body onLoad="document.login.key.focus();">
  <form name="login">
   <input  autocomplete="off" type="password" name="yubikey">
   <input type=submit>

Of course, the auto-focus may not always be applicable. On the forum, I think it would interfere with the forum auto-focus design.

Hope this helps.


Page 1 of 1 All times are UTC + 1 hour
Powered by phpBB® Forum Software © phpBB Group