Kassel, December 2nd, 2019. The open source security specialist NetKnights has released a new version of the multi-factor authentication software “privacyIDEA”. It offers new possibilities to adapt the authentication system by flexible configuration and to integrate it into one’s own workflows.

With version 3.2 of privacyIDEA, the administrator receives two new event handler modules to define rules that can modify both HTTP requests and HTTP responses of the REST API as required. This allows workflows to be highly customized. It is now possible to easily forward audit information to external log management tools such as Splunk or Logstash and process it there. The authentication at the REST-API has been extended so that a robust integration into any other application can be implemented.

privacyIDEA is now available via the Python Package Index and in repositories for Ubuntu LTS.

Two new Event-Handler-Modules improve flexibility

Up to now, the event handler framework had token, script, federation, and statistics handlers in addition to notifications. The request handler and the response handler are now two additional, very flexible modules. These enable the administrator to define rules that change the parameters of REST requests to privacyIDEA, and also the values in the response, at will, depending on definable conditions.

The behavior of privacyIDEA can thus be adapted extremely flexibly. Obvious use cases are, for example, the secure resetting of passwords, special rollout scenarios or individual authentication rules. The system and its behavior can thus be adapted to different user requirements and fit into already existing processes.

Audit data at your fingertips

privacyIDEA writes log data (who did what, how and when, including success or failure and additional information) into an internal, structured SQL audit module. From version 3.2 the administrator can also use a file audit module. Its entries can now be easily imported into any log management system such as Splunk or Logstash. This enables companies to correlate events, including those from privacyIDEA, and to identify and process problems more easily.

Integrate any privacyIDEA function into your own portals

Via the REST-API privacyIDEA can already be integrated into the portals of a user, for example into a browser-based self-service or internal, existing management portal.

This has become considerably easier with version 3.2 through the use of trusted JSON Web Tokens in privacyIDEA. Any token management function can also be integrated into other applications, which should be particularly interesting for in-house developments. However, it remains the responsibility of the privacyIDEA administrator to grant or withdraw all rights centrally in privacyIDEA.

Many further enhancements

The policies, which generally control the behavior of privacyIDEA, were also extended. The administrator can now use any HTTP header as a condition for the respective policy.

Event handlers can also use the requesting HTTP client or the rollout state of a token as a condition.

In addition to notification by e-mail and SMS, the notification handler now also contains the option of simply writing messages to files in a spool directory.

The behavior of the PUSH token has also been improved. The authentication process is now designed to integrate more easily with other applications.

In total there were more than 25 extensions and six bug fixes. A complete list of the changes can be found in the changelog on GitHub.

Install or update privacyIDEA

privacyIDEA 3.2 is now available via the public repositories for Ubuntu 16.04 and 18.04. The software can also be installed on any distribution via the Python Package Index. Enterprise releases for Ubuntu LTS and RHEL/CentOS will follow shortly.


NetKnights improves adjustability

Kassel, September 4th 2019. The open source security specialist NetKnights has updated and significantly enhanced its multi-factor authentication software “privacyIDEA”. The new version offers more flexibility to define the rights of users – and administrators – more granularly. The migration of proprietary and legacy systems is significantly simplified.

With version 3.1 of privacyIDEA it is possible to bind the policies for user rights to any user parameters, for example LDAP attributes. In addition, automatic reassignment of tokens that are already in use once again significantly eases the migration of other 2FA systems. The “old” token PIN of a user can also be automatically adopted without the intervention of the IT department.

More flexibility in the definition of policies

With privacyIDEA, the administrator can now define policies dependent on any attributes. Which attributes these are is defined in extensible modules; in version 3.1 the user module is included. This means the administrator no longer has to bind the policies to a complete user source as before, but can use the policies to produce different behavior within a user source and/or user group, depending on the respective LDAP attribute of a user. For example, a company can enforce that users with access to more sensitive data can only log on with a secure token type, or that users who do not have an e-mail address, for example, are denied certain functions.

At the same time, the new privacyIDEA further expands the separation of special read rights for administrators. The policies can be used to define which administrators or helpdesk staff are allowed to read some configurations or not. The administrators’ read rights on tokens have also been refined. They only have access to the keys assigned to them. This makes it even easier to map client scenarios.

Easier migration through automatic token assignment

privacyIDEA allows a smooth migration of proprietary legacy or 2FA systems. This is relevant when manufacturers stop the development of proprietary systems (“end-of-life”) or products no longer meet the requirements of users.

After the seed files of the old system's tokens have been imported into privacyIDEA, the system can immediately assign the tokens to the user in privacyIDEA during the login attempt. At the same time privacyIDEA can set the old token PIN automatically, without an employee from IT or the user having to take any action.

Many additional extensions

The RADIUS Token now supports Challenge-Response. The push token functionality has been enhanced. For example, an authentication request can wait with the response until the push message is confirmed. This facilitates the integration of the privacyIDEA push token into third-party products.

The TiQR token has been extended by several functions that make it more convenient to use. The function of the TiQR token is comparable to that of a push token. However, the challenge is not sent via the push service of a third-party manufacturer, but via a QR code that the user scans. 

The administrator can define a welcome message for the users in the privacyIDEA graphical user interface in order to guide new users better through the rollout process.

Email notifications can now include a variety of new placeholders to better customize the message to the situation. 

The privacyIDEA server can force a token in the privacyIDEA Authenticator App to be protected with a PIN.

Event handler events can now also be connected to the WebUI login.

A complete list of the changes can be found in the changelog on GitHub.

Availability

privacyIDEA 3.1 is now available via the public repositories for Ubuntu 16.04 and 18.04. The software can also be installed on any distribution using the Python Package Index.

Secure and trustworthy authentication at Windows Desktop and Terminal Server

Today we release version 2.5 of the privacyIDEA Credential Provider. The privacyIDEA Credential Provider requires a user to log in to the Windows desktop or terminal server using a second factor. The user could use his smartphone with a smartphone app, a one-time password token, a Yubikey or Nitrokey to authenticate. As an alternative, the authentication backend can also send an email or text message containing a one-time code to the user for login.

The authentication is done against the privacyIDEA authentication system. The administrator can manage and control all authentication devices in this one central location in the company's own network.

Authentication under your control

The administrator can adapt the look and feel of the privacyIDEA Credential Provider according to the corporate design. Logos and text can be adapted to fit the authentication policies in your company.

The Credential Provider integrates seamlessly into an existing Windows network. It supports Network Level Authentication (NLA), User Access Control (UAC) and Over-The-Shoulder (OTS). The user can change his domain password during the login process and also while unlocking a locked desktop session.

The privacyIDEA Credential Provider comes as an MSI package. Thus it can easily be rolled out using the preferred software deployment system and be installed on Windows 8, Windows 10, Server 2012 and 2016.

By authenticating against the privacyIDEA backend you are free to choose which user should use which authentication device. Thus you gain full control of the authentication processes in your organization.

New in version 2.5

The core new feature in version 2.5 is a challenge response authentication. This allows the user to also use one time codes sent via Email or SMS to authenticate to the Windows machine.

The privacyIDEA Credential Provider is available for download for registered customers. If you are interested in testing the software you can get a demo copy for an extensive test in your environment.

Kassel, September 26th, 2017. The World Wide Web Consortium (W3C) is implementing privacyIDEA for securing access to their infrastructure with a second factor. The privacyIDEA Authentication System was chosen due to its flexible nature and the possibility to allow a single sign-on experience for the users.

The services and especially the users are distributed worldwide. Shipping authentication devices centrally is not efficient. Allowing only one type of authentication object is not an option. For W3C it is a big advantage that privacyIDEA can manage many different token types from different vendors at the same time. The lean REST API allows easy integration into their own user portal. W3C connected privacyIDEA to their existing user management. Users will be able to choose whether they want to self-enroll smartphone applications or U2F devices. Depending on the device type, users gain access to resources of different security levels.

“Working with NetKnights is very effective. They provide just the right amount of consultancy for us to be able to implement the open source software privacyIDEA into our network and in our workflows,” said Ted Guild, Head of W3C Systems. Cornelius Kölbel, CEO at NetKnights, added: “W3C stands for Web standards. So we are very happy that W3C chose privacyIDEA, as this is an open solution, which complies with an open development workflow and open standards.”

About the World Wide Web Consortium (W3C)

The mission of the World Wide Web Consortium (W3C) is to lead the Web to its full potential by creating technical standards and guidelines to ensure that the Web remains open, accessible, and interoperable for everyone around the globe. W3C standards HTML5 and CSS are the foundational technologies upon which all Web sites are built. For its work to make online videos more accessible with captions and subtitles, W3C received a 2016 Emmy Award.

W3C’s vision for “One Web” brings together thousands of dedicated technologists representing more than 400 member organizations and dozens of industry sectors. Organizationally, W3C is jointly run by the MIT Computer Science and Artificial Intelligence Laboratory (MIT CSAIL) in the United States, the European Research Consortium for Informatics and Mathematics (ERCIM) headquartered in France, Keio University in Japan and Beihang University in China.

For more information see www.w3.org.

About NetKnights and privacyIDEA

NetKnights GmbH is located in Kassel, Germany. It is an independent IT Security firm, providing services and products in the fields of strong authentication, identity management and encryption. NetKnights employs the core developers of the modular authentication system privacyIDEA.

privacyIDEA is open source software and thus has no vendor-defined end of life. Customers can own their privacyIDEA installation and use it without restrictions. NetKnights provides different subscription and support levels of privacyIDEA Enterprise Edition to meet the requirements of companies.

From October 10th-12th NetKnights presents privacyIDEA at the IT security fair it-sa in Nuremberg, Germany, at stand 10.1-208.