ownCloud and privacyIDEA
With ownCloud 9.1 a new authentication framework for two factor authentication provider was introduced.
We implemented the privacyIDEA ownCloud App which connects ownCloud with privacyIDEA. This way you are able to use many different kinds of authentication devices like smartphones, key fob tokens, Smartdisplayer cards, Yubikeys for your users to authenticate at ownCloud. In addition users can use the very same centrally managed token to authenticate at other services like your VPN, Windows Desktop or SSH.
This is a big improvement for your enterprise environment in contrast to only managing second factors within ownCloud.
ownCloud developers have done a great job on providing this 2FA API. Nevertheless while implementing the first external provider (the privacyIDEA ownCloud App) we realized some shortcomings of the API.
Working togeather with ownCloud to improve the Two Factor integration
I was able to work closely togeather with the ownCloud security specialist and the developers to discuss ideas and a strategy for improvements. Thanks a lot for this open mind and the time! We all (ownCloud and NetKnights) are eager to further improve the security and possible integration scenarios of ownCloud.
More information to the user
One idea was to improve the communication with an authentication backend like privacyIDEA. The current implementation only allowed to show “Authentication failed!” in case of an error. But using an external authentication system it sometimes can proove useful to display more information to the user, since authenticating with two factors is a more complex and error prone process. Also on the user side. Furthermore, displaying more information can be necessary when it comes to scenarios like challenge response.
Anyway, this resulted in an improvement of the 2FA API and a pull request to the ownCloud github repository which is planned to be contained in the next ownCloud release 9.2. This way the privacyIDEA ownCloud App can display additional information like “privacyIDEA Server down”, “Internal privacyIDEA Error”, “Wrong OTP value”… Thus the user could fix his problem (by using the correct token or flipping the token upside down…) instead of calling the helpdesk and causing additional costs.
Emails and SMS
Another topic, that was discussed, is the support for external challenge response like SMS, Email or TiQR tokens. While this is still work in progress the discussion showed, that great and sensible solutions and integrations can be achieved when combining ownCloud with privacyIDEA.
Secure your own data, your ownCloud with 2nd factor authentication under your control!