Posts

privacyIDEA Authenticator – the better smartphone factor

privacyIDEA Authenticator Smartphone App

The smartphone is our daily tool and the digital copy of our own identity. This is not the place to discuss the social implications. We just state the fact.

The Smartphone as the second factor

Due to this fact many organisations and companies like to use smartphones for a security improved authentication process. The smartphone is “always” with the user and is the device, that is accepted by the user. Using applications like Google Authenticator the smartphone is supposed to become the second factor for authentication. Although the smartphone is obviously not as secure as a dedicated hardware token, the privacyIDEA Authentication System has supported smartphones as  a possible second factor right from the start.

But taking a look at a smartphone app like the Google Authenticator there are some security issues. We discussed this in detail in a previous blog post. The problems with the rollout process using the Key URI defined for the Google Authenticator, finally made us develop our own privacyIDEA Authenticator. As an Open Source company we use the Github-Repository to transparently develop the privacyIDEA Authenticator app.

Secure enrollment

The first and most important feature from the long feature list is securing the enrollment process. To do so, the privacyIDEA Authenticator allows to generate one key component on the smartphone itself and another key component on the privacyIDEA Server. The final OTP seed / key is generated from both components.

This way we avoid the easy cloning of the secret OTP seed during the enrollment process. By cloning the OTP seed users were easily able to create undistinguishable copies of the OTP token and thus making the smartphone as a second factor to identify the user useless. Using the privacyIDEA Authenticator you will be able to leave this problem behind.

Beta testing

The privacyIDEA Authenticator app is backward compatible with Google Authenticator and FreeOTP. Its full potential will be unleashed with the privacyIDEA Server starting with version 2.21. Starting with this version the mentioned two-step-enrollment is supported.

The privacyIDEA Authenticator app is available in a controlled beta state. privacyIDEA 2.21 will be available this month. Using the Python Package Index or the developer PPA repository for Ubuntu 14.04LTS or 16.04LTS you can already install the release candidate of the server.

Install using the Python Package Indes:

pip install privacyidea==2.21dev2

Or install using the PPA respository:

add-apt-repository ppa:privacyidea/privacyidea-dev

You can get more information about the installation in the online documentation.

If you want to test the privacyIDEA Authenticator app you are welcome to drop us a note. We will add you to the beta test. You have the possibility to influence the development of the app. The privacyIDEA Authenticator is currently available for Android. The installation during the beta tests is done via the Google play store. Thus you do not need to change any settings of your smartphone.

Get in touch to be part of the beta test!

privacyIDEA 2.19 – Performance, U2F and secure Smartphone Apps

Today we released privacyIDEA 2.19. Packages are available in the Launchpad-Repos for Ubuntu 14.04LTS and 16.04LTS. You can also install privacyIDEA on any Linux distribution using the python package index.

New Features in privacyIDEA

Authentication performance

privacyIDEA 2.19 is up to 72% faster!

In tests in the lab privacyIDEA 2.19 shows improved performance. Authentication requests are up to 72% faster than in the previous version. This is also due to a new generic user cache. This user cache stores the link between login name and user object in the local SQL database. Thus time consuming requests to the originial user store like LDAP servers or Active Directory get obsolete.

Filter U2F devices for the users

Using policies the administrator can define which type of U2F device the user is allowed to register. In further policies the administrator can also define, which U2F types the users can use to authenticate at certain applications. This way the usage of certain U2F devices can be denied in your company or certain devices from specific vendors can be required for login to sensitive systems.

Secure smartphone apps with privacyIDEA

The classical smartphone app enrollment comes with several problems, which privacyIDEA 2.19 can solve.

In a previous blog post we already pointed out the limitations of the usual smartphone enrollment with the Google Authenticator.  As a company or large organization you want to keep control over the enrollment processes of your users. Thus in version 2.19 of privacyIDEA a better rollout possibility was added. The smartphone and the privacyIDEA server do a mutual key generation. Both create a component, the secret key is generated from both components. This avoids easy copying of the QR-Codes.

Read more details in the privacyIDEA Blog.

More functions

Version 2.19 comes with further detail improvements like using the IP address or the browser user agent in the event handler framework. The date and timeformat was consolidated. Now the complete ISO date with timezone is saved to the database. This heavily eases working across timezones in international setups.

You may want to take a look at the complete Changelog.

Enterprise Edition and Consultancy

NetKnights provides consulting and support with the privacyIDEA Enterprise Edition. Using Open Source you optimize your total cost of ownership this way, that there are no external limitations which dictate how long or short your may use the software. Getting the privacyIDEA Enterprise Edition including an SLA you get the warranty and thus operating safety.

 

You want to stay tuned? Please subscribe to our newsletter!

You want to test the system yourself? Register for a test instance!

You want to know more? Get in touch!