Two Factor Authentication

... everywhere
Cornelius Kölbel, Ohio Linux Fest, Nov 2nd 2019
  • About me
    So you know, what you can ask me.
  • Demystifying 2FA
    ... or rather mystifying it?
  • privacyIDEA
    one system to rule them all!
  • Integration with any application
    2FA is a matter of communication!

About me

...since 2005


  • Reseller: eToken (NG OTP), Smartcards, PKI, HSMs
  • Strong authentication, Encryption, Full HDD Enc
  • PKI


  • Vendors: FreeRADIUS-Plugin (LinOTP) for eToken NG OTP

2009, 04/2010

  • Vendor / Product Management:Enterprise ready Open-Core Software (LinOTP2) for eToken NG OTP and others (Note: No Google Authenticator at that time!)


  • Google misuses the HOTP algorithm for its Authenticator

2010 - 2013

  • Vendor Deploy more mechanisms
    • Smartphone with Authenticator :-/
    • SMS OTP! :-/
    • OCRA (does not lift up)
    • TiQR
    • U2F? Ah - no!


  • "Vendor"
    • Own Open Source strategy → Fork to privacyIDEA
    • Rewrite for more modern technologies like Flask, AngularJS, Bootstrap
    • Founded company to provides services and support

since then: privacyIDEA

  • The factor is free to choose
  • Important aspects are:
    • Integration in to your processes
    • User acceptance
    • Sustainability (Don't go EOL)
    • Costs - not only "licenses" but also internal costs.

Successful 2FA is a matter of smooth workflows.

Two Factor Authentication

  • How are you doing 2FA?
  • ... as an end user, admin, in your company...?
What people thing, what 2FA is ...
  • Two Factor
  • Two Way
Two Factor - can be the same way

Something you..

  • ... know,
  • ... have,
  • ... are.
What in fact is two factor authentication:

What is no 2FA...?

Two Passwords (Password and "PIN")

Two Apps on one Smartphone (boils down to one "possession")

Classical possession

Smartcard, Credit Card, OTP-Token, SSH-Key
  • Can not be "guessed"
  • Can not be brute forced
  • Need to "steel" it
  • cryptographic key material (symmetric, asymmetric)
  • Quality level: protect the key material (no copy)!

Quiz about 2FA...

What is no "possession"?

(Mind the cryptographic component)

SMS / text message

What uses an HMAC based message authentication code (HMAC)?

HOTP, TOTP (RFC 4226, 6238) - with a symmetric key

What uses asymmetric crypto like RSA or ECC?

Smartcards, U2F, FIDO2

What uses strong, non broken HASH algorithms?


What uses proprietary algorithms?


2FA is more than one 2nd factor

Organizational challenges

Enrollment problems

read the blog post.

Problem: Users are not tech-savvy

Problem: My device is not supported!

Problem: Which vendor should I trust?

Problem: Backup - not only your single device, but all tokens of your company!

Problem: (Helpdesk) processes

2FA is more. It means...
  • Infrastructure
  • Management
  • Workflows

2FA needs a
2FA Management and Authentication System

  • This is why proprietary vendors sold licenses for cra*** software.
  • This is why they now bill high fees for cloud services.

Your application

Should do no 2FA itself! (Word*****, Next*****, Free***, Key*****)

privacyIDEA Authentication System

privacyIDEA is not...

  • an identity management system,
  • a VPN,
  • a firewall,
  • ...
...but a token management system and authentication server for two factor authentication.

Software Stack

  • Python Application (Flask) (2.7 - 3.7)
  • Apache2 or NGinX
  • SQL database (SQLAlchemy): MySQL/MariaDB, PostgreSQL, Oracle...


Read access (write possible) on
  • LDAP
  • SQL
  • Flatfile
  • SCIM
...mix and match as needed (read realm concept).

token types

hardware, software and virtual tokens:
  • Hardware: Key fob, OTP cards, Yubikey, Nitrokey, U2F
  • Software: Smartphone apps, PUSH token, x509 certificate, SSH key, paper/ TAN, questionaire, register, password...
  • Virtual: Forward/remote, RADIUS, 4-eyes


determine the behaviour of the system. Possible Scopes:

  • Admin / User
  • Authentication
  • Authorization
  • Enrollment
  • WebUI
  • Register

Policies depend on:

  • users
  • arbitrary user attributes
  • arbitrary HTTP headers
  • administrators
  • time
  • client IP

event handlers

can trigger additional actions. Event handler modules:
  • Notification
  • Token
  • Script
  • Counter
  • Federation
  • Request Mangler
  • Response Mangler
  • Notification File Writer

This way you get better (automated) and more flexible workflows.

recurring tasks

  • count events
  • create statistics

Integrate 2FA with your application!

Everything is fine...

if your application already provides standard protocols
  • PAM → pam_radius, pam_python/privacyidea
  • SAML2 → simpleSAMLphp, Keycloak, ADFS
  • OpenID Connect → Keycloak
What we want to do alternatively
Integrated e.g. with:
  • Wordpess
  • TYPO 3
  • Django
  • Keycloak
  • simpleSAMLphp
  • ownCloud
  • FreeRADIUS
  • benno mail archive
  • ...

The green plugin in your application:

  • decent authentication stack
  • ability to write plugins

credetials need to be sent to privacyIDEA, how?

The privacyIDEA REST API

There is nothing but the API.
Issue a simple HTTP request with the credentials

                    POST /validate/check HTTP/1.1
                    Accept: application/json

Read the JSON response

                        HTTP/1.1 200 OK
                        Content-Type: application/json
                           "detail": {
                             "message": "matching 1 tokens",
                             "serial": "HOTP0000AB00",
                             "type": "hotp"
                           "id": 1,
                           "jsonrpc": "2.0",
                           "result": {
                             "status": true,
                             "value": true
                           "version": "3.1.1"
Example REST: pam_python

                        headers = {'user-agent': 'PAM/2.15.0'}                        
                        response = + endpoint,

                        json_response = response.json
                        if callable(json_response):
                            syslog.syslog(syslog.LOG_DEBUG, "requests > 1.0")
                            json_response = json_response()
                        return json_response

305 sloc Python - but it has offline functionality
Example REST: simpleSAMLphp

                        $body = sspmod_privacyidea_Auth_utils::curl($params,
                                    null, $this->serverconfig,
                                    "/validate/samlcheck", "POST");
                        try {
                            $result = $body->result;
                            $detailAttributes = $body->detail;
                            SimpleSAML_Logger::debug("privacyidea result:" . print_r($result, True));
                            $status = $result->status;
                            $value = $result->value->auth;
                        } catch (Exception $e) {
                            throw new SimpleSAML_Error_BadRequest("We were not able to read the response from the privacyidea server.");

800 sloc PHP - but it has a lot of glue, two modes and enrollment features.
Example REST: Keycloak

                        JsonObject body = _endpoint.sendRequest(ENDPOINT_VALIDATE_CHECK, params, false, POST);
                        try {
                            JsonObject result = body.getJsonObject(JSON_KEY_RESULT);
                            return result.getBoolean(JSON_KEY_VALUE);
                        } catch (Exception e) {
                            _log.error("Verification was not successful: Invalid response from privacyIDEA");

646 sloc Java - but it has glue and enrollment features.
Example stdin: benno mail archive

if not result.get("value"):
    syslog.syslog(syslog.LOG_INFO, "Failed authentication")
    print("ERROR ERR_AUTH")
    # successful authentication
    syslog.syslog(syslog.LOG_INFO, "Authentication successful")
    user = detail.get("user")
    syslog.syslog(syslog.LOG_INFO, "user received")
    out = RESPONSE.format(role="USER",
                          displayname=u"{0} {1}".format(user.get("givenname"),

SLOC 52 Python.

Endpoints everywhere

  • /auth
  • System management, Policies, Events... all configuration
  • Token management for users and admins.
  • Auditlog and statistics

Thank you!