We had launched a survey about the satisfaction and experience with privacyIDEA. 95% of the respondents said they had gerneral experience with two-factor authentication. Most of them found privacyIDEA via Google, a quarter via recommendations from friends and acquaintances.

In most cases, privacyIDEA is used for VPN and web applications. The use for Single Sign-On like via Keycloak, SimplSAMLphp or ADFS is at about 40% but is catching up.

privacyIDEA is a true open source project. Planning and development is actively done on Github. Just over half of the respondents have either starred the Github repository, posted an issue, or even contributed code.

Documentation and plugins

We received individual feedback that the user could not easily and quickly find the information in documentation he was looking for. This is understandable for us, since privacyIDEA is a complex product that can be approached from many different angles. If you give us feedback on the documentation, please always let us know, what info you need and where you were looking for it. These details help us to understand how you are reading the docs and improve the documentation at the right place.

We have received feedback on the Keycloak plugin and the ADFS plugin. For the Keycloak plugin we are currently working on a new version. The ADFS plugin has been so far developed by a single developer in the community. We now started a new ADFS plugin in the privacyIDEA project, which will then seamlessly integrate like the plugins for Keycloak or simpleSAMLphp into the privacyIDEA universe.

Specifically, the flexibility and the many authentication possibilities of privacyIDEA were praised. We continue to expand these. The reason for this survey was the evaluation of biometrics via facial recognition or typing behavior and the consideration of whether to extend privacyIDEA with a corresponding token type.

Biometrics

The two biometric methods work the same in terms of the rough principle. During registration, biometric data is captured (face or typing behavior) as a mathematical representation; this mathematical representation is then stored in the cloud by the vendor of the method. privacyIDEA takes care of the assignment of the user to the corresponding data set within the vendor’s cloud service. So while privacyIDEA itself with the user assignment is running on premises, the mathematical representation would be stored outside of privacyIDEA.

Facial recognition or a typing token could be used in privacyIDEA self service portal when a user has lost his primary token.

When logging in to self service, to Keycloak or ADFS, a Javascript library would capture the data and compute a new mathematical representation. privacyIDEA would send this with an appropriate handle to the cloud service, which would check for equality with appropriate thresholds. Accordingly, privacyIDEA would grant access. Unfortunately, in order to protect their IP and monetize it, today’s vendors prefer to provide the verification service online.

The privacyIDEA users have a similar feeling like ourselves. 65% are pragmatically and see biometric authentication simply as an additional token type, that can be used or not. 40% even see it as a good extension.

However, some users also completely reject the support of biometrics.

Only just over 10% of the respondents would use such a biometric method for self-service login. The rest are undecided; just over half would not use it.

Even more interesting is the willingness to pay money for such a service. These biometric systems are offered as cloud services and are correspondingly expensive. 70% of the respondents would not spend money on a biometrics service. 25% of the respondents would be willing to spend an amount that would not cover the costs. Only 5% would possibly be willing to afford such a service.

Conclusion for Biometrics

Biometrics in the enterprise, centrally managed for its own infrastructure, seems to be a niche market. Many end users like to unlock smartphone with a finger or face. In this survey, nearly 2/3 of the respondents said they use biometrics on laptops or smartphones. But apparently it behaves differently with Single Sign-On or VPN.

Or is it simply the group of respondents? The people who participated in this survey are most likely the administrators and IT guys. We didn’t ask directly about the reasons, but you can guess from some of the answers. Sometimes it has been suggested that biometrics is considered too insecure. Definitely, the way biometrics is offered in the enterprise context, is seen by respondents as too expensive.

While we actually have a use case for biometrics, there might not be a market.

We will try to give an overview of the answers and we will even try harder to deduce some results and todos from these data. A former math teacher of mine kept pointing out: “Do not trust any statistics, which you did not fake yourself”. And you can always see, that statistics data can be interpreted the one way, or the other. …well, lets take a look.

How do people know about privacyIDEA?

50% learnt about privacyIDEA, using Google. This might mean, that we should go on talking

about privacyIDEA, having portals and newspapers talking about privacyIDEA and also attend conferences to talk about privacyIDEA. Yes – we will attend the LinuxFest NorthWest and the Grazer Linuxtage in April.

29% were told by a colleage or friend about privacyIDEA. Once a user has his first contact with privacyIDEA, we very much need to take care, that he likes privacyIDEA and that he will also talk about it to his friends. And thankfully a lot of users, would recommend privacyIDEA to their friends.

Of course, the best way to achieve this, is that we listen to you – the users. So if you have anything to tell us, please join the community forum or open an issue at Github!

In which scenario is privacyIDEA used?

We also asked, for which scenario privacyIDEA is used. In most cases it is used with VPNs and Web applications. No wonder, since it also works well in these scenarios. We know, that we might need to improve the Windows Logon – only 14% used it in this case, but we think there is a bigger need for a secure Windows Logon with privacyIDEA. So NetKnights will be working on improving the privacyIDEA Credential Provider.

The community

43% do not use community.privacyidea.org. Why would that be? Tell us or use it.

Satisfaction

On a scale from 1 to 5 the overal satisfaction level is an average of 4.3 which we are very proud of. I think one reason might be, that we always try to improve privacyIDEA. But this is not the sign for us to rest on our oars. We see it as your expectation: We need to keep up the responsiveness, new ideas and features and regular releases. Thank you – we heart you!

Statistics

We also ran the survey to get an idea what you think about our next feature idea to improve the monitoring and statistics.

REST API

We interpret the results that it is more important to you that you can fetch statistics data via the REST API. Well, as privacyIDEA is a REST system, we would probably implement such a REST API, anyways. But it tells us, that we might go slower on the SNMP topic.

No RAM or CPU

Once, one public tender requested, that an OTP system should provide information about RAM and CPU. Of course it might be interesting to know such data of any system – but why have it in the token management? You also confirmed, that RAM and CPU are not necessary at this level:

Time graphs or snapshots

We also asked how importand are time series of certain measurments like “authentications per second” and important are snapshot data. Well – I do not really know, what looks more important:

This is why we plan to provide a complete flexible statistics module in the next privacyIDEA release. We are discussing and gathering idea as usual on GIthub. We have a special label for the statistics and several issues to cover this topic. If you want to participate and influence the privacyIDEA development even further than via the user survey, feel free to join the discussion at Github!

…and don’t forget to stop by at the community forum!