privacyIDEA 2.19 – U2F and Secure Smartphone Apps

We released privacyIDEA 2.19!

Need for Speed

privacyIDEA 2.19 is now much faster.

privacyIDEA is used in quite a few large setups, so in this release we also focused on speed. With several changes we were able to reduce the time needed for one authentication request by up to 72% (measured in our lab environment; your numbers may differ).

So how did we manage this?

Many setups keep their users in an LDAP directory or in Microsoft Active Directory. Since privacyIDEA does not store users themselves but only references to user objects in such directories, it has to find the user object whenever a user enters a login name. During authentication, several LDAP requests are therefore needed to resolve the login name to this user reference. We optimized these LDAP calls, which resulted in a speed-up of 57% compared to privacyIDEA 2.18.

The User Cache

Even so, privacyIDEA still has to query the LDAP server. In some setups the connection to the LDAP server is rather slow, for example because it is located behind a VPN connection. So we added a user cache in privacyIDEA 2.19. The user cache stores the login name and the reference to the user object in the local SQL database. Once a user is known, no further LDAP call is needed.

In our lab environment we measured a further speed-up of 33% when the user cache is used with LDAP users. The effect can be even larger if your LDAP connection is slow.
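The following is an added example (not privacyIDEA's own code) of the cache idea described above: a login name to user reference mapping kept in a local SQL database, consulted before the directory is asked. The directory lookup, the sample user entries and the expiry parameter are all constructed for the example; privacyIDEA's real cache table and configuration are not shown here.

```python
import sqlite3
import time

# Constructed stand-in for an LDAP directory: login name -> DN of the user object.
FAKE_DIRECTORY = {
    "alice": "uid=alice,ou=people,dc=example,dc=com",
    "bob": "uid=bob,ou=people,dc=example,dc=com",
}

# Every simulated LDAP search is counted so the effect of the cache is visible.
LDAP_CALLS = {"count": 0}


def slow_ldap_lookup(login):
    """Simulated (hypothetical) LDAP search resolving a login name to a user reference."""
    LDAP_CALLS["count"] += 1
    return FAKE_DIRECTORY.get(login)


class UserCache:
    """Login name -> user reference cache kept in a local SQL database (SQLite here)."""

    def __init__(self, expiration_seconds, clock=time.time):
        # The clock is injectable so expiry can be exercised without sleeping.
        self.conn = sqlite3.connect(":memory:")
        self.expiration = expiration_seconds
        self.clock = clock
        self.conn.execute(
            "CREATE TABLE usercache ("
            " login TEXT PRIMARY KEY,"
            " user_ref TEXT NOT NULL,"
            " cached_at REAL NOT NULL)"
        )

    def resolve(self, login, lookup=slow_ldap_lookup):
        """Return the user reference for login, asking the directory only on a cache miss."""
        now = self.clock()
        row = self.conn.execute(
            "SELECT user_ref, cached_at FROM usercache WHERE login = ?", (login,)
        ).fetchone()
        if row is not None and now - row[1] < self.expiration:
            return row[0]  # fresh cache hit: no LDAP round trip

        user_ref = lookup(login)  # cache miss or expired entry: ask the directory
        if user_ref is None:
            # Misses are not cached: a user created in the directory a moment later
            # must be able to log in without waiting for an entry to expire.
            self.conn.execute("DELETE FROM usercache WHERE login = ?", (login,))
            self.conn.commit()
            return None
        self.conn.execute(
            "INSERT OR REPLACE INTO usercache (login, user_ref, cached_at) VALUES (?, ?, ?)",
            (login, user_ref, now),
        )
        self.conn.commit()
        return user_ref

    def invalidate(self, login):
        """Drop one entry, e.g. after the user was renamed or deleted in the directory."""
        self.conn.execute("DELETE FROM usercache WHERE login = ?", (login,))
        self.conn.commit()


if __name__ == "__main__":
    cache = UserCache(expiration_seconds=3600)
    print(cache.resolve("alice"), LDAP_CALLS["count"])  # first call goes to the directory
    print(cache.resolve("alice"), LDAP_CALLS["count"])  # second call is served from the cache
```

The expiry is the security-relevant knob: a cached mapping outlives changes in the directory, so a user deleted or renamed in LDAP keeps resolving until the entry expires or is invalidated. Keep the expiration short enough for your deprovisioning process, and do not cache negative lookups.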


privacyIDEA can filter for certain U2F device types.

privacyIDEA comes with two new policies for enrollment and for authentication.

The administrator can define a regular expression to restrict the types of U2F devices that may be enrolled or used for authentication. This way a company can restrict the use of U2F devices to those of a specific vendor, or require that certain resources are accessed only with particular U2F devices.
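As an added illustration (not privacyIDEA's own policy code), the snippet below shows how such a device restriction can be evaluated: a rule names an attribute of the device's attestation certificate and a regular expression, and a device is accepted only if that attribute matches. The rule format `attribute/regex/`, the attribute names and the sample devices are assumptions made for this example.

```python
import re

# Rule format assumed for this example: "<attribute>/<regex>/", where the attribute is one of
# the fields read from the device's attestation certificate.
RULE_FORMAT = re.compile(r"^(subject|issuer|serial)/(.*)/$")


def parse_device_rule(rule):
    """Split a rule into (attribute, compiled regex); malformed rules are an error, not a no-op."""
    match = RULE_FORMAT.match(rule)
    if match is None:
        raise ValueError("malformed U2F device rule: %r" % rule)
    return match.group(1), re.compile(match.group(2))


def device_allowed(attestation, rule):
    """True if the attestation attribute named in the rule matches the regex completely."""
    attribute, pattern = parse_device_rule(rule)
    value = attestation.get(attribute, "")
    # fullmatch is used on purpose: a pattern like "Yubico" must not admit
    # every subject that merely contains that word somewhere.
    return pattern.fullmatch(value) is not None


def filter_devices(attestations, rule):
    """Apply one rule to a list of devices and return the subjects of the allowed ones."""
    return [a["subject"] for a in attestations if device_allowed(a, rule)]


# Constructed attestation data (not real certificates): the attributes as a server would
# read them from the attestation certificate presented during registration.
SAMPLE_DEVICES = [
    {"subject": "CN=Yubico U2F EE Serial 1234567",
     "issuer": "CN=Yubico U2F Root CA", "serial": "1234567"},
    {"subject": "CN=Example Corp Token",
     "issuer": "CN=Example Corp Root", "serial": "42"},
    {"subject": "CN=Yubico-compatible Clone",
     "issuer": "CN=Cheap Clones Inc", "serial": "7"},
]


if __name__ == "__main__":
    print(filter_devices(SAMPLE_DEVICES, "subject/.*Yubico.*/"))
    print(filter_devices(SAMPLE_DEVICES, "issuer/CN=Yubico U2F Root CA/"))
```

Two things worth noticing when writing such rules: a loose subject pattern like `.*Yubico.*` also admits the third sample device, whereas matching on the issuer pins the rule to the vendor's attestation CA; and the restriction is only as strong as the attestation check behind it, since a certificate whose signature has not been verified against the vendor's root can carry any subject the presenter likes.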

Secure Smartphone Apps

Using the smartphone as your authentication device is a very common scenario nowadays. Everyone takes care of their smartphone and carries it along. But as stated in the NetKnights blog post, the enrollment process is most of the time not that secure: the Key URI in the QR code, introduced with the Google Authenticator and used by many smartphone apps, contains the secret key.

privacyIDEA comes with a new integrated mutual key enrollment, which makes it much simpler to implement smartphone apps with a secure key enrollment. The privacyIDEA server and the smartphone app each create one component, and the actual key is generated from these two components. Thus the secret key cannot easily be copied and shared between several smartphones.
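The exchange described above, as an added example that is not privacyIDEA's own implementation: the server contributes one component (the only thing that goes into the QR code), the app contributes a second one, and both sides derive the same OTP key from the pair. The derivation function (PBKDF2-HMAC-SHA256 keyed with the app's component and salted with the server's), the component sizes and the message shapes are assumptions made for this example; the HOTP routine follows RFC 4226 so both sides can show they hold the same key.

```python
import base64
import hashlib
import hmac
import os
import struct


def derive_token_key(server_component, client_component, iterations=10000, key_len=20):
    """Combine both components into the OTP secret.

    Illustrative construction (an assumption, not necessarily privacyIDEA's algorithm):
    PBKDF2-HMAC-SHA256 keyed with the app's component, salted with the server's component.
    """
    return hashlib.pbkdf2_hmac("sha256", client_component, server_component, iterations, key_len)


def hotp(key, counter, digits=6):
    """RFC 4226 HOTP, used here to demonstrate that both sides end up with the same key."""
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def server_step1(rng=os.urandom):
    """Server creates its component; only this is encoded into the QR code shown to the user."""
    server_component = rng(16)
    qr_payload = base64.b32encode(server_component).decode()  # what a camera or screenshot captures
    return server_component, qr_payload


def app_step2(qr_payload, rng=os.urandom):
    """App decodes the server component, creates its own component and derives the key locally."""
    server_component = base64.b32decode(qr_payload)
    client_component = rng(16)
    key = derive_token_key(server_component, client_component)
    return client_component, key


def server_step3(server_component, client_component):
    """Server receives the app's component (second enrollment request) and derives the same key."""
    return derive_token_key(server_component, client_component)


def run_enrollment(rng=os.urandom):
    """Full two-step exchange; returns both derived keys and the server component for inspection."""
    server_component, qr_payload = server_step1(rng)
    client_component, app_key = app_step2(qr_payload, rng)
    server_key = server_step3(server_component, client_component)
    return server_key, app_key, server_component


if __name__ == "__main__":
    server_key, app_key, _ = run_enrollment()
    print("keys match:", server_key == app_key)
    print("first OTP on both sides:", hotp(server_key, 0), hotp(app_key, 0))
```

The property to check is in the last assertion of the test: whoever captured only the QR code holds the server component but not the app's, so they cannot reproduce the key, which is exactly what the classic Key URI enrollment fails to guarantee.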

Further enhancements

There are many other enhancements. The time format was improved by adding a timezone. Policies and event handlers received improvements such as being able to set the client IP or the user agent in the tokeninfo fields.

The full Changelog can be found here.