Today, on August 29th, 2018, privacyIDEA 2.23 is released. Packages are available in the public Launchpad repositories for Ubuntu 14.04LTS and 16.04LTS. The multi-factor authentication system privacyIDEA can also be installed via the Python Package Index on any other distribution.

Automated processes

Event Handlers were already added to privacyIDEA in version 2.12. They enable the administrator to connect any event to new actions like user notification, token management or any arbitrary script. If such an event occurs, the defined action is triggered.

With version 2.23 these actions can now be triggered before the original event is processed. We distinguish Post-Event-Handling and Pre-Event-Handling. E.g. the administrator can define that a user who has no token assigned and tries to authenticate gets a new token enrolled. This newly enrolled token is then used directly during this authentication request. The logon experience for the user is totally transparent. There is no additional effort for the administrator.

This way a lot of tasks, which would otherwise be done manually or called by a script, will be executed automatically at just the right moment within privacyIDEA. The administrator can thus cope with unforeseen scenarios and automate actions accordingly.

The Pre-Event-Handler enrolls a token for the user if the user has no token yet. This token is used in the very same authentication request.

Periodic tasks

In version 2.23 the administrator can define periodic, recurring tasks. These can also be used to gather information about or from the privacyIDEA system. Several modules (“Event Counter”, “Simple Statistics”) are used to define what should happen periodically.

E.g. using the Statistics Module the administrator can monitor the number of available (not assigned) hardware tokens. This is often important, so that the administrator knows when he needs to reorder new hardware tokens.

The Event Counter module records how often a certain event has occurred. A simple scenario is to record the number of failed authentication requests.

privacyIDEA saves all this information as time series. Using tools like Grafana you can plot these as relevant graphs.

Events, like authentication requests, can be recorded and viewed graphically in a timeline.

 

2FA for the masses

Two-Factor-Authentication is widespread. A lot of services offer 2FA to their end users. But it is not always possible to use hardware devices. Not every user has a smartphone. Sometimes users do not want to pass on their mobile number for SMS tokens due to privacy concerns. There is not one solution for all. This is the strength of privacyIDEA: you can mix and match a lot of different token types.

With version 2.23 you also get the TAN token. The administrator now can import existing TAN lists into privacyIDEA. This way you can easily add authentication to a huge number of users and you can smoothly migrate from an existing TAN solution to privacyIDEA.

More at Github

You can find the complete Changelog at Github.

In a few weeks the NetKnights GmbH will release privacyIDEA Enterprise Edition 2.23.1. In addition it will be available for RHEL/CentOS 7 and the Univention Corporate Server.

Today we released the version 2.22.1 of the privacyIDEA Enterprise Edition.

If you want to know more about the major changes from 2.21 to this version 2.22.1 please read our previous blog post.

Bug Fixes

In version 2.22.1 bugs in the Web UI and server have been fixed:

  • Login with Challenge Response tokens to the WebUI was improved.
  • The PIN, serial and username handling in the rollout and assignment was fixed.
  • Annoying output in the browser console was removed.
  • Added check for serial number present.
  • Fixed validation of OCRA and TiQR token.
  • Added retry to cope with HSM issues.
  • Fixed unicode in resolverconf database table with Oracle.

You can find a complete Changelog at GitHub.

About the privacyIDEA Enterprise Edition

The Enterprise Edition is released as version 2.X.1 a few weeks after the public release of version 2.X and contains necessary bug fixes.

The Enterprise Edition of the privacyIDEA Authentication System addresses companies and organizations that need a reliable and stable update process. It is available for Ubuntu 16.04LTS, CentOS7/RHEL7 and the Univention Corporate Server. It is also available as an Appliance that allows e.g. a simple setup of a master-master replication.

Please get in touch, if you want to learn more or if you want to test the Enterprise Edition.

Today we released the privacyIDEA Authenticator version 1.0. We fixed typos and added a German translation.

The privacyIDEA Authenticator is available via the Google Play Store.

About the privacyIDEA Authenticator

Using the privacyIDEA Authenticator the smartphones of your users become the factor of possession for a secure login. The privacyIDEA Authenticator creates one time passwords according to the HOTP or TOTP algorithms. It is compatible with the Google Authenticator. However, in conjunction with the privacyIDEA Authentication System the privacyIDEA Authenticator also allows for a secure enrollment process. Thus neither the user nor an attacker can simply copy the secret key of the app during the enrollment process.

In privacyIDEA 2.22 the flexibility of using arbitrary user attributes in the RADIUS protocol was heavily improved. But there are a lot of other features and enhancements. You can find the complete article at privacyidea.org.

The current version 2.21.4 of privacyIDEA Enterprise Edition is now available for Univention Corporate Server.

We already wrote about the new features in privacyIDEA 2.21 in a previous blog post. Now UCS users can also profit from these enhancements. privacyIDEA can be updated from version 2.20.1 to 2.21.4 easily from within the Appcenter.

Secure Rollout of Smartphones

privacyIDEA Authenticator

Using the smartphone and the privacyIDEA Authenticator App users can securely log in to e.g. the company’s VPN.

The most interesting feature of privacyIDEA 2.21.4 is the secure rollout of smartphones. During this process a part of the secret key is generated on the privacyIDEA server and the other part is generated on the privacyIDEA Authenticator App.

The privacyIDEA Authenticator App is currently available for Android phones via the Google Play Store.

You have questions? Ask us!

Today we released the stable version 2.21.1 of the privacyIDEA Enterprise Edition.

The Enterprise Edition as version 2.X.1 is released a few weeks after the corresponding major public release and contains necessary bug fixes. You can read about the features of version 2.21 like the secure smartphone enrollment in our previous blog post.

Version 2.21.1 fixes the following bug:

  • The LDAPS connection to the user directory like OpenLDAP or Active Directory only used TLS1.0. The administrator can now configure the user resolver to also use TLS1.1 or TLS1.2.

About the Enterprise Edition

The Enterprise Edition of the Multi-Factor-Authentication system privacyIDEA is meant for enterprises and organizations which need a reliable update process. It is available for Ubuntu 16.04LTS, CentOS7, RHEL7 and the Univention Corporate Server. In addition the Enterprise Edition contains an appliance that helps you quickly and easily set up a highly available master-master replication.

Please contact us if you have further questions, if you want to test the Enterprise Edition or want to book a workshop.

Today privacyIDEA 2.21 was released. Read about it on the privacyIDEA project page.

With privacyIDEA 2.21 it will be possible to enroll smartphone based tokens in a more secure manner and mitigate the threat of simply copying the QR code of the enrolled token. NetKnights still runs a beta test of a new smartphone app. You are welcome to join the beta test!

Also there are enhancements in the event handlers, the rotating of the audit log and the customization of the UI.

The version 2.21 is available via the Ubuntu repositories for 16.04LTS and 14.04LTS and the python package index as a community version.

The enterprise version 2.21.1 will be released in a few weeks. Just contact us for any questions.

The privacyIDEA Enterprise Edition version 2.20.1 is now available for Univention Corporate Server. You can install or update privacyIDEA 2.20.1 on the UCS easily from the Univention App Center.

Please note that the subscription handling was changed in privacyIDEA4UCS. You now no longer need a special license file but the common subscription file, which is used with the common privacyIDEA Enterprise Edition. Existing clients already received the new subscription file. If you are running tests in a demo environment, you can create your own demo subscription file for privacyIDEA4UCS.

OCRA, Display-TAN and Federation in privacyIDEA 2.20.1

We already posted about the common release of privacyIDEA version 2.20.1. Now also customers running privacyIDEA on UCS can use the awesome new features:

The new token types OCRA token and Display-TAN card are now supported. In contrast to classic authentication scenarios the OCRA token also allows the signing of transaction data. Using an OCRA token the user can testify that the data set he is sending is correct. The recipient can cryptographically verify that the received data is still valid and unmodified. This can be used in banking scenarios and other applications where data must not be modified.

A second main feature is the federation handler. This allows forwarding special authentication requests to other, subordinate privacyIDEA systems. This is interesting for federated organizations and infrastructures. Departments may run their own privacyIDEA systems. A central privacyIDEA system in the organization can then forward the authentication requests to the corresponding departments.

A complete changelog can be found here.

Get your personal subscription file for privacyIDEA4UCS!

We are happy to answer any of your questions!

 

Today we released the stable version 2.20.1 of the privacyIDEA Enterprise Edition.

The Enterprise Edition as version 2.X.1 is released a few weeks after the corresponding major public release and contains necessary bug fixes. We already wrote about version 2.20.

Version 2.20.1 now fixes some minor bugs:

  • When using PostgreSQL database the administrator can now filter for the data as expected.
  • During enrollment the default realm will be set as default in the UI.
  • Errors with PassOnNoUser and PassOnNoToken were fixed.
  • The genkey parameter during enrollment was consolidated.

The Enterprise Edition of the Multi-Factor-Authentication system privacyIDEA is meant for enterprises and organizations which need a reliable update process. It is available for Ubuntu 14.04LTS, Ubuntu 16.04LTS, CentOS7, RHEL7 and the Univention Corporate Server.

Today we released privacyIDEA 2.20. Packages are publicly available in the Launchpad repositories for Ubuntu 14.04LTS and 16.04LTS. You can also install the new version via the Python Package Index on any other distribution.

New Features in privacyIDEA

Federation-Handler

The new federation handler allows forwarding authentication requests to sibling privacyIDEA instances.

This way you can set up network structures where branches of an enterprise or sub-organizations can run their own privacyIDEA instance under their own control. Authentication requests will be handled by a central privacyIDEA instance and forwarded to the corresponding instance, where the user and the user’s tokens are managed.

This way business divisions, departments or subcontractors can manage the tokens of their own employees.

The federation handler also offers new possibilities and business models for service providers.

New token type OCRA and DisplayTAN

In version 2.20 we also added the basic token type OCRA and the special type DisplayTAN. The DisplayTAN is a hardware card which can communicate with a smartphone via Bluetooth LE. This way the OCRA challenge is sent to the card, the user can check the challenge data and the card will generate an OTP value as response.

OCRA is specified in RFC 6287. A common use case is signing bank transactions. This way a TAN (OTP value) can be generated in hardware, and this TAN totally depends on the transaction information. Thus privacyIDEA can be perfectly used to manage authentication and signing devices for banking scenarios. We already talked about this in a previous blog post.
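The dependency of the TAN on the transaction data can be shown with a small RFC 6287 implementation. This is an added example, not code from privacyIDEA or the DisplayTAN card; it handles only challenge-only suites (QN/QH), and the suite `OCRA-1:HOTP-SHA1-8:QH40`, the SHA-1 challenge derivation, the function names and the account string are assumptions made for illustration.

```python
import hashlib
import hmac

def ocra(key: bytes, suite: str, question: str) -> str:
    """RFC 6287 response for challenge-only suites (QN or QH, nothing else)."""
    _, crypto, data_input = suite.split(":")
    _, hash_name, digits = crypto.split("-")            # e.g. HOTP-SHA1-6
    if data_input[:2] not in ("QN", "QH") or "-" in data_input:
        raise ValueError("only plain QN/QH suites are handled in this example")
    if len(question) > int(data_input[2:]):
        raise ValueError("challenge longer than the suite allows")
    # QN: decimal challenge converted to hex digits; QH: already hex.
    q_hex = format(int(question), "X") if data_input[1] == "N" else question
    # The challenge is left-aligned and zero-padded on the right to 128 bytes.
    q_bytes = bytes.fromhex(q_hex.ljust(256, "0"))
    message = suite.encode() + b"\x00" + q_bytes
    mac = hmac.new(key, message, getattr(hashlib, hash_name.lower())).digest()
    offset = mac[-1] & 0x0F                              # HOTP dynamic truncation
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** int(digits)).zfill(int(digits))

# Assumption for this example: suite and challenge derivation are chosen here.
TX_SUITE = "OCRA-1:HOTP-SHA1-8:QH40"

def transaction_challenge(recipient: str, amount: str) -> str:
    """Bind the challenge to the transaction: SHA-1 over a canonical string."""
    return hashlib.sha1(f"{recipient}|{amount}".encode()).hexdigest()

def transaction_tan(key: bytes, recipient: str, amount: str) -> str:
    """Device side: TAN over the transaction data the user has checked."""
    return ocra(key, TX_SUITE, transaction_challenge(recipient, amount))

def verify_transaction(key: bytes, recipient: str, amount: str, tan: str) -> bool:
    """Server side: recompute from the data actually received, constant-time compare."""
    return hmac.compare_digest(transaction_tan(key, recipient, amount), tan)

if __name__ == "__main__":
    key = b"12345678901234567890"         # test key from RFC 6287, not a real secret
    account = "CONSTRUCTED-ACCOUNT-0001"  # constructed sample value
    tan = transaction_tan(key, account, "100.00")
    print("TAN:", tan)
    print("same data verifies:", verify_transaction(key, account, "100.00", tan))
    print("changed amount verifies:", verify_transaction(key, account, "900.00", tan))
```

A TAN computed for one amount fails verification when the server receives a different amount, which is the property that makes OCRA usable for transaction signing.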

Login with different login names

The LDAP resolver now allows a user to log in with different LDAP attributes. The administrator can specify the list of attributes which may be used as login names. This way a user can choose whether to log in with the sAMAccountName, the email address or a telephone number.

Authentication cache

The administrator can now define if and how long successful authentication should be cached. This way it is possible for a certain amount of time to authenticate with the very same OTP value again. Yes, this is not the original idea of OTP. But certain specific applications may need such a functionality. This behaviour is specified in an authentication policy, which can also depend on time and client IP.

More functions

Many policies now allow the use of resolvers in the policy definition. This way the administrator can define the behaviour of privacyIDEA depending on user groups in detail.

During the rollout process of smartphone tokens, privacyIDEA displays a QR code to the user. If the user suspects that the QR code may also have been seen by an attacker, he can now immediately regenerate the QR code.

All event handler definitions can now be ordered to your needs. This way the administrator can precisely define the behaviour and reaction of privacyIDEA.

The conditions of event handlers may now contain times and time deltas.

Challenge Response tokens can now be used to unlock the UI.

While installing Ubuntu packages, a PGP key pair is generated. The public PGP key can be easily used to encrypt the seed files before importing tokens.

You can find a complete changelog at Github.

Enterprise Edition and Consultancy

NetKnights provides consulting and support with the privacyIDEA Enterprise Edition. Using Open Source you optimize your total cost of ownership, since there are no external limitations which dictate how long or short you may use the software. With the privacyIDEA Enterprise Edition including an SLA you get the warranty and thus operational safety.

You want to stay tuned? Please subscribe to our newsletter!

You want to know more? Get in touch!