Secure and trustworthy authentication at Windows Desktop and Terminal Server

Today we release version 2.5 of the privacyIDEA Credential Provider. The privacyIDEA Credential Provider requires a user to log in to the Windows desktop or terminal server using a second factor. The user can use a smartphone with a smartphone app, a one-time password token, a Yubikey or a Nitrokey to authenticate. As an alternative, the authentication backend can also send an email or text message containing a one-time code to the user for login.

Authentication is done against the privacyIDEA authentication system. The administrator can manage and control all authentication devices in this one central location within the company's own network.

Authentication under your control

The administrator can adapt the look and feel of the privacyIDEA Credential Provider according to the corporate design. Logos and text can be adapted to fit the authentication policies in your company.

The Credential Provider integrates seamlessly into an existing Windows network. It supports Network Level Authentication (NLA), User Account Control (UAC) and Over-The-Shoulder (OTS). The user can change his domain password during the login process and also while unlocking a locked desktop session.

The privacyIDEA Credential Provider comes as an MSI package. It can therefore easily be rolled out using the preferred software deployment system and be installed on Windows 8, Windows 10, Server 2012 and 2016.

By authenticating against the privacyIDEA backend you are free to choose which user should use which authentication device. You thus gain full control of the authentication processes in your organization.

New in Version 2.5

The core new feature in version 2.5 is challenge-response authentication. This allows the user to also use one-time codes sent via email or SMS to authenticate to the Windows machine.

The privacyIDEA Credential Provider is available for download for registered customers. If you are interested in testing the software, you can get a demo copy for an extensive test in your environment.

Today, on August 29th, 2018, privacyIDEA 2.23 is released. Packages are available in the public Launchpad repositories for Ubuntu 14.04LTS and 16.04LTS. The multi-factor authentication system privacyIDEA can also be installed via the Python Package Index on any other distribution.

Automated processes

Event Handlers were already added to privacyIDEA in version 2.12. They enable the administrator to connect any event to new actions like user notification, token management or any arbitrary script. If such an event occurs, the defined action is triggered.

With version 2.23 these actions can now be triggered before the original event is processed. We distinguish Post-Event-Handling and Pre-Event-Handling. For example, the administrator can define that a user who has no token assigned and tries to authenticate gets a new token enrolled. This newly enrolled token is then used directly during this authentication request. The logon experience for the user is totally transparent. There is no additional effort for the administrator.

This way a lot of tasks, which would otherwise be done manually or called by a script, are executed automatically at just the right moment within privacyIDEA. The administrator can thus cope with unforeseen scenarios and automate actions accordingly.

The Pre-Event-Handler enrolls a token for the user if the user has no token yet. This token is used in the very same authentication request.

Periodic tasks

In version 2.23 the administrator can define periodic, recurring tasks. These can be used to gather information about or from the privacyIDEA system. Several modules (“Event Counter”, “Simple Statistics”) are used to define what should happen periodically.

For example, using the Statistics Module the administrator can monitor the number of available (not assigned) hardware tokens. This is often important so that the administrator knows when he needs to reorder new hardware tokens.

The Event Counter module records how often a certain event has occurred. A simple scenario is to record the number of failed authentication requests.

privacyIDEA saves all this information as time series. Using tools like Grafana you can plot it as graphs.

Events – like authentication requests – can be recorded and viewed graphically in a timeline.

 

2FA for the masses

Two-factor authentication is widespread. A lot of services offer 2FA to their end users. But it is not always possible to use hardware devices. Not every user has a smartphone. Sometimes users do not want to pass on their mobile number for SMS tokens due to privacy concerns. There is no single solution for all. This is the strength of privacyIDEA: you can mix and match a lot of different token types.

With version 2.23 you also get the TAN token. The administrator can now import existing TAN lists into privacyIDEA. This way you can easily add authentication for a huge number of users and smoothly migrate from an existing TAN solution to privacyIDEA.

More at GitHub

You can find the complete changelog at GitHub.

In a few weeks NetKnights GmbH will release privacyIDEA Enterprise Edition 2.23.1. It will additionally be available for RHEL/CentOS 7 and the Univention Corporate Server.

Today we released version 2.22.1 of the privacyIDEA Enterprise Edition.

If you want to know more about the major changes from 2.21 to this version 2.22.1, please read our previous blog post.

Bug Fixes

In version 2.22.1 bugs in the Web UI and server have been fixed:

  • Login with Challenge Response tokens to the WebUI was improved.
  • The PIN, serial and username handling in the rollout and assignment was fixed.
  • Annoying output in the browser console was removed.
  • Added check for serial number present.
  • Fixed validation of OCRA and TiQR token.
  • Added retry to cope with HSM issues.
  • Fixed unicode in resolverconf database table with Oracle.

You can find a complete changelog at GitHub.

About the privacyIDEA Enterprise Edition

The Enterprise Edition is released as version 2.X.1 a few weeks after the public release of version 2.X and contains necessary bug fixes.

The Enterprise Edition of the privacyIDEA Authentication System is aimed at companies and organizations that need a reliable and stable update process. It is available for Ubuntu 16.04LTS, CentOS7/RHEL7 and the Univention Corporate Server. It is also available as an appliance, which allows, for example, a simple setup of a master-master replication.

Please get in touch if you want to learn more or if you want to test the Enterprise Edition.

Today we released the privacyIDEA Authenticator version 1.0. We fixed typos and added a German translation.

The privacyIDEA Authenticator is available via the Google Play Store.

About the privacyIDEA Authenticator

Using the privacyIDEA Authenticator, the smartphones of your users become the possession factor for a secure login. The privacyIDEA Authenticator creates one-time passwords according to the HOTP or TOTP algorithms. It is compatible with the Google Authenticator. However, in conjunction with the privacyIDEA Authentication System the privacyIDEA Authenticator also allows for a secure enrollment process. Thus neither the user nor an attacker can simply copy the secret key of the app during the enrollment process.

In privacyIDEA 2.22 the flexibility of using arbitrary user attributes in the RADIUS protocol was heavily improved. But there are a lot of other features and enhancements. You can find the complete article at privacyidea.org.

The current version 2.21.4 of privacyIDEA Enterprise Edition is now available for Univention Corporate Server.

We already wrote about the new features in privacyIDEA 2.21 in a previous blog post. Now UCS users can also profit from these enhancements. privacyIDEA can be updated from version 2.20.1 to 2.21.4 easily from within the Appcenter.

Secure Rollout of Smartphones

privacyIDEA Authenticator

Using the smartphone and the privacyIDEA Authenticator App users can securely log in to e.g. the company’s VPN.

The most interesting feature of privacyIDEA 2.21.4 is the secure rollout of smartphones. During this process a part of the secret key is generated on the privacyIDEA server and the other part is generated on the privacyIDEA Authenticator App.
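The split-key rollout described above, together with the HOTP and TOTP algorithms the app uses, as an added example that is not part of the original post and not privacyIDEA's own code. It implements HOTP (RFC 4226) and TOTP (RFC 6238) and shows that a copied server part alone does not reproduce the phone's codes; the PBKDF2 combiner, the part sizes, the idea that the server part travels in the QR code, and all function names are assumptions made for illustration.

```python
import hashlib
import hmac
import struct


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """HOTP value per RFC 4226 (HMAC-SHA1 with dynamic truncation)."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(key: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """TOTP per RFC 6238: HOTP over the number of elapsed time steps."""
    return hotp(key, unix_time // step, digits)


def combine_parts(server_part: bytes, app_part: bytes) -> bytes:
    """Derive the token key from both parts.

    ASSUMPTION: PBKDF2-HMAC-SHA1 with 10000 iterations is an illustrative
    combiner chosen for this example; the page does not name the method.
    """
    return hashlib.pbkdf2_hmac("sha1", server_part, app_part, 10000, dklen=20)


def simulate_rollout(server_part: bytes, app_part: bytes):
    """Return (phone_matches_server, copied_qr_matches_server).

    ASSUMPTION: server_part is what the enrollment QR code carries, while
    app_part is generated on the phone and reaches the server separately.
    """
    phone_key = combine_parts(server_part, app_part)
    server_key = combine_parts(server_part, app_part)
    copied_key = server_part  # all that a copy of the QR code would yield
    counters = range(5)
    phone = [hotp(phone_key, c) for c in counters]
    server = [hotp(server_key, c) for c in counters]
    copied = [hotp(copied_key, c) for c in counters]
    return phone == server, copied == server


if __name__ == "__main__":
    # Constructed sample values, not real key material.
    print(simulate_rollout(b"S" * 20, b"A" * 8))
```

With a plain one-step rollout the QR code holds the whole key, so the copied key would generate the same codes as the phone.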

The privacyIDEA Authenticator App is currently available for Android phones via the Google Play Store.

You have questions? Ask us!

Today we released the stable version 2.21.1 of the privacyIDEA Enterprise Edition.

The Enterprise Edition as version 2.X.1 is released a few weeks after the corresponding major public release and contains necessary bug fixes. You can read about the features of version 2.21 like the secure smartphone enrollment in our previous blog post.

Version 2.21.1 fixes the following bug:

  • The LDAPS connection to the user directory like OpenLDAP or Active Directory only used TLS1.0. The administrator can now configure the user resolver to also use TLS1.1 or TLS1.2.

About the Enterprise Edition

The Enterprise Edition of the multi-factor authentication system privacyIDEA is meant for enterprises and organizations which need a reliable update process. It is available for Ubuntu 16.04LTS, CentOS7, RHEL7 and the Univention Corporate Server. In addition, the Enterprise Edition contains an appliance that helps you quickly and easily set up a highly available master-master replication.

Please contact us if you have further questions, if you want to test the Enterprise Edition or want to book a workshop.

Today privacyIDEA 2.21 was released. Read about it on the privacyIDEA project page.

With privacyIDEA 2.21 it will be possible to enroll smartphone based tokens in a more secure manner and mitigate the threat of simply copying the QR code of the enrolled token. NetKnights still runs a beta test of a new smartphone app. You are welcome to join the beta test!

There are also enhancements in the event handlers, the rotation of the audit log and the customization of the UI.

Version 2.21 is available as a community version via the Ubuntu repositories for 16.04LTS and 14.04LTS and the Python Package Index.

The enterprise version 2.21.1 will be released in a few weeks. Just contact us if you have any questions.

The privacyIDEA Enterprise Edition version 2.20.1 is now available for Univention Corporate Server. You can install or update privacyIDEA 2.20.1 on the UCS easily from the Univention App Center.

Please note that the subscription handling was changed in privacyIDEA4UCS. You now no longer need a special license file but the common subscription file, which is used with the common privacyIDEA Enterprise Edition. Existing clients already received the new subscription file. If you are running tests in a demo environment, you can create your own demo subscription file for privacyIDEA4UCS.

OCRA, Display-TAN and Federation in privacyIDEA 2.20.1

We already posted about the common release of privacyIDEA version 2.20.1. Now also customers running privacyIDEA on UCS can use the awesome new features:

The new token types OCRA token and Display-TAN card are now supported. In contrast to classic authentication scenarios, the OCRA token also allows the signing of transaction data. Using an OCRA token the user can attest that the data set he is sending is correct. The recipient can cryptographically verify that the received data is still valid and unmodified. This can be used in banking scenarios and other applications where data must not be modified.

A second main feature is the federation handler. It allows special authentication requests to be forwarded to other, subordinate privacyIDEA systems. This is interesting for federated organizations and infrastructures. Departments may run their own privacyIDEA systems. A central privacyIDEA system in the organization can then forward the authentication requests to the corresponding departments.

A complete changelog can be found here.

Get your personal subscription file for privacyIDEA4UCS!

We are happy to answer any of your questions!

 

Today we released the stable version 2.20.1 of the privacyIDEA Enterprise Edition.

The Enterprise Edition as version 2.X.1 is released a few weeks after the corresponding major public release and contains necessary bug fixes. We already wrote about version 2.20.

Version 2.20.1 now fixes some minor bugs:

  • When using a PostgreSQL database the administrator can now filter for the data as expected.
  • During enrollment the default realm will be set as default in the UI.
  • Errors with PassOnNoUser and PassOnNoToken were fixed.
  • The genkey parameter during enrollment was consolidated.

The Enterprise Edition of the multi-factor authentication system privacyIDEA is meant for enterprises and organizations which need a reliable update process. It is available for Ubuntu 14.04LTS, Ubuntu 16.04LTS, CentOS7, RHEL7 and the Univention Corporate Server.