OTP Authentication Mangling

badalyanrazmik @pixabay

privacyIDEA verifies credentials that arrive via its REST API, so you can attach arbitrary applications to it. Arbitrary applications, however, may also send arbitrarily formatted data. This is why we just pushed a new feature for the next release 2.5 of privacyIDEA.

Authentication Data Mangling

Just like many other features, this can be configured flexibly via an authentication policy. Authentication Data Mangling allows you to modify incoming authentication data before it is processed by privacyIDEA. Thus you can rewrite the username, the password or the realm sent in the authentication request.

Imagine a system that sends malformed usernames. You can strip all whitespace or use only a certain part of the sent username to find the user within privacyIDEA. You use regular expressions to transform the sent username into the username to be looked up in privacyIDEA.

You can also do interesting things by modifying the password. A policy action like:

mangle=pass/.*(.{6})$/otppin\1/

will use only the last 6 characters of the sent password (probably the OTP value) and put the fixed string “otppin” in front of them. So no matter which OTP PIN the user enters, the authentication request will always use “otppin”. Be aware what this means: for every user coming through a client with this policy, the PIN is no longer a secret the user has to know, and the OTP value alone is enough. Restrict such a policy to exactly the clients that need it.

Or you could change the order of OTP PIN and OTP value like this:

mangle=pass/(.*)(.{6})$/\2\1/

This moves the last 6 characters of the sent password to the front. As you can also define these mangling policies for certain clients, you can, for whatever reason, have clients where <OTP PIN>+<OTP value> is to be entered and other clients with <OTP value>+<OTP PIN>.

Authentication Data Mangling seems like a mighty and flexible feature to me. I cannot see all possible use cases yet. So tell us what you think!
