Domain confirmation prompt


Status
Not open for further replies.

Dave

Well-known member
May 19, 2018
462
97
Gardner, MA
Daniel,

Is it intentional that this prompt only appears when the quick pass is active? Or should this be shown on first scan as well?

409

Dave
 

shanedk

Well-known member
May 20, 2018
408
107
I don't know what Daniel has done, but the domain confirmation should show up on EVERY login attempt. The domain name itself should also be MUCH more prominent!
 

Vela Nanashi

Well-known member
May 19, 2018
706
121
Yeah should be on everything, could the domain be separated by an empty line from Login, and maybe scale it to be bigger when it is not super long? Not sure how easy that would be to do though.
 

ahauser

Well-known member
Feb 22, 2019
203
55
What @Dave's screenshot is showing is the device's biometric login prompt.
The biometric login (via face or fingerprint etc.) is indeed only possible when QuickPass is active, this is by design!

Below on the left, you'll see the default login prompt (when QuickPass is not active). Here, we have full control over the design.

Whereas the biometric login prompt is device-specific, and we don't have full control over the layout. We can only supply a title, a subtitle and a description text, and the system is responsible for building the layout of the biometric prompt.

On the right, you can see how the fingerprint login looks on my OnePlus 5T:

413


Hope this helps clear up some confusion.

//EDIT:
One thing we COULD do to make the domain stand out more is to switch the domain to the "title" and have something like "Please verify the domain above before logging in" or something similar as the subtitle.
 
  • Like
Reactions: ekelling
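
The layout proposed in the post above (domain as the prompt title, verification hint as the subtitle), as an added example that is not part of the thread and not the SQRL client's own code. It assumes the Android framework `BiometricPrompt` (API 28+) and a login URL of the form `sqrl://host/...`; the class name, method names and the description string are hypothetical.

```java
import android.content.Context;
import android.hardware.biometrics.BiometricPrompt;
import android.net.Uri;
import android.os.CancellationSignal;
import java.net.IDN;
import java.util.Locale;
import java.util.concurrent.Executor;

/** Hypothetical helper: shows the login domain as the biometric prompt title. */
public final class DomainPrompt {

    /**
     * Returns the host to display. Only the host is shown, never the raw URL,
     * so "sqrl://amazon.com@amaz0n.com/..." is displayed as "amaz0n.com".
     * Non-ASCII hosts are converted to their xn-- form, which makes Unicode
     * look-alike characters visible instead of rendering them as Latin letters.
     */
    static String displayDomain(String loginUrl) {
        String host = Uri.parse(loginUrl).getHost();
        if (host == null || host.isEmpty()) {
            throw new IllegalArgumentException("login URL has no host");
        }
        // Throws IllegalArgumentException if the host is not a valid name.
        return IDN.toASCII(host, IDN.USE_STD3_ASCII_RULES)
                  .toLowerCase(Locale.ROOT);
    }

    /**
     * The system builds the dialog layout; the app supplies only the text
     * fields, so the domain goes into the most prominent one (the title).
     */
    static void show(Context ctx, String loginUrl, Executor executor,
                     CancellationSignal cancel,
                     BiometricPrompt.AuthenticationCallback callback) {
        BiometricPrompt prompt = new BiometricPrompt.Builder(ctx)
                .setTitle(displayDomain(loginUrl))
                .setSubtitle("Please verify the domain above before logging in")
                // Assumed wording, not taken from the thread:
                .setDescription("It must match the address shown in your browser.")
                .setNegativeButton("Cancel", executor,
                        (dialog, which) -> cancel.cancel())
                .build();
        prompt.authenticate(cancel, executor, callback);
    }
}
```

The example covers only the text shown to the user; how a successful authentication unlocks the identity is outside its scope.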

shanedk

Well-known member
May 20, 2018
408
107
It's also showing the normal prompt in the background, dimmed. I'm seeing it that way too on my Pixel 2 XL. So just making it big and bold, and especially a bright color like red or orange, would still make it stand out.
 

sengsational

Well-known member
Feb 17, 2019
115
36
As long as we're talking about altering the look of the domain, I'm wondering what font those wise sages that have been studying spoofing for a long time would recommend.

The Android platform provides lots of "stuff" with respect to how wide a string would be if represented in various fonts. It's not necessarily easy to get it right, but there is a ton of functionality.

I like the idea of putting the domain in the top of the biometric prompt. And under the domain we should have something simple and obvious like:

" is this really where you want to log in?"
 

Vela Nanashi

Well-known member
May 19, 2018
706
121
Actually that is not the important thing "does this url match the one in the browser you want to log into" or something clearer since you may be wanting to log into amazon.com, but the url is actually amaz0n.com (or you know some more clever look alike that actually looks alike), so in that case the client would display amazon.com while the spoofed site url would be amaz0n.com, and it is only the user that can detect that. Of course me saying this is a waste of words, since we all know that already, but it needs to be made clear to the user of the client, that they need to use their eyeballs to verify that. It really does not matter if you are asked to log into amaz0n.com in the client though, it can't be used to impersonate you to amazon.com, so the font in the client is less important than the one the browser uses, sadly.
 

sengsational

Well-known member
Feb 17, 2019
115
36
Maybe we could make an animation, like a slot machine, where the letters would spin, momentarily replacing "o" with "0" and "l" with "i", and then after a second, it settles on the domain from the QR code, hehe! That way we'd call attention to what we'd like the user to be paying attention to.
 
  • Haha
Reactions: Dave

Vela Nanashi

Well-known member
May 19, 2018
706
121
Maybe offer an intro panel in the app that explains some things, with animations, maybe video. But anything like that needs to have a "I know what I am doing stop wasting my time" option :) but new users hopefully would look through it, and then should be able to call back that intro whenever they want, and also there might be help buttons added to places that explain the key concept they need to understand on that page. That is however a lot of work to put in, and needs to be done by someone who writes/speaks normal person language, not this lousy facsimile I write/speak.
 

Dave

Well-known member
May 19, 2018
462
97
Gardner, MA
Hi @Vela Nanashi

I thought the video I did as a promo for the application explained this a little. Maybe I can do this even more clearly with small informational videos in the application.


Best regards
Daniel
Really nice job!

One thing you might want to mention is that the forum also supports old fashioned login ID and password, so they don't think they need to have SQRL working to get into the forum to ask for help to get SQRL working. :)
 

shanedk

Well-known member
May 20, 2018
408
107
As long as we're talking about altering the look of the domain, I'm wondering what font those wise sages that have been studying spoofing for a long time would recommend.
It should be something with no ambiguous characters like Fira Code.
 

Vela Nanashi

Well-known member
May 19, 2018
706
121
(oops I forgot to click post reply before I hit bed...)

Yeah I think that is a great idea @kalaspuffar :) Not sure how compactly one can get them down into (if they are to be delivered with the app), but there could always be a link to the actual YouTube channel/playlist with tutorials too or specific topic videos, to go along with some text based help (for the bandwidth impaired, and to keep the app tight) :) Also maybe two versions of the app (a light one with video on demand only, and the heavy version with videos included perhaps? Or some smart caching mechanism, I dunno, I am not an Android coder so I don't know what the rules, capabilities and limitations and all that is for apps)
 