2014-09-06 19:02:40 |
James Hunt |
bug |
|
|
added bug |
2014-09-06 19:08:03 |
James Hunt |
description |
As a result of bug 1347010 the terminal app now requests authorization.
However after the terminal has loaded the user is prompted with a popup which states (verbatim):
Authentication required.
Enter password
This looks somewhat alarming even if you do have legitimate use of the phone.
Authentication required to access *terminal app* (since this application can make significant changes to your phone).
Please re-enter your pin.
Improvements over current dialog:
1) The application that is requesting authentication is specified. This at least allays the user's fears that it might be some sort of trojan attempting to steal their password.
2) A justification is provided to explain why the user needs to re-auth.
3) Prompt confirms that the user is being asked to re-authorise.
4) Prompt specifies correct auth type (pin rather than password).
Also, I wonder if this might be one of a potential class of apps which need this extra line of protection. If so, should the re-auth request be made before the app is actually launched to reduce the attack surface further? |
As a result of bug 1347010 the terminal app now requests authorization.
However after the terminal has loaded the user is prompted with a popup which states (verbatim):
Authentication required.
Enter password
This looks somewhat alarming even if you do have legitimate use of the phone. How about the following as a possible improvement:
Authentication required to access *terminal app*
(since this application can make significant changes to your phone).
Please re-enter your pin.
Improvements over current dialog:
1) The application that is requesting authentication is specified. This at least allays the user's fears that it might be some sort of trojan attempting to steal their password.
2) A justification is provided to explain why the user needs to re-auth.
3) Prompt confirms that the user is being asked to re-authorise.
4) Prompt specifies correct auth type (pin rather than password).
Also, I wonder if this might be one of a potential class of apps which need this extra line of protection. If so, should the re-auth request be made before the app is actually launched to reduce the attack surface further? |
|
2014-09-06 19:09:54 |
James Hunt |
description |
As a result of bug 1347010 the terminal app now requests authorization.
However after the terminal has loaded the user is prompted with a popup which states (verbatim):
Authentication required.
Enter password
This looks somewhat alarming even if you do have legitimate use of the phone. How about the following as a possible improvement:
Authentication required to access *terminal app*
(since this application can make significant changes to your phone).
Please re-enter your pin.
Improvements over current dialog:
1) The application that is requesting authentication is specified. This at least allays the user's fears that it might be some sort of trojan attempting to steal their password.
2) A justification is provided to explain why the user needs to re-auth.
3) Prompt confirms that the user is being asked to re-authorise.
4) Prompt specifies correct auth type (pin rather than password).
Also, I wonder if this might be one of a potential class of apps which need this extra line of protection. If so, should the re-auth request be made before the app is actually launched to reduce the attack surface further? |
As a result of bug 1347010 the terminal app now requests authorization.
However after the terminal has loaded the user is prompted with a popup which states (verbatim):
Authentication required.
Enter password
This looks somewhat alarming even if you do have legitimate use of the phone. How about the following as a possible improvement:
Authentication required to access *terminal app*
(since this application can make significant changes to your phone).
Please re-enter your [password|pin].
Improvements over current dialog:
1) The application that is requesting authentication is specified. This at least allays the user's fears that it might be some sort of trojan attempting to steal their password.
2) A justification is provided to explain why the user needs to re-auth.
3) Prompt confirms that the user is being asked to re-authorise.
4) Prompt specifies correct auth type (pin rather than password).
Also, I wonder if this might be one of a potential class of apps which need this extra line of protection. If so, should the re-auth request be made before the app is actually launched to reduce the attack surface further?
In fact, maybe the existing auth screen should just be redisplayed with a message at the top specifying which app is requesting a re-auth and why? |
|
2014-12-08 11:28:57 |
Alan Pope 🍺🐧🐱 🦄 |
ubuntu-terminal-app: status |
New |
Confirmed |
|
2014-12-08 11:29:02 |
Alan Pope 🍺🐧🐱 🦄 |
ubuntu-terminal-app: importance |
Undecided |
Medium |
|