In combination with privacyIDEA 3.1, the privacyIDEA Authenticator App supports authentication with a Push-Token.

The Push-Token

When logging on to e.g. a website, the privacyIDEA backend sends a cryptographically secured challenge to the user’s smartphone.
The user simply has to confirm the login request on his smartphone. In the background, the smartphone then signs the challenge and sends it back to privacyIDEA. The signature ensures that it was really this user who confirmed the login request.

The user is logged in automatically.

The privacyIDEA Authenticator on iOS

The privacyIDEA Authenticator with the Push functionality is now available for iOS in the Apple App Store.

In addition the privacyIDEA Backend supports a lot of different token types like software-tokens and hardware-tokens, Yubikeys, Nitrokeys and other possibilities. If you want to secure your login in your company with a 2nd factor, please get in touch!

Last week the version 3.1.1 of privacyIDEA was released.
Compared to version 3.1, it fixes a problem where the serial number of the token was not saved to the audit log.

privacyIDEA 3.1.1 is available via the usual repositories, in the Python Package Index and in the community repositories for Ubuntu.

For enterprise customers privacyIDEA 3.1.1 is also available in the enterprise repositories for Ubuntu,
CentOS/Red Hat Enterprise Linux and the Univention Corporate Server.

You can get more information about the privacyIDEA Enterprise Edition.

NetKnights improves adjustability

Kassel, September 4th 2019. The open source security specialist NetKnights has updated and significantly enhanced its multi-factor authentication software “privacyIDEA”. The new version offers more flexibility to define the rights of users – and administrators – more granularly. The migration of proprietary and legacy systems is significantly simplified.

With the version 3.1 of privacyIDEA it is possible to bind the guidelines for user rights to any user parameters, for example LDAP attributes. In addition, an automatic reassignment of already used tokens eases the migration of other 2FA systems once again significantly. The “old” token PIN of a user can also be automatically adopted without the intervention of the IT department.

More flexibility in the definition of policies

With privacyIDEA, the administrator can now define policies that depend on arbitrary attributes. Which attributes these are is defined in extensible modules; version 3.1 includes the user module. The administrator therefore no longer has to bind a policy to a complete user source, as before, but can use policies to produce different behavior within a user source and/or user group depending on the respective LDAP attribute of a user. For example, a company can enforce that users with access to more sensitive data can only log on with a secure token type, or that users who do not have an e-mail address, for example, are denied certain functions.
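The two cases above can be modelled as follows. This is an added illustration, not privacyIDEA code or its policy syntax: the `Policy` class, the attribute values, the token type names and the action name `enroll_email_token` are hypothetical, and combining matching policies by intersection is an assumption of this sketch.

```python
from dataclasses import dataclass


@dataclass
class Policy:
    name: str
    # attribute -> required value; None means "attribute absent or empty"
    conditions: dict
    allowed_tokentypes: frozenset = frozenset()  # empty = no restriction
    denied_actions: frozenset = frozenset()


def _values(user_attrs, attr):
    """LDAP attributes may be single- or multi-valued; normalise to a list."""
    raw = user_attrs.get(attr)
    if raw is None or raw == "":
        return []
    return list(raw) if isinstance(raw, (list, tuple, set)) else [raw]


def matches(policy, user_attrs):
    """A policy applies only if every attribute condition holds."""
    for attr, required in policy.conditions.items():
        values = _values(user_attrs, attr)
        if required is None:
            if values:
                return False
        elif required not in values:
            return False
    return True


def effective_rights(policies, user_attrs):
    """Combine all matching policies; the most restrictive result wins."""
    allowed, denied = None, set()
    for p in policies:
        if not matches(p, user_attrs):
            continue
        if p.allowed_tokentypes:
            allowed = (set(p.allowed_tokentypes) if allowed is None
                       else allowed & p.allowed_tokentypes)
        denied |= p.denied_actions
    return allowed, denied


# Constructed policies mirroring the two cases in the text.
FINANCE = "cn=finance,ou=groups,dc=example,dc=com"
POLICIES = [
    Policy("sensitive-data", {"memberOf": FINANCE},
           allowed_tokentypes=frozenset({"u2f", "yubikey"})),
    Policy("no-mail", {"mail": None},
           denied_actions=frozenset({"enroll_email_token"})),
]


def may_use(user_attrs, tokentype):
    allowed, _ = effective_rights(POLICIES, user_attrs)
    return allowed is None or tokentype in allowed
```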

At the same time, the new privacyIDEA further expands the separation of special read rights for administrators. The policies can be used to define which administrators or helpdesk staff are allowed to read some configurations or not. The administrators’ read rights on tokens have also been refined. They only have access to the keys assigned to them. This makes it even easier to map client scenarios.

Easier migration through automatic token assignment

privacyIDEA allows a smooth migration of proprietary legacy or 2FA systems. This is relevant when manufacturers stop the development of proprietary systems (“end-of-life”) or products no longer meet the requirements of users.

After the seed files of the old system tokens have been imported into privacyIDEA, the system can immediately assign the tokens to the user in privacyIDEA during the login attempt. At the same time privacyIDEA can set the old token PIN automatically, without the IT department or the user having to take any action.

Many additional extensions

The RADIUS Token now supports Challenge-Response. The push token functionality has been enhanced. For example, an authentication request can wait with the response until the push message is confirmed. This facilitates the integration of the privacyIDEA push token into third-party products.

The TiQR token has been extended by several functions that make it more convenient to use. The function of the TiQR token is comparable to that of a push token. However, the challenge is not sent via the push service of a third-party manufacturer, but via a QR code that the user scans. 

The administrator can define a welcome message for the users in the privacyIDEA graphical user interface in order to guide new users better through the rollout process.

Email notifications can now include a variety of new placeholders to better customize the message to the situation. 

The privacyIDEA server can force a token in the privacyIDEA Authenticator App to be protected with a PIN.

Event handler events can now also be connected to the WebUI login.

 

A complete list of the changes can be found in the changelog on GitHub.

 

Availability

privacyIDEA 3.1 is now available via the public repositories for Ubuntu 16.04 and 18.04. The software can also be installed on any distribution using the Python Package Index.

NetKnights will again be exhibiting at the business fair it-sa in Nuremberg this year.

From October 8th to 10th 2019, the who-is-who of German and international IT security providers will meet at the Nuremberg Exhibition Centre. Visitors will have the opportunity to get first-hand information about innovations and roadmaps of the security products.

NetKnights will be co-exhibiting with ownCloud in Hall 10.0, Stand 412. There we will present the multi-factor authentication system privacyIDEA, which can extend ownCloud in corporate environments by various second factors and thus reliably protect your business-critical data. Once rolled out in your company, privacyIDEA also allows secure login to other web applications, remote login, VPN, desktops and terminal servers…

Drop us a note and set up a meeting to discuss how privacyIDEA can help to increase logon security in your network.

In September the annual ownCloud Conference is held in Nuremberg, Germany. There, companies that use ownCloud, developers from the community and ownCloud partners meet to hear about new developments and plans and to exchange their experiences.

ownCloud is an important partner to NetKnights. The privacyIDEA ownCloud Plugin is stable software that enhances ownCloud with many different types of two-factor authentication. A lot of companies and customers are using this privacyIDEA component to protect the web access to their ownCloud installation.

Talk and stand

NetKnights will have a stand, a demo point where you can take a look at ownCloud in combination with privacyIDEA, check the different two-factor mechanisms and ask us all your questions about 2FA with ownCloud.

We will also present new features like authenticating at ownCloud with the new privacyIDEA Push Token. In this case, after the user has authenticated with his username and password at the ownCloud Web UI, he gets a notification on his smartphone, which he simply has to confirm and then he will be logged in.

 

Cornelius Kölbel will also give a talk about this topic on September 18th. He will also show how the Push Token mechanism can be combined with any other two-factor authentication mechanism in privacyIDEA like HOTP, TOTP, Yubikey, Email, SMS…

 

Contact

Contact us if you already have questions upfront or if you want to make an appointment at the ownCloud Conference.

privacyIDEA will be present at the Texas LinuxFest in Dallas on May 31st and June 1st.

Cornelius Kölbel will conduct a workshop in which participants will install the multi-factor authentication system privacyIDEA in an existing network, read users from an AD, assign tokens and extend access to ownCloud, NGinX or SSH to include two-factor authentication. Single Sign On is an important mechanism for making users’ lives easier. But protecting this single login is all the more important. Protect SSO with a second factor. The workshop will look at two-factor authentication with privacyIDEA on Keycloak or simpleSAMLphp.

The next day, Cornelius Kölbel will give a talk on how companies and larger user groups can easily migrate an existing 2FA solution to privacyIDEA.

If you are interested in these topics, please do not hesitate to contact us.

Today the privacyIDEA Enterprise Edition 3.0.1 was published. It is the stable bug-fixing release for our enterprise customers which fixes problems from version 3.0.

Push Token

For the new push token function, errors have been fixed and operability has been improved.

  • Add logic checking to setup of PUSH token (#1592)
  • Remove double enrollment notification of PUSH token in WebUI (#1598)
  • Fix to allow spaces in Firebase configuration (#1599)
  • Add support for iOS Firebase configuration (#1608)
  • Fix to allow PUSH token enrollment, even with Label-policy (#1589)
  • Fix to mark PUSH token challenge answered in the database (#1584)

(The numbers in brackets indicate the GitHub issues)

Stable Enterprise Edition

In addition, the following issues have been fixed or functionality has been improved:

  • Fix the validity period of the registration token (#1587)
  • Beautify the vertical alignment in the Web UI top menu (#1559)
  • Fix user cache configuration read – defaults to 0 (#1596)
  • Remove links in audit log for normal users (#1497)
  • Check UI rights for user resolvers (#1496)
  • Fix placeholder in realm dropdown in login dialog (#1498)
  • Fix enckey creation in Python 3 (#1594)
  • Allow the usage of “browserLanguage” in custom templates (#1620)
  • Open all accordions when searching for policy action (#1558)
  • Fix to hide support links also in menu (#1626)

Secure your network

Version 3.0.1 is publicly available and can be easily installed via the Python Package Index or via repositories for Ubuntu 16.04LTS and 18.04LTS.

Our enterprise customers have been informed about the updates. They also have a repository for Red Hat Enterprise Linux 7 and an appliance application at their disposal. If you are interested in the Enterprise Edition, click here to learn more.

If you want to stay up to date, please subscribe to our newsletter.

With privacyIDEA ownCloud App version 2.5.1 you gain even more flexible authentication at ownCloud with a second factor. Users can have more tokens and also more of the so-called challenge-response tokens like U2F, Email or SMS. privacyIDEA can handle any combination, and the user can choose if he wants to authenticate e.g. with SMS or U2F.

Weaker 2nd factors like SMS are sometimes used as a temporary backup for a lost, more secure token or are used during an enrollment process.

The privacyIDEA ownCloud App in version 2.5.1 is now available in the ownCloud marketplace for an easy update.

For customers with a critical infrastructure or the need for reliable operations of their ownCloud, we offer support and service level agreements for the privacyIDEA ownCloud App.

We are proud to announce the release of privacyIDEA 3.0 today.

With privacyIDEA 3.0, we are setting the course for a stable future. While many users quickly lose themselves in tempting MFA SaaS offers, we want to continue to give our customers the opportunity to carry out their secure multi-factor authentication with a trustworthy system under their own control, on premises. To keep it that way in the future, we have worked on several points over the past months. On the surface, they don’t seem to have a wow effect at first, but they give you as a corporate customer what counts for you: Long-term stability!

Python 3

privacyIDEA is written in Python. The Python version 2.7 will not be further developed after 2020. We have written the privacyIDEA 3.0 code to run on both Python 2.7 and Python 3.x. This gives you the confidence that you can switch from Python 2.7 to Python 3 without migration projects and that you can continue to use privacyIDEA without worry even after 2020. privacyIDEA 3.0 PIP installations can be run on Python 3. However, the Enterprise packages will still be delivered with Python 2.7 and will be changed to Python 3 in the coming months. For you there is nothing else to do except a normal update.

Crypto functions

Under the hood we also exchanged crypto libraries. The old library pycrypto had to give way to the de facto cryptography standard. Signatures and encrypted data now also have their own versioning, so that we are future-proof here if we want to change the way we sign or encrypt data.

Database Schema

We have broken with a design legacy that goes back to the first versions in 2009. Previously, the assignment of a token to the user in the database was stored in the token table itself. This was simple, but not flexible. The assignment is now stored in a separate table. This way we have already prepared the database so that several users can have the same token. This will make it easier for us to develop completely new token types in the future.

Installation variants

We have decided to deliver all installation variants as a so-called Python virtualenv. This means that privacyIDEA brings along all the dependencies it needs in a dedicated directory. Thus, for a given version of privacyIDEA, exactly the same code will always run, no matter whether privacyIDEA runs on Debian, Ubuntu, RHEL or SLES and was installed via pip, apt or yum. This helps to exclude side effects from underlying dependencies. The installations will become more homogeneous and stable. But you can still easily install and update using apt/aptitude or yum.

We will no longer build Ubuntu 14.04LTS packages of privacyIDEA 3.0 and later. But starting with version 3.0 we offer packages for Ubuntu 18.04LTS and 16.04LTS. The packages for Ubuntu can no longer be published in the PPA Launchpad repositories. Rather, we now publish them in a separate repository.

Installation of the new version privacyIDEA 3.0

privacyIDEA 3.0 is the Community Edition, which is available on the Python Package Index and in repositories for Ubuntu 16.04LTS and 18.04LTS.

The Enterprise Edition for enterprise customers will follow in a few weeks as version 3.0.1.

You can read more details on the privacyIDEA project page.

Before installation or update please read the online documentation and the READ_BEFORE_UPDATE.

With the new version 2.5 of the privacyIDEA ownCloud plugin, the administrator can now decide in which case he wants users to authenticate with a second factor and when one factor is enough.

The administrator can make this dependent on the IP address of the requesting client. For example, he can force access from the internet to be protected with a second factor, while access from clients in the internal network would not require a second factor.
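A sketch of such an IP-dependent decision, as an added example that is not the plugin's own code. The network ranges, the proxy address and all function names are constructed; the sketch assumes a single trusted reverse proxy and chooses to require the second factor whenever the client address cannot be established.

```python
import ipaddress

# Constructed sample values: networks exempt from the second factor and the
# reverse proxy in front of the application.
INTERNAL_NETWORKS = ("10.0.0.0/8", "192.168.10.0/24", "fd00:10::/32")
TRUSTED_PROXIES = ("10.0.0.5/32",)


def _parse(addr):
    """Parse an address; unwrap IPv4-mapped IPv6; return None if invalid."""
    try:
        ip = ipaddress.ip_address(addr.strip())
    except (ValueError, AttributeError):
        return None
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped  # dual-stack sockets report ::ffff:a.b.c.d
    return ip


def _in_any(ip, networks):
    return any(ip in ipaddress.ip_network(n) for n in networks)


def effective_client(peer_addr, forwarded_for=None):
    """Address the policy is evaluated against, or None if unknown.

    X-Forwarded-For is honoured only when the TCP peer is a trusted proxy,
    and only its right-most entry (the one that proxy appended) is used.
    """
    peer = _parse(peer_addr)
    if peer is None:
        return None
    if _in_any(peer, TRUSTED_PROXIES):
        # A proxy that sent no header tells us nothing about the client.
        if not forwarded_for:
            return None
        return _parse(forwarded_for.split(",")[-1])
    return peer  # direct connection: any client-supplied header is ignored


def second_factor_required(peer_addr, forwarded_for=None):
    """True unless the client is provably inside an internal network."""
    client = effective_client(peer_addr, forwarded_for)
    if client is None:
        return True  # fail closed: unknown address gets the strict path
    return not _in_any(client, INTERNAL_NETWORKS)
```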

The privacyIDEA ownCloud plugin is now available via the ownCloud Marketplace and can be installed directly from within your ownCloud instance.

Cornelius Kölbel will give a talk about two-factor authentication at ownCloud with privacyIDEA at FOSDEM this Sunday.