We had launched a survey about the satisfaction and experience with privacyIDEA. 95% of the respondents said they had gerneral experience with two-factor authentication. Most of them found privacyIDEA via Google, a quarter via recommendations from friends and acquaintances.

In most cases, privacyIDEA is used for VPN and web applications. The use for Single Sign-On like via Keycloak, SimplSAMLphp or ADFS is at about 40% but is catching up.

privacyIDEA is a true open source project. Planning and development is actively done on Github. Just over half of the respondents have either starred the Github repository, posted an issue, or even contributed code.

Documentation and plugins

We received individual feedback that the user could not easily and quickly find the information in documentation he was looking for. This is understandable for us, since privacyIDEA is a complex product that can be approached from many different angles. If you give us feedback on the documentation, please always let us know, what info you need and where you were looking for it. These details help us to understand how you are reading the docs and improve the documentation at the right place.

We have received feedback on the Keycloak plugin and the ADFS plugin. For the Keycloak plugin we are currently working on a new version. The ADFS plugin has been so far developed by a single developer in the community. We now started a new ADFS plugin in the privacyIDEA project, which will then seamlessly integrate like the plugins for Keycloak or simpleSAMLphp into the privacyIDEA universe.

Specifically, the flexibility and the many authentication possibilities of privacyIDEA were praised. We continue to expand these. The reason for this survey was the evaluation of biometrics via facial recognition or typing behavior and the consideration of whether to extend privacyIDEA with a corresponding token type.

Biometrics

The two biometric methods work the same in terms of the rough principle. During registration, biometric data is captured (face or typing behavior) as a mathematical representation; this mathematical representation is then stored in the cloud by the vendor of the method. privacyIDEA takes care of the assignment of the user to the corresponding data set within the vendor’s cloud service. So while privacyIDEA itself with the user assignment is running on premises, the mathematical representation would be stored outside of privacyIDEA.

Facial recognition or a typing token could be used in privacyIDEA self service portal when a user has lost his primary token.

When logging in to self service, to Keycloak or ADFS, a Javascript library would capture the data and compute a new mathematical representation. privacyIDEA would send this with an appropriate handle to the cloud service, which would check for equality with appropriate thresholds. Accordingly, privacyIDEA would grant access. Unfortunately, in order to protect their IP and monetize it, today’s vendors prefer to provide the verification service online.

The privacyIDEA users have a similar feeling like ourselves. 65% are pragmatically and see biometric authentication simply as an additional token type, that can be used or not. 40% even see it as a good extension.

However, some users also completely reject the support of biometrics.

Only just over 10% of the respondents would use such a biometric method for self-service login. The rest are undecided; just over half would not use it.

Even more interesting is the willingness to pay money for such a service. These biometric systems are offered as cloud services and are correspondingly expensive. 70% of the respondents would not spend money on a biometrics service. 25% of the respondents would be willing to spend an amount that would not cover the costs. Only 5% would possibly be willing to afford such a service.

Conclusion for Biometrics

Biometrics in the enterprise, centrally managed for its own infrastructure, seems to be a niche market. Many end users like to unlock smartphone with a finger or face. In this survey, nearly 2/3 of the respondents said they use biometrics on laptops or smartphones. But apparently it behaves differently with Single Sign-On or VPN.

Or is it simply the group of respondents? The people who participated in this survey are most likely the administrators and IT guys. We didn’t ask directly about the reasons, but you can guess from some of the answers. Sometimes it has been suggested that biometrics is considered too insecure. Definitely, the way biometrics is offered in the enterprise context, is seen by respondents as too expensive.

While we actually have a use case for biometrics, there might not be a market.

But after several month of research stackoverflow came up with a what we think easy to use and reliable biometric authentication mechanism. This is why in version 3 of privacyIDEA we plan to introduce the first biometric token based on the dance dance authentication protocol.

You can rely on that the privacyIDEA team is working on the bleeding edge to provide you with the greatest and safest authentication mechanisms.

privacyIDEA. Realiable, trustworthy and fun to use!

I published a short article about the history of strong authentication during the last 33 years – starting with Admiral James T. Kirk accessing the Genesis project data with a retina scan.

Well, personally I am really not convince to use biometrics for authentication. Have you ever tried to revoke your biometrics? Bad idea.

Thus biometrics are better used to monitor your movements till your death than to authentication to a computer system!

You should use privacyIDEA!

This is the blog post on the Univention blog (German!).

Update: (May 03) It is also available in english.

Scientist from Pune in India have an interesting idea to use one time passwords to withdraw money from the ATM machine. Bad enough, the one time password is to be sent via SMS. I understand it. Banks are great in saving money. A bank does not want to give ATM cards to the customers, as those cards cost money. Well, sending an SMS also costs money, but the bank could request a fee from the customer each time the customer withdraws money. This fee can directly be used to cover the costs for the SMS.

The next interesting thing is, that the customer should authenticate at the ATM with his fingerprint. Perfect: The bank does not have to enroll anything to the customer.

The customer will bring his own mobile phone and tell the bank the phone number.

If the customer wants to use ATMs, the customer will also register at the bank and give his fingerprints to the bank. Not speaking of how secure fingerprints really are. If the mobile phone is lost or stolen, attackers will also get the fingerprint [1], [2]. So this idea is merely a one-factor-authentication: The possession of the phone!

Besides – Finally everbody gets the customers fingerprints: the state for the ID cards, the bank for withdrawing money – who is next?

Such an authentication scheme will not increase security, it will only help the bank – to save money.

Many people are thinking of biometrics when talking of next level authentication. I don’t see it that way. privacyIDEA tries to avoid compromising your personal identity and anyhow provide you with a secure multi factor authentication solution.

Keep your fingers to yourself!