Offline logon with one-time passwords always poses the same problem: either the
symmetric key or a stock of precomputed credentials must be made available on
the system that is to go offline. In version 3.7 of privacyIDEA, Kassel-based
security vendor NetKnights has now made the mechanism by which the notebook
refills its offline credentials much more robust.
Sensitive data in privacyIDEA has always been stored encrypted in the database.
With version 3.7, it has now become even easier to securely protect the
encryption key using a hardware security module.
Reliable offline logon with notebooks
In conjunction with the existing privacyIDEA Credential Provider, the administrator
can now define which token of a user can be used to log on to a notebook.
This lets the user log in to the notebook with the second factor even when
the notebook is offline and cannot reach the privacyIDEA server.
It has also become easier for the administrator to make the second factor available
to the user for the offline function. In addition, the functionality that
automatically refills the offline credentials has been redesigned so that the refill
can take place over any network connection the notebook happens to have.
This makes offline operation more robust.
In conjunction with the privacyIDEA Credential Provider, Yubikeys and HOTP tokens
(hardware or smartphone apps) can be used for offline logon to notebooks.
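To make the refill mechanism described above concrete, here is an added Python model of a notebook-side credential stock; it is not privacyIDEA's code or its on-disk format, and the class names, stock size and refill threshold are assumptions. The server keeps the HOTP secret and advances its counter for every value it hands out, the notebook stores only salted hashes, consumes each used counter together with all lower ones, and refills whenever it has a connection.

```python
import hashlib, hmac, secrets, struct

def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def hash_otp(otp: str, salt: bytes) -> bytes:
    # The notebook stores only salted, slow hashes of the OTPs, never the HOTP secret.
    # Caveat: a 6-digit OTP has 10^6 candidates, so this only raises the cost of guessing.
    return hashlib.pbkdf2_hmac("sha256", otp.encode(), salt, 10_000)

class Server:
    """Holds the HOTP secret and the authoritative counter (constructed stand-in)."""
    def __init__(self, key: bytes):
        self.key, self.counter = key, 0

    def issue(self, count: int, salt: bytes) -> dict:
        # Hand out the next `count` counters and advance past them, so a counter
        # given to the notebook can never be accepted for an online logon later.
        start, self.counter = self.counter, self.counter + count
        return {c: hash_otp(hotp(self.key, c), salt) for c in range(start, start + count)}

class Notebook:
    """Keeps a stock of hashed OTPs for offline logon (constructed model)."""
    REFILL_BELOW = 3  # refill when the stock drops below this and any connection exists
    def __init__(self, server: Server, stock_size: int = 5):
        self.server, self.stock_size = server, stock_size
        self.salt = secrets.token_bytes(16)
        self.stock = server.issue(stock_size, self.salt)

    def login(self, otp: str) -> bool:
        candidate = hash_otp(otp, self.salt)
        for counter in sorted(self.stock):
            if hmac.compare_digest(self.stock[counter], candidate):
                # Consume this and every lower counter so a replayed or older OTP fails.
                self.stock = {c: h for c, h in self.stock.items() if c > counter}
                return True
        return False

    def refill(self) -> int:
        # Called whenever the notebook has any connection to the server; returns entries added.
        if len(self.stock) >= self.REFILL_BELOW:
            return 0
        missing = self.stock_size - len(self.stock)
        self.stock.update(self.server.issue(missing, self.salt))
        return missing
```

Because the server advances its counter when issuing, an OTP in the notebook's stock is accepted offline exactly once and never again online.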
privacyIDEA 3.7 now offers a new way to make the rollout process of HOTP, TOTP, SMS
and email tokens more reliable. In the past, it could happen that users forgot to
scan the QR code during the rollout. By policy, the administrator can now control
that when the QR code is displayed to the user, privacyIDEA will prompt the user
to enter a valid OTP value. Only then does privacyIDEA consider the token
successfully rolled out.
This allows the IT department to avoid tokens that have been rolled out but cannot be used.
Especially in installations with large numbers of users, this user error
could lead to problems in the past. The IT department can thus reduce support
effort in the future.
Securely protect key material with hardware security module
privacyIDEA has always stored sensitive information encrypted in the database.
The administrator could previously put the encryption key on disk or in a
hardware security module (HSM).
Keeping the encryption key in a file on disk is simple and fast, but less secure.
Keeping it in the HSM is very secure, but also costly and slower.
privacyIDEA 3.7 now offers the admin a third way to secure the encryption key.
With the new, third variant, the encryption key is decrypted once at system startup
in the HSM and then kept in memory. This allows a reasonable compromise between security and speed.
Thus, even with a limited budget, companies can use simple hardware such as a
YubiHSM or Yubikey to better secure the encryption key with an HSM and increase
their overall security.
You can find all other enhancements and fixes in the changelog on GitHub.
At the same place, all components of privacyIDEA are developed as
open source software under the AGPLv3.
The new version 3.7 of privacyIDEA is now available via the Python Package Index
and in the community repositories for Ubuntu 16.04, 18.04 and 20.04.
Additionally, NetKnights GmbH offers the Enterprise Edition with
support for Ubuntu LTS, RHEL/CentOS and an appliance tool and performs
custom development for special requirements.