Codeberg/Documentation
42
199
Fork
You've already forked Documentation
161

Using Security keys on Codeberg #367

Merged
n0toose merged 9 commits from YellowComet/Documentation:2fa-webauthn into main 2023年11月28日 21:57:41 +01:00
Contributor
Copy link

This PR adds docs on WebAuthn usage on Codeberg. It attempts to cover (1) using WebAuthn as a 2FA option on web logins and (2) using FIDO2 over SSH using the OpenSSH client.

This PR adds docs on WebAuthn usage on Codeberg. It attempts to cover (1) using WebAuthn as a 2FA option on web logins and (2) using FIDO2 over SSH using the OpenSSH client.
Add some docs on WebAuthn usage.
YellowComet changed title from (削除) WIP: WebAuthn (削除ここまで) to WebAuthn 2023年11月05日 14:06:33 +01:00
n0toose left a comment
Copy link

Hi, first of all, thank you for your pull request. The change is pretty straightforward and I'm all up for it, but what I would describe as a blocker is the alt text. I have one concern which should not be that hard to fix, but I'll explain it in detail so as to be helpful - I hope that this won't scare you off :D

If you need any help, please feel free to reach out :)

Hi, first of all, thank you for your pull request. The change is pretty straightforward and I'm all up for it, but what I would describe as a blocker is the alt text. I have one concern which should not be that hard to fix, but I'll explain it in detail so as to be helpful - I hope that this won't scare you off :D If you need any help, please feel free to reach out :)
@ -68,0 +84,4 @@
<picture>
<source srcset="/assets/images/security/webauthn-nick.webp" type="image/webp">
<img src="/assets/images/security/webauthn-nick.png" alt="WebAuthn key nickname input">
Owner
Copy link

Using the text itself (and not seeing the picture) does not help me figure out what I'm supposed to be seeing. You say that the user should go to "User Settings", but when I open up the settings, there's no section that says "User Settings" - there's this section instead: https://codeberg.org/user/settings/keys

My tip would be to explain everything as if the reader is five years old or not very technically competent to work around the UI. These, of course, are not very reasonable assumptions to make, but such a hold-me-by-the-hand writing style helps you become descriptive enough so that a blind person or a person that is, say, on 2 hours of sleep and running solely on caffeine, could work with that. Plus, you might avoid situations where a user would accidentally land on https://codeberg.org/user/settings/keys (as I did during the review :D).


I would enter some text telling people where to look for - along the lines of "Go to Settings and then head to the Security section", and then change the alt text to something like "Screenshot of the SSH / GPG Keys section" - holding the reader by the hand may seem redundant, but it would help both blind and non-blind users.

Same goes for Step 2. "Give your key a name" is a bit too ambiguous, you could say something like "In the Security settings, you should be able to find the "Security Keys" section, where you can add your key. First, give your name..."

Using the text itself (and not seeing the picture) does not help me figure out what I'm supposed to be seeing. You say that the user should go to "User Settings", but when I open up the settings, there's no section that says "User Settings" - there's this section instead: https://codeberg.org/user/settings/keys My tip would be to explain everything as if the reader is five years old or not very technically competent to work around the UI. These, of course, are not very reasonable assumptions to make, but such a hold-me-by-the-hand writing style helps you become descriptive enough so that a blind person or a person that is, say, on 2 hours of sleep and running solely on caffeine, could work with that. Plus, you might avoid situations where a user would accidentally land on https://codeberg.org/user/settings/keys (as I did during the review :D). --- I would enter some text telling people where to look for - along the lines of "Go to Settings and then head to the [Security section](https://codeberg.org/user/settings/security)", and then change the alt text to something like "Screenshot of the SSH / GPG Keys section" - holding the reader by the hand may seem redundant, but it would help both blind and non-blind users. Same goes for Step 2. "Give your key a name" is a bit too ambiguous, you could say something like "In the Security settings, you should be able to find the "Security Keys" section, where you can add your key. First, give your name..."
Author
Contributor
Copy link

Hmm, so:

  1. Introduce a step between one and two indicating that you should go to the security settings, with an image similar to the one used for TOTP (df95d70243/assets/images/security/2fa/security-settings.png)
  2. Change the alt text to "screenshot of the Security Keys section", maybe? I'm not a screen reader user, so I don't know what the appropriate alt text would be.
  3. Add some text on the currently step two guiding the user towards the Security Keys section of the Security tab.

Did I get that right?

Hmm, so: 1. Introduce a step between one and two indicating that you should go to the security settings, with an image similar to the one used for TOTP (https://codeberg.org/Codeberg/Documentation/src/commit/df95d702437d0d69501e4684d06445dd754cdf74/assets/images/security/2fa/security-settings.png) 2. Change the alt text to "screenshot of the Security Keys section", maybe? I'm not a screen reader user, so I don't know what the appropriate alt text would be. 3. Add some text on the currently step two guiding the user towards the Security Keys section of the Security tab. Did I get that right?
Owner
Copy link

I'm not a screen reader user, so I don't know what the appropriate alt text would be.

Introduce a step between one and two indicating that you should go to the security settings, with an image similar to the one used for TOTP

Change the alt text to "screenshot of the Security Keys section", maybe? I'm not a screen reader user, so I don't know what the appropriate alt text would be.

TL;DR: You are on the right path, but use text first, then add the image. The solution is more free text holding the user by the hand.

What I'm looking to see: Just, "Go to Settings, and then click on Security over at the bar on the left side of your screen" (the wording isn't exact - some other document may prove to be more helpful). You could make this easier for the reader (and maybe get away with not mentioning where exactly, i.e. left menu bar, they have to click) by adding a direct link to "Security", and then telling the user what they have to look for in that page. If you reach that point, changing the alt text (as described in 2.) should be OK.


Additional details about why I feel like this could be improved (feel free to ignore): The problem isn't 100% the alt text itself, it's that, put simply, you're relying on an image in order to send a specific message (that I'll refer to as "providing context") to the reader. This is not wrong, pictures are helpful for assisting a user. But there is a problem with the execution:

  • The context you're trying to provide is lacking. As I understand it, the purpose of using that image is supposed to help the user verify that they are looking at the right thing, but doesn't describe how the user is supposed to get there. It helps users compare the actual Settings page and with the picture - that's its intended purpose.
  • Read the Markdown file without the picture - try simulating "blindness". Does the picture (and its alt text attribute) help you make that comparison now?

Excellent alt text would mention details like the title, that there is an input box for inserting something, and a big button at the bottom right of the image - but as long as you do not solely rely on that picture to convey what you need to convey, this is not necessary.

My definition of blind does not include people that always have to rely on screen readers, but it also includes users of, say, hypothetical internet connections that are super weak. When I review a change, I deliberately just look at the "Files Changed" and just read the Markdown file as a text first and foremost. That's where I'm coming from, it may help you see what I'm talking about.

> I'm not a screen reader user, so I don't know what the appropriate alt text would be. > Introduce a step between one and two indicating that you should go to the security settings, with an image similar to the one used for TOTP > Change the alt text to "screenshot of the Security Keys section", maybe? I'm not a screen reader user, so I don't know what the appropriate alt text would be. **TL;DR:** You are on the right path, but use *text* first, ***then*** add the image. The solution is more free text holding the user by the hand. **What I'm looking to see:** Just, "Go to Settings, and then click on Security over at the bar on the left side of your screen" (the wording isn't exact - some other document may prove to be more helpful). You could make this easier for the reader (and maybe get away with not mentioning where exactly, i.e. left menu bar, they have to click) by adding a direct link to "Security", and then telling the user what they have to look for in that page. If you reach that point, changing the alt text (as described in `2.`) should be OK. --- **Additional details about why I feel like this could be improved (feel free to ignore):** The problem isn't 100% the alt text itself, it's that, put simply, you're relying on an image in order to send a specific message (that I'll refer to as "providing context") to the reader. This is not wrong, pictures are helpful for assisting a user. But there is a problem with the execution: - The context you're trying to provide is lacking. As I understand it, the purpose of using that image is supposed to help the user verify that they are looking at the right thing, but doesn't describe how the user is supposed to get there. It helps users compare the actual Settings page and with the picture - that's its intended purpose. - Read the Markdown file without the picture - try simulating "blindness". Does the picture (and its alt text attribute) help you make that comparison now? Excellent alt text would mention details like the title, that there is an input box for inserting something, and a big button at the bottom right of the image - but as long as you do not solely rely on that picture to convey what you need to convey, this is not necessary. My definition of blind does not include people that *always* have to rely on screen readers, but it also includes users of, say, hypothetical internet connections that are super weak. When I review a change, I deliberately just look at the "Files Changed" and just read the Markdown file as a text first and foremost. That's where I'm coming from, it may help you see what I'm talking about.
Owner
Copy link

Hi, I am afraid that I may have accidentally scared you away by leaving such a large response (with good intentions, I'm working on improving explaining my own perspective with less words) or that I may have accidentally given you the impression that I am requesting a lot.

Either way, I'd like to help with bringing this in a merge-able state while respecting the fact that you are also doing this in your free time. You can contact me if you want to request some opinion from me in real time (for reasons of speed) or if you want me to take over.

Hi, I am afraid that I may have accidentally scared you away by leaving such a large response (with good intentions, I'm working on improving explaining my own perspective with less words) or that I may have accidentally given you the impression that I am requesting a lot. Either way, I'd like to help with bringing this in a merge-able state while respecting the fact that you are also doing this in your free time. You can contact me if you want to request some opinion from me in real time (for reasons of speed) or if you want me to take over.
Author
Contributor
Copy link

Hi, I am afraid that I may have accidentally scared you away by leaving such a large response (with good intentions, I'm working on improving explaining my own perspective with less words) or that I may have accidentally given you the impression that I am requesting a lot.

Don't worry, you did not :). I've just been busy lately, IRL stuff taking me away from the computer and all that.

Either way, I'd like to help with bringing this in a merge-able state while respecting the fact that you are also doing this in your free time. You can contact me if you want to request some opinion from me in real time (for reasons of speed) or if you want me to take over.

I'll be sure to let you know if I need help with this, thanks!

> Hi, I am afraid that I may have accidentally scared you away by leaving such a large response (with good intentions, I'm working on improving explaining my own perspective with less words) or that I may have accidentally given you the impression that I am requesting a lot. Don't worry, you did not :). I've just been busy lately, IRL stuff taking me away from the computer and all that. > Either way, I'd like to help with bringing this in a merge-able state while respecting the fact that you are also doing this in your free time. You can contact me if you want to request some opinion from me in real time (for reasons of speed) or if you want me to take over. I'll be sure to let you know if I need help with this, thanks!
Author
Contributor
Copy link

@n0toose Please see 1080442353 and let me know what you think.

@n0toose Please see 1080442353 and let me know what you think.
n0toose marked this conversation as resolved
@ -68,0 +95,4 @@
WebAuthn is now configured for your account! Now, when you sign in, you'll be given a choice between using TOTP or WebAuthn.
(Tip: You can very likely use your WebAuthn security key in SSH as well, learn more about this on (Adding an SSH key to your account)[/security/ssh-key]).
Owner
Copy link

Our Style Guide also suggests using admonition boxes. This hasn't been applied to past changes retroactively, but we prefer them for new changes.

If you are not sure how to use admonition boxes, I'm leaving this change as an example: #355/files

Our [Style Guide](https://docs.codeberg.org/improving-documentation/style-guide/) also suggests using admonition boxes. This hasn't been applied to past changes retroactively, but we prefer them for new changes. If you are not sure how to use admonition boxes, I'm leaving this change as an example: https://codeberg.org/Codeberg/Documentation/pulls/355/files
Author
Contributor
Copy link

Done in d8bc110

Done in d8bc110
Owner
Copy link

Thank you!

Thank you!
n0toose marked this conversation as resolved
Linux is not the only OS where OpenSSH runs
Based on feedback from n0toose , see #367 (comment) 
n0toose left a comment
Copy link

We're getting there, here are a few minor comments and the change will be good to go!

We're getting there, here are a few minor comments and the change will be good to go!
@ -68,0 +77,4 @@
<picture>
<source srcset="/assets/images/security/user-settings.webp" type="image/webp">
<img src="/assets/images/security/user-settings.png" alt="User Settings">
Owner
Copy link

tiny nitpick: capitalize "User Settings", maybe add hyperlink to user settings (low priority

tiny nitpick: capitalize "User Settings", maybe add hyperlink to user settings (low priority
Author
Contributor
Copy link

This section is a copypaste from the TOTP section 1 above. If you want to have this link to https://codeberg.org/user/settings should I also add this change to the TOTP section?

This section is a copypaste from the TOTP section 1 above. If you want to have this link to https://codeberg.org/user/settings should I also add this change to the TOTP section?
Owner
Copy link

Yep, both places would be great. First method would be better, and would circumvent the need of having to be overly descriptive when the user can just "click on the picture" and see it for themselves.

Yep, both places would be great. First method would be better, and would circumvent the need of having to be overly descriptive when the user can just "click on the picture" and see it for themselves.
Owner
Copy link

I will add more explicit Style Guide instructions and check where I can fix similar instances of this in a bit - I apologize for the yak shaving. Even though you wisely chose to compare against "what others did before you" in order to make your change as compatible as possible, unfortunately, not all written documentation adheres to the Style Guide very well.

I'm trying to strike some sort of a balance between not "punishing you" for doing that to the detriment of not following the "Style Guide" by the word myself (with the hopes of being able to clean up some formatting issues during a clean-up), as well as trying to address some minor fixes that could make further iterative fixes easier.

I will add more explicit Style Guide instructions and check where I can fix similar instances of this in a bit - I apologize for the yak shaving. Even though you wisely chose to compare against "what others did before you" in order to make your change as compatible as possible, unfortunately, not all written documentation adheres to the Style Guide very well. I'm trying to strike some sort of a balance between not "punishing you" for doing that to the detriment of not following the "Style Guide" by the word myself (with the hopes of being able to clean up some formatting issues during a clean-up), as well as trying to address some minor fixes that could make further iterative fixes easier.
Author
Contributor
Copy link

@n0toose TOTP section 2 also is just an image with no text. I think this should be left for another PR to address, this one is kinda going off mission I think.

Edits from maintainers are enabled tho if you want to handle this here.

@n0toose TOTP section 2 also is just an image with no text. I think this should be left for another PR to address, this one is kinda going off mission I think. Edits from maintainers are enabled tho if you want to handle this here.
Owner
Copy link

You're right, approving.

You're right, approving.
n0toose marked this conversation as resolved
@ -68,0 +82,4 @@
#### Step 2: Go to the security tab and locate the Security Keys section
Look for `Security"` on the list of settings.
Owner
Copy link

nitpick: typo, it might be best to put a hyperlink leading to that section

nitpick: typo, it might be best to put a hyperlink leading to that section
Author
Contributor
Copy link

I don't know what the best approach would be here. We can go with either making Security a hyperlink or something like (Link to the security section) after "settings"

Typo fixed in 0655c94.

I don't know what the best approach would be here. We can go with either making `Security` a hyperlink or something like `(Link to the security section)` after "settings" Typo fixed in 0655c94.
n0toose marked this conversation as resolved
@ -68,0 +105,4 @@
{% admonition "Tip" %}
You can very likely use your WebAuthn security key in SSH as well, learn more about this on (Adding an SSH key to your account)[/security/ssh-key]).
Owner
Copy link

"in SSH as well" -> "to secure your SSH key"

"in SSH as well" -> "to secure your SSH key"
Author
Contributor
Copy link

Done in 0655c94.

Done in 0655c94.
n0toose marked this conversation as resolved
n0toose left a comment
Copy link

oops :D

oops :D
YellowComet changed title from (削除) WebAuthn (削除ここまで) to Using Security keys on Codeberg 2023年11月25日 17:04:06 +01:00
n0toose left a comment
Copy link

lgtm

lgtm
Sign in to join this conversation.
No reviewers
Labels
Clear labels
Codeberg Pages
Issues affecting Codeberg Pages
Documentation Usability
Issues related to using and reading docs.codeberg.org
Forgejo
Good First Issue! 👋
Kind: Bug
Kind: Documentation
Kind: Enhancement
Kind: Feature
Kind: Question
Kind: Security
Licensing
Part: Generator
This is related to the generation of the documentation, not to the content itself
Priority: High
The priority is high
Priority: Low
The priority is low
Priority: Medium
The priority is medium
Reviewed: Confirmed
Something has been confirmed
Reviewed: Duplicate
Something exists already
Reviewed: Invalid
Something was marked as invalid
Reviewed: Wontfix
Something won't be fixed
Status: Blocked
Status: Help wanted
Contributions are welcome!
Status: In progress
Work is in progress
Status: Needs feedback
Feedback is needed
Status: Ready for Review
Work is completed
Status: Review
Review is in progress / Reviewers wanted
Status: Stale
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
2 participants
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference
Codeberg/Documentation!367
Reference in a new issue
Codeberg/Documentation
No description provided.
Delete branch "YellowComet/Documentation:2fa-webauthn"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?