With version 2.5.1 of the privacyIDEA ownCloud App, second-factor authentication at ownCloud becomes even more flexible. Users can have more tokens, including more of the so-called challenge-response tokens like U2F, Email or SMS. privacyIDEA can handle any combination, and the user can choose whether to authenticate with, e.g., SMS or U2F.

Weaker 2nd factors like SMS are sometimes used as a temporary backup for a lost, more secure token or are used during an enrollment process.

The privacyIDEA ownCloud App in version 2.5.1 is now available in the ownCloud marketplace for an easy update.

For customers with a critical infrastructure or the need for reliable operations of their ownCloud, we offer support and service level agreements for the privacyIDEA ownCloud App.

We are proud to announce the release of privacyIDEA 3.0 today.

With privacyIDEA 3.0, we are setting the course for a stable future. While many users quickly lose themselves in tempting MFA SaaS offers, we want to continue to give our customers the opportunity to carry out their secure multi-factor authentication with a trustworthy system under their own control, on premises. To keep it that way in the future, we have worked on several points over the past months. On the surface, they don’t seem to have a wow effect at first, but they give you as a corporate customer what counts for you: long-term stability!

Python 3

privacyIDEA is written in Python. Python 2.7 will not be developed further after 2020. We have written the privacyIDEA 3.0 code to run on both Python 2.7 and Python 3.x. This gives you the confidence that you can switch from Python 2.7 to Python 3 without migration projects and that you can keep using privacyIDEA without worry even after 2020. privacyIDEA 3.0 pip installations can be run on Python 3. However, the Enterprise packages will still be delivered with Python 2.7 and will be changed to Python 3 in the coming months. For you, there is nothing to do except a normal update.

Crypto functions

Under the hood we also exchanged crypto libraries. The old library pycrypto had to give way to the de facto cryptography standard. Signatures and encrypted data now also have their own versioning, so that we are future-proof here if we want to change the way we sign or encrypt data.

Database Schema

We have broken with a design legacy that goes back to the first versions in 2009. Previously, the assignment of a token to the user in the database was stored in the token table itself. This was simple, but not flexible. The assignment is now stored in a separate table. This way we have already prepared the database so that several users can have the same token. This will make it easier for us to develop completely new token types in the future.

Installation variants

We have decided to deliver all installation variants as a so-called Python virtualenv. This means that privacyIDEA brings along all the dependencies it needs in a dedicated directory. Thus, a given version of privacyIDEA always runs exactly the same code, no matter whether privacyIDEA runs on Debian, Ubuntu, RHEL or SLES and whether it was installed via pip, apt or yum. This helps to exclude side effects from underlying dependencies. The installations will become more homogeneous and stable. But you can still easily install and update using apt/aptitude or yum.

We will no longer build Ubuntu 14.04LTS packages of privacyIDEA 3.0 and later. But starting with version 3.0 we offer packages for Ubuntu 18.04LTS and 16.04LTS. The packages for Ubuntu can no longer be published in the PPA Launchpad repositories. Rather, we now publish them in a separate repository.

Installation of the new version privacyIDEA 3.0

privacyIDEA 3.0 is the Community Edition, which is available on the Python Package Index and in repositories for Ubuntu 16.04LTS and 18.04LTS.

The Enterprise Edition for enterprise customers will follow in a few weeks as version 3.0.1.

You can read more details on the privacyIDEA project page.

Before installation or update please read the online documentation and the READ_BEFORE_UPDATE.

Secure and trustworthy authentication at Windows Desktop and Terminal Server

Today we release version 2.5 of the privacyIDEA Credential Provider. The privacyIDEA Credential Provider requires a user to log in to the Windows desktop or terminal server using a 2nd factor. The user could use his smartphone with a smartphone app, a one-time password token, a Yubikey or Nitrokey to authenticate. As an alternative, the authentication backend can also send an email or text message containing a one-time code to the user for login.

The authentication is done against the privacyIDEA authentication system. The administrator can manage and control all authentication devices in this one central location within the company's own network.

Authentication under your control

The administrator can adapt the look and feel of the privacyIDEA Credential Provider according to the corporate design. Logos and text can be adapted to fit the authentication policies in your company.

The Credential Provider integrates seamlessly into an existing Windows network. It supports Network Level Authentication (NLA), User Access Control (UAC) and Over-The-Shoulder (OTS). The user can change his domain password during the login process and also while unlocking a locked desktop session.

The privacyIDEA Credential Provider comes as an MSI package. Thus it can easily be rolled out using the preferred software deployment system and be installed on Windows 8, Windows 10, Server 2012 and 2016.

By authenticating against the privacyIDEA backend you get the free choice of which user should use which authentication device. Thus you gain the full control of the authentication processes in your organization.

New in version 2.5

The core new feature in version 2.5 is a challenge response authentication. This allows the user to also use one time codes sent via Email or SMS to authenticate to the Windows machine.

The privacyIDEA Credential Provider is available for download for registered customers. If you are interested in testing the software, you can get a demo copy for an extensive test in your environment.

Today, on August 29th, 2018, privacyIDEA 2.23 is released. Packages are available in the public Launchpad repositories for Ubuntu 14.04LTS and 16.04LTS. The Multi-Factor Authentication System privacyIDEA can also be installed via the Python Package Index on any other distribution.

Automated processes

Event Handlers were already added to privacyIDEA in version 2.12. They enable the administrator to connect any event to new actions like user notification, token management or any arbitrary script. If such an event occurs, the defined action is triggered.

With version 2.23 these actions can now be triggered before the original event is processed. We distinguish Post-Event-Handling and Pre-Event-Handling. E.g. the administrator can define that a user who has no token assigned and tries to authenticate gets a new token enrolled. This newly enrolled token will be used directly during this authentication request. The logon experience for the user is totally transparent. There is no additional effort for the administrator.

This way a lot of tasks, which would otherwise be done manually or called by a script, will be executed automatically just at the right moment within privacyIDEA. This way the administrator can cope with unforeseen scenarios and can automate actions accordingly.

The Pre-Event-Handler enrolls a token for the user if the user has no token yet. This token is used in the very same authentication request.

Periodic tasks

In version 2.23 the administrator can define periodic, recurring tasks. Among other things, these can be used to gather information about or from the privacyIDEA system. Several modules (“Event Counter”, “Simple Statistics”) are used to define what should happen periodically.

E.g. using the Statistics Module the administrator can monitor the number of available (not assigned) hardware tokens. This is often important, so that the administrator knows when he needs to reorder new hardware tokens.

The Event Counter module records how often a certain event has occurred. A simple scenario is to record the number of failed authentication requests.

privacyIDEA saves all this information as time series. Using tools like Grafana, you can plot it as relevant graphs.

Events – like authentication requests – can be recorded and viewed graphically in a timeline.

 

2FA for the masses

Two-Factor-Authentication is widespread. A lot of services offer 2FA to their end users. But it is not always possible to use hardware devices. Not every user has a smartphone. Sometimes users do not want to pass on their mobile number for SMS tokens due to privacy concerns. There is not one solution for all. This is the strength of privacyIDEA: you can mix and match a lot of different token types.

With version 2.23 you also get the TAN token. The administrator now can import existing TAN lists into privacyIDEA. This way you can easily add authentication to a huge number of users and you can smoothly migrate from an existing TAN solution to privacyIDEA.

More at GitHub

You can find the complete Changelog at GitHub.

In a few weeks NetKnights GmbH will release privacyIDEA Enterprise Edition 2.23.1. In addition, it will be available for RHEL/CentOS 7 and the Univention Corporate Server.

Today we released the version 2.22.1 of the privacyIDEA Enterprise Edition.

If you want to know more about the major changes from 2.21 to this version 2.22.1 please read our previous blog post.

Bug Fixes

In version 2.22.1 bugs in the Web UI and server have been fixed:

  • Login with Challenge Response tokens to the WebUI was improved.
  • The PIN, serial and username handling in the rollout and assignment was fixed.
  • Annoying output in the browser console was removed.
  • Added check for serial number present.
  • Fixed validation of OCRA and TiQR token.
  • Added retry to cope with HSM issues.
  • Fixed unicode in resolverconf database table with Oracle.

You can find a complete Changelog at GitHub.

About the privacyIDEA Enterprise Edition

The Enterprise Edition is released as version 2.X.1 a few weeks after the public release of version 2.X and contains necessary bug fixes.

The Enterprise Edition of the privacyIDEA Authentication System addresses companies and organizations that need a reliable and stable update process. It is available for Ubuntu 16.04LTS, CentOS7/RHEL7 and the Univention Corporate Server. It is also available as an Appliance that allows, e.g., a simple setup of a master-master replication.

Please get in touch, if you want to learn more or if you want to test the Enterprise Edition.

Today we released the privacyIDEA Authenticator version 1.0. We fixed typos and added a German translation.

The privacyIDEA Authenticator is available via the Google Play Store.

About the privacyIDEA Authenticator

Using the privacyIDEA Authenticator the smartphones of your users become the factor of possession for a secure login. The privacyIDEA Authenticator creates one time passwords according to the HOTP or TOTP algorithms. It is compatible with the Google Authenticator. However, in conjunction with the privacyIDEA Authentication System the privacyIDEA Authenticator also allows for a secure enrollment process. Thus neither the user nor an attacker can simply copy the secret key of the app during the enrollment process.

In privacyIDEA 2.22 the flexibility of using arbitrary user attributes in the RADIUS protocol was heavily improved. But there are a lot of other features and enhancements. You can find the complete article at privacyidea.org.

The current version 2.21.4 of privacyIDEA Enterprise Edition is now available for Univention Corporate Server.

We already wrote about the new features in privacyIDEA 2.21 in a previous blog post. Now UCS users can also profit from these enhancements. privacyIDEA can be updated from version 2.20.1 to 2.21.4 easily from within the Appcenter.

Secure Rollout of Smartphones

privacyIDEA Authenticator

Using the smartphone and the privacyIDEA Authenticator App users can securely log in to e.g. the company’s VPN.

The most interesting feature of privacyIDEA 2.21.4 is the secure rollout of smartphones. During this process a part of the secret key is generated on the privacyIDEA server and the other part is generated on the privacyIDEA Authenticator App.
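The split-secret rollout described above, combined with the HOTP algorithm named in the Authenticator section, as an added sketch that is not privacyIDEA's or NetKnights' code. The PBKDF2 combiner, the part sizes, the way the client part reaches the server and all function names are assumptions made for illustration; the page does not say how the two parts are merged.

```python
import hashlib
import hmac
import secrets
import struct


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def combine_parts(server_part: bytes, client_part: bytes,
                  iterations: int = 10000, length: int = 20) -> bytes:
    """Assumed combiner: PBKDF2-HMAC-SHA1 with the client part as salt.

    Illustrative choice for this example; the page does not state how
    privacyIDEA merges the two parts.
    """
    return hashlib.pbkdf2_hmac("sha1", server_part, client_part,
                               iterations, length)


def simulate_rollout() -> dict:
    # Step 1: the server creates its part and shows it in the QR code.
    server_part = secrets.token_bytes(20)
    # Step 2: the app creates its own part on the phone. It is never in the
    # QR code; here it is assumed to be reported back to the server once.
    client_part = secrets.token_bytes(8)
    # Both sides derive the same token key independently.
    phone_key = combine_parts(server_part, client_part)
    server_key = combine_parts(server_part, client_part)
    # A copy of the QR code holds the server part only, not the token key.
    qr_only_key = combine_parts(server_part, b"\x00" * 8)
    return {
        "keys_match": hmac.compare_digest(phone_key, server_key),
        "qr_copy_has_key": hmac.compare_digest(qr_only_key, phone_key),
        "phone_otp": hotp(phone_key, 0),
        "server_otp": hotp(server_key, 0),
    }


if __name__ == "__main__":
    print(simulate_rollout())
```

The point to take away is that the QR code stops being a complete credential: the one-time passwords only verify for a key that needs the part created on the phone.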

The privacyIDEA Authenticator App is currently available for Android phones via the Google Play Store.

You have questions? Ask us!

Today we released the stable version 2.21.1 of the privacyIDEA Enterprise Edition.

The Enterprise Edition as version 2.X.1 is released a few weeks after the corresponding major public release and contains necessary bug fixes. You can read about the features of version 2.21 like the secure smartphone enrollment in our previous blog post.

Version 2.21.1 fixes the following bug:

  • The LDAPS connection to the user directory like OpenLDAP or Active Directory only used TLS1.0. The administrator can now configure the user resolver to also use TLS1.1 or TLS1.2.

About the Enterprise Edition

The Enterprise Edition of the Multi-Factor-Authentication system privacyIDEA is meant for enterprises and organizations which need a reliable update process. It is available for Ubuntu 16.04LTS, CentOS7, RHEL7 and the Univention Corporate Server. In addition, the Enterprise Edition contains an appliance that helps you quickly and easily set up a highly available master-master replication.

Please contact us if you have further questions, if you want to test the Enterprise Edition or want to book a workshop.

Today privacyIDEA 2.21 was released. Read about it on the privacyIDEA project page.

With privacyIDEA 2.21 it will be possible to enroll smartphone based tokens in a more secure manner and mitigate the threat of simply copying the QR code of the enrolled token. NetKnights still runs a beta test of a new smartphone app. You are welcome to join the beta test!

Also there are enhancements in the event handlers, the rotating of the audit log and the customization of the UI.

Version 2.21 is available as a community version via the Ubuntu repositories for 16.04LTS and 14.04LTS and the Python Package Index.

The enterprise version 2.21.1 will be released in a few weeks. Just contact us for any questions.