[Freeipa-users] Valid Sender ? - Re: Using Privacyidea with FreeIPA - part 1/n
Cornelius Kölbel
cornelius.koelbel at netknights.it
Fri Dec 30 07:24:31 UTC 2016
...by the way. This is probably the reason, why Red Hat uses the
predecessor of privacyIDEA as central 2FA authentication system for the OTP
authentication.
Kind regards
Cornelius
Am Freitag, 30. Dezember 2016 08:21:36 UTC+1 schrieb Cornelius Kölbel:
>
> Hi Jochen,
>
> this is a very important point.
> Every application is adopting two factor authentication with OTP. This is
> great - we always hoped for such a security awareness.
> But the important difference is:
> The common webapplication that finally will implement TOTP ("this cloudy
> algorithm which was invented by the Google Authenticator" ;-) ) manages the
> seeds/keys for these tokens. If the user uses a smartphone app the user
> will end up with an "OTP token" or "profile" in his App for every
> application.
>
> Or he has to share the seeds one seed between all applications. And then
> he runs into the troubles mentioned earlier.
>
> You perfectly pointed out, why you need a central authentication system
> for managing the second factors.
> From a user experience point fo view the applications could also go for
> U2F. Then the user again will only have one device, which he needs tor
> register with each application...
> ...but there will be no "syncing" problem.
>
> Kind regards
> Cornelius
>
>
> Am Donnerstag, 29. Dezember 2016 20:45:34 UTC+1 schrieb Jochen Hein:
>>
>> Martin Basti <m...i at redhat.com <mbasti at redhat.com>> writes:
>>
>>
>> >> But providing access to a Yubico Token via privacyidea works for
>> all
>> >> cases I have in mind.
>> >
>> > How they are checking the valid tokes if they don't use its counter?
>>
>> Privacyidea is the "owner" of the token and has the secret and the
>> counter stored. Every other system (e.g. pam_yubico or FreeIPA) is
>> checking the validation against privacyiadea, either with the yubico
>> protocol, the privacyidey validation, or RADIUS.
>>
>> Does this clarify the architecture of my system?
>>
>> Jochen
>>
>> --
>> The only problem with troubleshooting is that the trouble shoots back.
>>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20161229/36089e78/attachment.htm>
More information about the Freeipa-users
mailing list