Two-Factor Authentication at the Windows Desktop – Offline

, ,

privacyIDEA Credential Provider Version 3.0 available

As of today the new version 3.0 of the privacyIDEA Credential Provider is available. The privacyIDEA Credential Provider allows users to securely log on to a Windows desktop or terminal server with a second factor. The user can use a smartphone app, a one-time password token, Yubikeys or Nitrokeys. Alternatively, the authentication backend sends the user an email or SMS with a one-time code for the login.

Neu in Version 3.0

The Credential Provider was completely revised in version 3.0 in C++. The new code structure now allows easier customization and faster release cycles.

In version 3.0 the following functions have been added:

Easy Push Authentication

Since version 3, the privacyIDEA backend supports authentication via push tokens, where the user only has to confirm the login by clicking on his smartphone. Now the push authentication is also seamlessly integrated in the credential provider for logging on to the Windows Desktop.

Realm-Mapping for complex scenarios

If users need to log on to multiple domains or multiple realms are managed in privacyIDEA, this is no longer a problem with the new credential provider. In the new version, the administrator can define a flexible mapping from Windows domains to privacyIDEA realms.

Offline: Failsafe and mobile users

The privacyIDEA Credential Provider now supports logon with HOTP tokens when the privacyIDEA server is not reachable. This is useful if the user wants to log on to his notebook with a smartphone HOTP token or with a Yubikey while on the road.

In order to be able to deal with network failures in critical scenarios, the administrator can now also define a privileged account with which the user can log on without authentication against privacyIDEA.

Download

The privacyIDEA Credential Provider is available for download for registered customers. Interested users can evaluate the software in an extensive test phase. Please contact us to obtain a demo version.

About the privacyIDEA Credential Provider

The Credential Provider is installed on Windows client or server systems. During logon, it asks the user for a second factor in addition to the Windows password.

The authentication is carried out against the privacyIDEA backend, in which the administrator manages all user tokens at a central location on Premises.

The administrator can completely customize the appearance of the privacyIDEA Credential Provider to the corporate design. Logos and texts can be adapted according to the corporate design.
The privacyIDEA Credential Provider integrates seamlessly into the existing Windows landscape. It supports Network Level Authentication (NLA), User Access Control (UAC) and Over-The-Shoulder (OTS). The password can be changed both during logon and while unlocking a session.
privacyIDEA Credential Provider is available as a signed MSI package. Companies can thus easily install the software on Windows 8, Windows 10, Server 2012, 2016 and 2019 via their preferred software distribution system.
By authenticating against the privacyIDEA backend, which is available under an open source license and is also operated in the company’s own network, companies not only have freedom of choice when it comes to using the second factors, but also have full control over the entire logon process at all times.

/by

privacyIDEA 3.3 allows central management of WebAuthn tokens

, ,

Kassel, April 6th, 2020 – Open source security specialist NetKnights has released a new version of its multi-factor authentication software privacyIDEA. The new version allows organizations to centrally manage users’ WebAuthn tokens in privacyIDEA, making modern authentication technologies available to the enterprise. A new event handler module will also allow individual connection to central logging systems such as Logstash or Splunk. privacyIDEA 3.3 is now available via the Python Package Index and in repositories for Ubuntu LTS.

WebAuthn as a new authentication method

An important new feature in privacyIDEA 3.3 is support for the WebAuthn protocol. This has been specified by the World Wide Web Consortium (W3C) as a global standard for web-based authentication. privacyIDEA is thus future-proof and will continue to offer the highest flexibility in the selection of modern authentication devices from the Yubikey security token to fingerprints on a smartphone and crypto chips in notebooks.

Users of privacyIDEA can thus achieve a step-by-step modernization of their two-factor authentication by using “old” methods such as SMS, OTP hardware tokens or smartphone apps in parallel with modern methods such as Yubikey, U2F or even WebAuthn, and by gradually replacing them.

Event Handler sends information to Log systems

A great strength of privacyIDEA are the event handlers, with which the administrator can link new actions to events. Version 3.3 offers a new event handler module to forward messages to a central logging system on an event-driven basis. This allows the administrator to store freely definable log information locally and to send it to central logging services for further processing. The developers present the integration using Logstash as an example in the privacyIDEA Community Blog.

New token type for individual rollout scenarios

The IndexedSecret Token is a special type of token that allows users to log on based on existing secret information. This can be particularly useful in complex rollout scenarios.

 

The developers have also optimized and extended the WebUI in several places. The detail view of the policies has been revised to make complex definitions clearer for the administrator. The administrator can now distinguish more precisely between the authorizations of individual administrative users. This is especially useful in larger installations with many administrators or helpdesk employees.

A complete list of changes can be found in the changelog at Github.

Availability

The new version 3.3 of privacyIDEA is now available in the community repositories for Ubuntu 16.04 and 18.04. In addition, NetKnights GmbH offers an Enterprise Edition with support for Ubuntu LTS and RHEL/CentOS and performs custom development for special usage scenarios.

 

Visit our Blog.

Subscribe to our newsletter.

Read the release article at privacyIDEA.org.

/by

privacyIDEA at Chemnitzer Linux Tage 2020

,

Once again, privacyIDEA will be at the Chemnitzer Linux Tage, CLT2020. This time Cornelius Kölbel will talk about two-factor authentication (2FA) in the Single Sign-On (SSO) context.

Talk: Sunday, 17:00 , Room V4

A short paper motivates the use of dedicated 2FA systems as opposed to application-integrated 2FA management. PrivacyIDEA Enterprise Edition represents a professional dedicated 2FA solution and can be used in all types of company networks.

For IT administration, SSO is both an opportunity and a risk. Although users and passwords are managed transparently at a single source, a loss of credentials also means greater damage. A mandatory second factor helps to increase the level of security.

The presentation will show that the system consisting of Keycloak and privacyIDEA forming a 2-factor-enabled identity provider is a solid basis for the secure integration of any SSO-enabled application. One which can also be easily managed and extended.

/by

privacyIDEA at Southern California Linux Expo – SCaLE 18X

,

privacyIDEA is an enterprise ready multi factor solution, that competes with commercial products like RSA SecurID, Vasco or SafeNet to name a few. It is used all over the world by small groups, organizations, companies and enterprises. This is why we also try to talk about privacyIDEA all over the world. To tell IT professionals who have not heart of privacyIDEA about this free (as in free speech) solution and to update users who know privacyIDEA about the latest features. Thus privacyIDEA will be at the Southern California Linux Expo (short: SCaLE 18X) in March 2020.

Talk about migrating to privacyIDEA

Cornelius Kölbel will be giving a talk in the Secuity track on March 8th, 3pm – 4pm. The talk will be about the development of the two factor auth market. Different authentication mechanism where introduced, products came and went end-of-life. Solutions being the top choice a few years ago could be dead tomorrow.

This talk will show how privacyIDEA can help you keeping a steady course in these troubled waters. Migrating to privacyIDEA easily and keeping the system running and adapting to new developments at the same time.

You can read more about challenges with mergers and akquisitions in our previous blog post.

/by

Login at ownCloud using Push notification

,

Using the privacyIDEA ownCloud App users can now login to ownCloud receiving a Push notification on their smartphone. The user logs in to the ownCloud web interface using his username and password. He then receives a push notification on his smartphone. Only after accepting this notification the user is finally logged in to ownCloud.

privacyIDEA ownCloud App in the market place

NetKnights published the privacyIDEA ownCloud App in version 2.6 in the ownCloud market place. Users can now login with a Push notification as second factor to ownCloud.

To achieve this the privacyIDEA server version 3.2 must be installed in the background. Push notifications are sent to smartphones running the privacyIDEA Authenticator App.

Messages between the privacyIDEA server and the smartphone app are digitally signed. This way evesdroppers can not manipulate the communication or run replay attacks.

Get in touch, if you want to add secure login to your company using flexible two factor authentication with privacyIDEA.

/by

Two-Factor-System privacyIDEA 3.2 offers fully customizable authentication workflows

, ,

Kassel, December 2nd, 2019. The open source security specialist NetKnights has released a new version of the multi-factor authentication software “privacyIDEA”. It offers new possibilities to adapt the authentication system by flexible configuration and to integrate it into one’s own workflows.

With version 3.2 of privacyIDEA, the administrator receives two new event handler modules to define rules that can modify both HTTP requests and HTTP responses of the REST API as required. This allows workflows to be highly customized. It is now possible to easily forward audit information to external log management tools such as Splunk or Logstash and process it there. The authentication at the REST-API has been extended so that a robust integration into any other application can be implemented.

privacyIDEA is now available via the Python Package Index and in repositories for Ubuntu LTS.

Two new Event-Handler-Modules improve flexibility

Up to now, the event handler framework had token, script, federation, and statistics handlers in addition to notifications. The request handler and the response handler are now two additional, very flexible modules. These enable the administrator to define rules that change parameters of REST request to privacyIDEA and also the values in the response at will, depending on definable conditions.

The behavior of privacyIDEA can thus be adapted extremely flexibly. Closest application cases are, for example, the secure resetting of passwords, special rollout scenarios or individual authentication rules. The system can thus be adapted to different user requirements and the behaviour and fit into already existing processes.

Audit-Data at your fingertip

privacyIDEA writes log data: Who did what, how and when – including success or failure and additional information – into an internal, structured SQL audit module. From version 3.2 the administrator can also facilitate a file audit module. Its entries can now be easily imported into any log management system such as Splunk or Logstash. This enables companies to correlate events – also from privacyIDEA – and to identify and process problems more easily.

Integrate any privacyIDEA function into your own portals

Via the REST-API privacyIDEA can already be integrated into the portals of a user, for example into a browser-based self-service or internal, existing management portal.

This has become considerably easier with version 3.2 through the use of trusted JSON Web Tokens in privacyIDEA. Any token management function can also be integrated into other applications, which should be particularly interesting for in-house developments. However, it remains the responsibility of the privacyIDEA administrator to grant or withdraw all rights centrally in privacyIDEA.

Many further enhancements

Also the policies, which generally control the behavior of privacyIDEA, were extended. The administrator can now use any HTTP header as a condition for the respective policy.

Event handlers can also use the requesting HTTP client or the rollout state of a token as a condition.

In addition to notification by e-mail and SMS, the notification handler now also contains the option of simply writing messages to files in a spool directory.

The behavior of the PUSH token has also been improved. The authentication process is now designed to integrate more easily with other applications.

In total there were more than 25 extensions and six bug fixes. A complete list of the changes can be found in the changelog at Github.

Install or update privacyIDEA

privacyIDEA 3.2 is now available via the public repositories for Ubuntu 16.04 and 18.04. The software can also be installed on any distribution via the Python Package Index. Enterprise releases for Ubuntu LTS and RHEL/CentOS will follow shortly.

Visit our Blog.

Abonnieren Sie unseren Newsletter.

Lesen Sie die Mitteilung auf privacyIDEA.org.

/by

privacyIDEA Authenticator App with Push for iOS

In combination with privacyIDEA 3.1, the privacyIDEA Authenticator App supports the authentication by using a Push-Token.

The Push-Token

When logging on to e.g. a website, the privacyIDEA backend sends a  cryptographically secured challenge to the user’s smartphone.
The user simply has to confirm the login request on his smartphone. In the background, the smartphone then signs the challenges and sends it back to privacyIDEA. The signature ensures that really this very user has  confirmed the login request.

The user is logged in automatically.

The privacyIDEA Authenticator on iOS

The privacyIDEA Authenticator with the Push functionality is now available for iOS in the Apple App Store.

In addition the privacyIDEA Backend supports a lot of different token types like software-tokens and hardware-tokens, Yubikeys, Nitrokeys and other possibilities. If you want to secure your login in your company with a 2nd factor, please get in touch!

/by

privacyIDEA Enterprise Edition 3.1.1 available

Last week the version 3.1.1 of privacyIDEA was released.
Compared to version 3.1 it fixes a problem in the audit log that the serial numbers
the token was not saved to the audit log.

privacyIDEA 3.1.1 is available via the usual repositories, in the Python Package Index and in the community repositories for Ubuntu.

For enterprise customers privacyIDEA 3.1.1 is also available in the enterprise repositories for Ubuntu,
CentOS/Red Hat Enterprise Linux and the Univention Corporate Server.

You can get more information about the privacyIDEA Enterprise Edition.

/by

privacyIDEA 3.1 released

, ,

NetKnights improves adjustability

Kassel, September 4th 2019. The open source security specialist NetKnights has updated and significantly enhanced its multi-factor authentication software “privacyIDEA”. The new version offers more flexibility to define the rights of users – and administrators – more granularly. The migration of proprietary and legacy systems is significantly simplified.

With the version 3.1 of privacyIDEA it is possible to bind the guidelines for user rights to any user parameters, for example LDAP attributes. In addition, an automatic reassignment of already used tokens eases the migration of other 2FA systems once again significantly. The “old” token PIN of a user can also be automatically adopted without the intervention of the IT department.

More flexibility in the definition of policies

With privacyIDEA, the administrator can now define policies dependent on any attributes. Which attributes these are is defined in extensible modules; in version 3.1 the user module is included. That means, the administrator does not have to bind the policies as before to a complete user source, but can generate a different behavior within a user source and/or user group dependent on the respective LDAP attribute of a user by the policies. For example, a company can enforce that users with access to more sensitive data can only log on with a secure token type, or that users who do not have an e-mail address, for example, are denied certain functions.

At the same time, the new privacyIDEA further expands the separation of special read rights for administrators. The policies can be used to define which administrators or helpdesk staff are allowed to read some configurations or not. The administrators’ read rights on tokens have also been refined. They only have access to the keys assigned to them. This makes it even easier to map client scenarios.

Easier migration through automatic token assignment

privacyIDEA allows a smooth migration of proprietary legacy or 2FA systems. This is relevant when manufacturers stop the development of proprietary systems (“end-of-life”) or products no longer meet the requirements of users.

After the seed files of the old system tokens have been imported into privacyIDEA, the system can immediately assign the tokens to the user in privcayIDEA during the login attempt. At the same time privacyIDEA can set the old Token PIN automatically, without an employee from the IT or the user having to become active for this.

Many additional extensions

The RADIUS Token now supports Challenge-Response. The push token functionality has been enhanced. For example, an authentication request can wait with the response until the push message is confirmed. This facilitates the integration of the privacyIDEA push token into third-party products.

The TiQR token has been extended by several functions that make it more convenient to use. The function of the TiQR token is comparable to that of a push token. However, the challenge is not sent via the push service of a third-party manufacturer, but via a QR code that the user scans. 

The administrator can define a welcome message for the users in the privacyIDEA graphical user interface in order to guide new users better through the rollout process.

Email notifications can now include a variety of new placeholders to better customize the message to the situation. 

The privacyIDEA server can force a token in the privacyIDEA Authenticator App to be protected with a PIN.

Event handler events can now also be connected to the WebUI login.

 

A complete list of the changes can be found in the changelog at Github.

 

Availability

privacyIDEA 3.1 is now available via the public repositories for Ubuntu 16.04 and 18.04. The software can also be installed on any distribution using the Python Package Index.

/by

Consolidation of the market and migrations

IT security is on everyone’s lips today. But everyone understands something different about it: Pen-tests; secure coding or exploits; antivirus, antispam; data protection; still firewalls; security consulting; identity management; authentication. The subject of IT security is a broad spectrum. And that’s why everyone is also concerned with “IT security”. We deal with the special field of secure or strong authentication – multi-factor authentication.

The status quo of proprietary software and the market

IT security companies are often very specialized and therefore rather small companies. A few years ago this was even more true. Many important players in the market had fewer than a few hundred employees worldwide.

But because everyone was talking about IT security, the topic and thus these companies also became more attractive for larger companies and the merry-go-round of mergers and acquisitions picked up speed. Who still does know  Safeword Tokens? Secure Computing, Aladdin, SafeNet, Gemalto, Thales gave and give themselves a lively change of company names and product labels. Aladdin, SafeNet and Gemalto once had their own smartcard products and portfolios. These have now finally merged into Gemalto. 

In a merger, the company also grows its product portfolio. It is like after Christmas – new toys are coming, old ones have to leave the children’s room! And like this the grown company will also clean up its product portfolio. Products like SafeWord 2008, SAM Express and this year SafeNet Authentication Manager (the OTP part) will go end-of-life.

Death in a proprietary world

In the case of proprietary software, end-of-life often means the end of the software. If the manufacturer has licensed the software on a per-user basis, it is not possible for you as a customer to purchase even one additional user license for this software after End-of-Life! If you want to roll out second factors for new users in your company after the End-of-Life, then this is no longer possible. You have only licensed 1000 users? The 1000-and-first user can no longer receive a 2FA token in the old system! License exceeded!

Not only because of the missing support and the missing further development – No, even because of the missing functionality you are forced to migrate away from your existing system.

Manufacturers often offer supposedly attractive migration paths to the other proprietary product in their portfolio. But you know that migrations are expensive and time-consuming.

Pain point: Multi-Factor-Authentication

The migration of a multi-factor system comes with unwanted pain factors. Two-factor authentication usually means the combination of knowledge and some ownership. The ownership factor (Hardware token or a registered smartphone app…) is bound to the backend and simultaneously distributed to the user. Distributed in the field. Worldwide.

In extreme cases, the migration of an ownership factor can mean that the ownership factors distributed out there have to be collected and new ownership factors distributed.

Depending on the number of users, the structure of your company, the workflow of the users, this can be a lengthy, expensive and painful process – even if the new product comes from the same vendor. (It doesn’t come from the same manufacturer, but only from the same portfolio after the merger!)

privacyIDEA

Our employees have been working in the field of two-factor or multi-factor authentication since 2004 and therefore understand the pain of our customers. We have integrated this experience into privacyIDEA.

Already for some time privacyIDEA provides you with a smooth migration. Without any time pressure you run privacyIDEA and your old software in parallel, without the user having to notice anything about it. Step by step you roll out new tokens within privacyIDEA.

With the upcoming version 3.1 it will also be possible to import the seeds of old, existing tokens into privacyIDEA and automatically assign the tokens to the users and set the old token PIN automatically. No need to re-enroll tokens. Nothing to do for the users, minimal effort for the IT.

Many customers, such as Klinikum Hanau, already rely on privacyIDEA and have successfully migrated to privacyIDEA.

Look at the future

And if you want to migrate away from privacyIDEA? Why?

privacyIDEA is Open Source. With privacyIDEA you never meet the fate that you cannot roll out the 1000-and-first user. privacyIDEA is running. Will be running. Forever.

Invest in your future! Invest in Open Source! Invest in privacyIDEA!

/by