Posts

Two factor authentication for thousands of users

,

If a company or an organization wants to provide two factor authentication for thousands of users they are faced with totally new challenges.

Users will not come to the administrators desk. The administrator will not enroll a hardware token or initialize the user’s smartphone with the Google Authenticator on a per user basis. There are so many users, that the administrators or helpdesk users do not even know all the end users anymore. There must be a solution, that the enrollment process itself hands the authentication object to the user and ensures the identity of the user – preferably automatically!

Users might be spread over cities, countries – worldwide. They are ordinary end users and often not computer savvy. The rollout and the usage of two factor authentication should bother neither the end user nor the IT department too much.

Read more

/by

privacyIDEA Enterprise Edition 2.21.1

,

Today we released the stable version 2.21.1 of the privacyIDEA Enterprise Edition.

The Enterprise Edition as version 2.X.1 is released a few weeks after the corresponding major public release and contains necessary bug fixes. You can read about the features of version 2.21 like the secure smartphone enrollment in our previous blog post.

Version 2.21.1 fixes the following bug:

  • The LDAPS connection to the user directory like OpenLDAP or Active Directory only used TLS1.0. The administrator can now configure the user resolver to also use TLS1.1 or TLS1.2.

About the Enterprise Edition

The Enterprise Edition of the Multi-Factor-Authentication system privacyIDEA is ment for enterprises and organizations, which need a reliable update process. It is available for Ubuntu 16.04LTS, CentOS7, RHEL7 and the Univention Corporate Server. In addition the enterprise edition contains an appliance that helps you quickly and easily set up a high available master-master replication.

Please contact us if you have further questions, if you want to test the enterprise edtion or want to book a workshop.

/by

Transaction signature and federated authentication with privacyIDEA4UCS 2.20.1

,

The privacyIDEA Enterprise Edition version 2.20.1 is now available for Univention Corporate Server. You can install or update privacyIDEA 2.20.1 on the UCS easily from the Univention App Center.

Please note that the subscription handling was changed in privacyIDEA4UCS. You now no longer need a special license file but the common subscription file, which is used with the common privacyIDEA Enterprise Edition. Existing clients already received the new subscription file. If you are running tests in a demo environment, you can create your own demo subscription file for privacyIDEA4UCS.

OCRA, Display-TAN and Federation in privacyIDEA 2.20.1

We already posted about the common release of privacyIDEA version 2.20.1. Now also customers running privacyIDEA on UCS can use the awesome new features:

New token types OCRA token and the Display-TAN card are not supported. In contrast to classic authentication scenarios the OCRA token also allows the signing of transaction data. Using an OCRA token the user can testify, that the data set he is sending is correct. The recepient can cryptographically verify, that the received data is still valid and unmodified. This can be used in banking scenarios and other applications, where data must not be modified.

A second main feature is the federation handler. This allows to forward special authentication requests to other, subordinate privacyIDEA systems. This is interesting for federated organizations and infrastructures. Departments may run their own privacyIDEA systems. A central privacyIDEA system in the orgnization can then forward the authentication requests to the corresponding departments.

A complete changelog can be found here.

Get your personal subscription file for privacyIDEA4UCS!

We are happy to answer any of your questions!

 

/by

Federated authentication with privacyIDEA 2.20

,

Today we released privacyIDEA 2.20. Packages are publically available in the Laundpad repositories for Ubuntu 14.04LTS and 16.04LTS. You can also install the new version via the Python Package Index on any other distribution.

New Features in privacyIDEA

Federation-Handler

The new federation handler allows to forward authentication requests to sibling privacyIDEA instances.

This way you can setup network structures, where brances of an enterprise or sub organizations can run their own privacyIDEA instance under their own control. Authentication requests will be handled by a central privacyIDEA instance and forwarded to the corresponding instance, where the user and the user’s tokens are managed.

This way business devisions, departments or sub contractors can manage the tokens of their own employees.

The federation handler also offers new possibilities and business models for service providers.

New token type OCRA and DisplayTAN

In version 2.20 we also added the basic token type OCRA and the special type DisplayTAN. The DisplayTAN is a hardware card, which can communitcate with a smartphone via Bluetooth LE. This way the OCRA challenge is sent to the card, the user can check the challenge data and the card will generate an OTP value as response.

OCRA is specified in RFC 6287. A common use case is signing bank transactions. This way a TAN (OTP value) can be generated in hardware, and this TAN totally depends on the transaction information. Thus privacyIDEA can be perfectly used to manage authentication and signing devices for banking scenarios. We already talked about this in a previous blog post.

Login with different login names

The LDAP resolver now allows that a user can login with different LDAP attributes. The administrator can specify the list of attributes, which may be used as login names. This way an user can choose if he will login with the sAMAccountNAme, the email address or a telephone number.

Authentication cache

The administrator can now define if and how long succesful authentication should be cached. This way it is possible for a certain amount of time to authenticate with the very same OTP value again. Yes, this is not the original idea of OTP. But certain specific applications may need such a functionality. This behaviour is specified in an authentication policy, which can also depend on time and client IP.

More functions

Many policies now allow to use resolvers in the policy definition. This way the administrator can define the behaviour of privacyIDEA depending on user groups in detail.

During the rollout process of smartphone tokens, privacyIDEA display a QR-Code to the user. If the user is in doubt, that the QR-Code may be also seen by an attacker, he can now immediately regenerate the QR-Code.

All event handler definitions can now be ordered to your needs. This way the administrator can precisely define the behaviour and reaction of privacyIDEA.

The conditions of event handlers may now contain times and time deltas.

Challenge Response tokens can now be used to unlock the UI.

While installing Ubuntu packages, a PGP key pair is generated. The public PGP key can be easily used to encrypt the seed files before importing tokens.

You can find a complete changelog at Github.

Enterprise Edition and Consultancy

NetKnights provides consulting and support with the privacyIDEA Enterprise Edition. Using Open Source you optimize your total cost of ownership this way, that there are no external limitations which dictate how long or short your may use the software. Getting the privacyIDEA Enterprise Edition including an SLA you get the warranty and thus operating safety.

You want to stay tuned? Please subscribe to our newsletter!

You want to know more? Get in touch!

 

/by

World Wide Web Consortium is enrolling 2FA using privacyIDEA

,

Kassel, September, 26th 2017. The World Wide Web Consortium (W3C) is implementing privacyIDEA for securing access to their infrastructure with a second factor. The privacyIDEA Authentication System was chosen due to its flexible nature and the possibility to allow a single sign on experience for the users.

The services and especially the users are distributed world wide. Shipping authentication devices centrally is not efficient. Allowing only one type of authentication object is not an option. For W3C this is a big advantage that privacyIDEA can manage many different token type of different vendors at the same time. The lean REST API allows easy integration into their own user portal. W3C connected privacyIDEA to their existing user management. Users will be able to choose if they want to self-enroll Smartphone-Applications or U2F devices. Depending on the device type users gain access to resources of different security levels.

“Working with NetKnights is very effective. They provide just the right amount of consultancy for us to be able to implement the open source software privacyIDEA into our network and in our workflows.” said Ted Guild, Head of W3C Systems. Cornelius Kölbel, CEO at NetKnights, added: “W3C stands for Web standards. So we are very happy that W3C chose privacyIDEA, as this is an open solution, which complies to an open development workflow and open standards.”

About the World Wide Web Consortium (W3C)

The mission of the World Wide Web Consortium (W3C) is to lead the Web to its full potential by creating technical standards and guidelines to ensure that the Web remains open, accessible, and interoperable for everyone around the globe. W3C standards HTML5 and CSS are the foundational technologies upon which all Web sites are built. For its work to make online videos more accessible with captions and subtitles, W3C received a 2016 Emmy Award.

W3C’s vision for “One Web” brings together thousands of dedicated technologists representing more than 400 member organizations and dozens of industry sectors. Organizationally, W3C is jointly run by the MIT Computer Science and Artificial Intelligence Laboratory (MIT CSAIL) in the United States, the European Research Consortium for Informatics and Mathematics (ERCIM) headquartered in France, Keio University in Japan and Beihang University in China.

For more information see www.w3.org.

About NetKnights and privacyIDEA

NetKnights GmbH is located in Kassel, Germany. It is an independent IT Security firm, providing services and products in the fields of strong authentication, identity management and encryption. NetKnights employs the core developers of the modular authentication system privacyIDEA.

privacyIDEA is open source software and thus has not vendor defined end of life. Customers can own their privacyIDEA installation and use it without restrictions. NetKnights provides different subscription and support levels of privacyIDEA Enterprise Edition to meet the requirements of companies.

From October 10th-12th NetKnights presents privacyIDEA at the IT security fair it-sa in Nuremberg, Germany, at stand 10.1-208.

/by

privacyIDEA 2.19.1 on Univention Corporate Server

,

The Enterprise Version 2.19.1 of privacyIDEA is now available on the Univention Corporate Server. With version 2.19.1 privacyIDEA is now available on the Univention Corporate Server 4.2. Customers can easily upgrade from UCS 4.1 with privacyIDEA 2.18.1 to UCS 4.2 with privaccyIDEA 2.19.1.

Besides the improvements in Univention Corporate Server 4.2 privacyIDEA 2.19.1 also comes with interesting improvements. These are the generic user cache, which can reduce the authentication time dramatically. Using policies the administrator can define which U2F devices may be registered and used by the users. A Token Janitor allows the administrator to find orphaned tokens and either disable or delete these. We already blogged about the complete new features in privacyIDEA 2.19.

Service Level Agreement and Subscription

privacyIDEA4UCS can be installed on the Univention Corporate Server quickly and easily via the Univention App Center. You can find further details on privacyIDEA4UCS on the product page and also get a test subscription. The normal service level agreement for privacyIDEA also entitles the customer to use privacyIDEA on the Univention Corporate Server.

/by

NetKnights at IT Security Expo and Congress it-sa

,

This year NetKnights will be at the IT Security Expo and Congress “it-sa” together with the partners bytemine and Rempartec.  it-sa takes place once a year in Nuremberg, Germany in autumn. This year it is October 10th-12th 2017. During the last years up to 500 exhibitors presented new services and products in the field of IT Security. it-sa attracts over 10.000 visitors every year.

News about NetKnights and privacyIDEA

Use this chance to also get all news about NetKnights and privacyIDEA first hand! Learn more about privacyIDEA Enterprise Edition, the privacyIDEA Appliance or the privacyIDEA LDAP-Proxy.

Visit us in Hall 10.1, stand 208 – right accross from Cisco Systems or make up your personal date!

/by

privacyIDEA Enterprise Edition and Appliance

,

The privacyIDEA Enterprise Edition comes with new services and its own Enterprise-Repository. This Repository will contain Enterprise-Packages. These software packages will be released shortly after the main feature release as a kind of stable bug fixing release. E.g. after the main release 2.19 an additional enterprise version 2.19.1 will be released.

The Enterprise-Repository will only contain version 2.19.1, not the version 2.19. This way all software that can be installed from the Enterprise-Repository are stable enterprise releases. The customer can easily upgrade fom one enterprise release to the next enterprise release.

In addition the Enterprise-Repository also contains the new privacyIDEA appliance. We already blogged about it.

The Enterprise-Repository is available for Ubuntu 16.04LTS.

Howto use the Enterprise Repository

You need to create a file /etc/apt/sources.list.d/privacyidea-enterprise.list with the following contents:

deb https://yourname:yourpassword@lancelot.netknights.it/apt/stable xenial main

You as a customer will get your own credentials from NetKnights. Replace yourname and yourpassword with these credentials.

The software packages are signed. To verify the signature you need the public key:

wget https://lancelot.netknights.it/NetKnights-Release.asc

Verify the fingerprint (0940 4ABB EDB3 586D EDE4 AD22 00F7 0D62 AE25 0082) of the public key:

gpg --with-fingerprint NetKnights-Release.asc

Add the key to the keyring:

apt-key add NetKnights-Release.asc

Now you can update the package list and install the privacyIDEA Appliance:

apt update
apt install pi-appliance

Using the tool pi-manage you can create the first admin for the WebUI, create RADIUS clients and setup MySQL Master-Master-Replication.

Get your enterprise edition and your appliance!

 

Watch this video on YouTube.
/by

Enhanced services for privacyIDEA Enterprise Edition

The Open Source Multi Factor Authentication system privacyIDEA is used by many users. NetKnights provides consultancy and support in different kind of subscription levels. Customers now receive more services with the privacyIDEA Enterprise Edition. These will be available by end of June.

Additional, stable packages

With every release the privacyIDEA project releases installation packages for Ubuntu 14.04 LTS and 16.04 LTS on the Ubuntu Launchpad repository. NetKnights’ Support customers will get additional access to an enterprise repository. Those packages will be available a few weeks after the release of the project packages. The enterprise packages contain bug fixes of possible bugs that might have occurred after the official release. The enterprise repository allows customers to easily update to newer versions. Thus support customers have an easy possibility to automatically update to the latest stable version.

The enterprise packages will be available for Ubuntu 14.04 LTS, Ubuntu 16.04 LTS and CentOS 7.

Applicance functionalities

Within the enterprise repository customers will also find a tool, that provides several appliance functionalities. This way the administrator does not need to type in any commands to the command line interface and does not need edit any configuration files.

To allow for best robustness and avoid additional attack vectors, the appliance-tool goes without a web interface, a database and configuration file templates. This also allows still the experienced administrator to edit configuration files directly.

The appliance-tool helps the administrator with the usual configuration tasks…

The privacyIDEA appliance-tool covers the following topics:

  • Base configuration of the privacyIDEA service as used in the file pi.cfg,
  • manage administrative realms,
  • manage local token administrators,
  • configuring the RADIUS server and especially the RADIUS clients,
  • configuring the master master replication of the MySQL server,
  • automatic time based backups,
  • manual backups and restore,
  • automatic time based Audit log rotation.

…like configuring RADIUS clients

Using the privacyIDEA appliance-tool the administrator can quickly and reliably fullfil daily tasks.

…or define automatic time based backups.

What customers say

It’s not often that I find an open source package which is truly as well thought and polished as privacyIDEA.

John WhittenSenior Systems Administrator, Network Manager

Support from NetKnights is very good. I received actionable responses in reasonable turnaround times accompanied by code examples and patches when necessary.

Kurt BendlSenior System Analyst

Get in touch

You want to stay up to date? Subscribe to our newsletter!

You want to take a look at privacyIDEA? Register for a test instance!

You want to know more? Get in touch!

/by

privacyIDEA 2.19 – Performance, U2F and secure Smartphone Apps

,

Today we released privacyIDEA 2.19. Packages are available in the Launchpad-Repos for Ubuntu 14.04LTS and 16.04LTS. You can also install privacyIDEA on any Linux distribution using the python package index.

New Features in privacyIDEA

Authentication performance

privacyIDEA 2.19 is up to 72% faster!

In tests in the lab privacyIDEA 2.19 shows improved performance. Authentication requests are up to 72% faster than in the previous version. This is also due to a new generic user cache. This user cache stores the link between login name and user object in the local SQL database. Thus time consuming requests to the originial user store like LDAP servers or Active Directory get obsolete.

Filter U2F devices for the users

Using policies the administrator can define which type of U2F device the user is allowed to register. In further policies the administrator can also define, which U2F types the users can use to authenticate at certain applications. This way the usage of certain U2F devices can be denied in your company or certain devices from specific vendors can be required for login to sensitive systems.

Secure smartphone apps with privacyIDEA

The classical smartphone app enrollment comes with several problems, which privacyIDEA 2.19 can solve.

In a previous blog post we already pointed out the limitations of the usual smartphone enrollment with the Google Authenticator.  As a company or large organization you want to keep control over the enrollment processes of your users. Thus in version 2.19 of privacyIDEA a better rollout possibility was added. The smartphone and the privacyIDEA server do a mutual key generation. Both create a component, the secret key is generated from both components. This avoids easy copying of the QR-Codes.

Read more details in the privacyIDEA Blog.

More functions

Version 2.19 comes with further detail improvements like using the IP address or the browser user agent in the event handler framework. The date and timeformat was consolidated. Now the complete ISO date with timezone is saved to the database. This heavily eases working across timezones in international setups.

You may want to take a look at the complete Changelog.

Enterprise Edition and Consultancy

NetKnights provides consulting and support with the privacyIDEA Enterprise Edition. Using Open Source you optimize your total cost of ownership this way, that there are no external limitations which dictate how long or short your may use the software. Getting the privacyIDEA Enterprise Edition including an SLA you get the warranty and thus operating safety.

 

You want to stay tuned? Please subscribe to our newsletter!

You want to test the system yourself? Register for a test instance!

You want to know more? Get in touch!

/by