Results of privacyIDEA User Survey 1/2021

We launched a survey about satisfaction and experience with privacyIDEA. 95% of the respondents said they had general experience with two-factor authentication. Most of them found privacyIDEA via Google, a quarter via recommendations from friends and acquaintances.

In most cases, privacyIDEA is used for VPN and web applications. Use for Single Sign-On, for example via Keycloak, simpleSAMLphp or ADFS, is at about 40% but is catching up.

privacyIDEA is a true open source project. Planning and development are actively done on GitHub. Just over half of the respondents have either starred the GitHub repository, posted an issue, or even contributed code.

Documentation and plugins

We received individual feedback that users could not easily and quickly find the information in the documentation they were looking for. This is understandable to us, since privacyIDEA is a complex product that can be approached from many different angles. If you give us feedback on the documentation, please always let us know what information you need and where you were looking for it. These details help us understand how you read the docs and improve the documentation in the right place.

The privacyIDEA documentation contains a lot of information.

We have received feedback on the Keycloak plugin and the ADFS plugin. For the Keycloak plugin we are currently working on a new version. The ADFS plugin has so far been developed by a single developer in the community. We have now started a new ADFS plugin within the privacyIDEA project, which will integrate seamlessly into the privacyIDEA universe, like the plugins for Keycloak or simpleSAMLphp.

In particular, the flexibility and the many authentication possibilities of privacyIDEA were praised. We continue to expand these. The reason for this survey was the evaluation of biometrics via facial recognition or typing behavior, and the consideration of whether to extend privacyIDEA with a corresponding token type.

Biometrics

The two biometric methods work the same way in principle. During registration, biometric data (face or typing behavior) is captured as a mathematical representation; this mathematical representation is then stored in the cloud by the vendor of the method. privacyIDEA takes care of assigning the user to the corresponding data set within the vendor's cloud service. So while privacyIDEA itself, with the user assignment, runs on premises, the mathematical representation would be stored outside of privacyIDEA.

Should privacyIDEA support cloud based face recognition?

Facial recognition or a typing token could be used in the privacyIDEA self-service portal when a user has lost their primary token.

When logging in to self-service, to Keycloak or to ADFS, a JavaScript library would capture the data and compute a new mathematical representation. privacyIDEA would send this, together with an appropriate handle, to the cloud service, which would check for equality within appropriate thresholds. Based on the result, privacyIDEA would grant access. Unfortunately, in order to protect their IP and monetize it, today's vendors prefer to provide the verification service online.
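To make the split described in the two paragraphs above concrete, here is an added illustration that is not privacyIDEA code and not any vendor's API: the on-premises side keeps only the user-to-handle assignment, while a hypothetical vendor service holds the mathematical representation and answers verification requests. The cosine-similarity matching, the threshold value and the sample vectors are assumptions constructed for this example.

```python
import math

# Assumed similarity threshold; a real vendor tunes this against false accept/reject rates.
THRESHOLD = 0.90


def cosine_similarity(a, b):
    """Similarity of two feature vectors in [-1, 1]; 1.0 means identical direction."""
    dot = sum(x * y for x, y in zip(a, b))
    norm = math.sqrt(sum(x * x for x in a)) * math.sqrt(sum(y * y for y in b))
    return dot / norm if norm else 0.0


class HypotheticalVendorCloud:
    """Stand-in for the vendor's online service: stores templates, verifies probes."""

    def __init__(self):
        self._templates = {}  # handle -> enrolled mathematical representation

    def enroll(self, template):
        handle = f"tmpl-{len(self._templates) + 1}"  # opaque reference returned to the caller
        self._templates[handle] = list(template)
        return handle

    def verify(self, handle, probe):
        template = self._templates.get(handle)
        if template is None:
            return False  # unknown handle: never fall open
        return cosine_similarity(template, probe) >= THRESHOLD


class OnPremBiometricToken:
    """On-premises side: holds only user -> handle, never the biometric template."""

    def __init__(self, cloud):
        self._cloud = cloud
        self._assignments = {}  # user -> vendor handle

    def enroll(self, user, template):
        self._assignments[user] = self._cloud.enroll(template)

    def on_premises_record(self, user):
        # What would be stored locally: the handle only, no feature vector.
        return {"handle": self._assignments[user]}

    def authenticate(self, user, probe):
        handle = self._assignments.get(user)
        if handle is None:
            return False  # no biometric token assigned to this user
        return self._cloud.verify(handle, probe)
```

The point of the split is visible in `on_premises_record`: losing the on-premises database exposes handles, not biometric data, while every login still depends on the vendor service being reachable.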

The privacyIDEA users feel much the same as we do. 65% are pragmatic and see biometric authentication simply as an additional token type that can be used or not. 40% even see it as a good extension.

However, some users also completely reject the support of biometrics.

Only just over 10% of the respondents would use such a biometric method for self-service login. Just over half would not use it; the rest are undecided.

Even more interesting is the willingness to pay for such a service. These biometric systems are offered as cloud services and are correspondingly expensive. 70% of the respondents would not spend money on a biometrics service. 25% of the respondents would be willing to spend an amount that would not cover the costs. Only 5% might be willing to pay for such a service.

Conclusion for Biometrics

Biometrics in the enterprise, centrally managed for an organization's own infrastructure, seems to be a niche market. Many end users like to unlock their smartphone with a finger or face. In this survey, nearly 2/3 of the respondents said they use biometrics on laptops or smartphones. But apparently things are different for Single Sign-On or VPN.

Or is it simply the group of respondents? The people who participated in this survey are most likely administrators and IT staff. We didn't ask directly about the reasons, but some of the answers give hints. Some suggested that biometrics is considered too insecure. And the way biometrics is offered in the enterprise context is definitely seen by respondents as too expensive.

While we actually have a use case for biometrics, there might not be a market.

Start the discussion at community.privacyidea.org