2FA on-site

Migrating 2FA
to a lasting solution

Texas Linuxfest, 2019 June 1st

Cornelius Kölbel

about me
  • Cornelius Kölbel
  • 1994 Linux
  • 2005 2FA
    • Smartcards / Aladdin eToken (eTokenOnLinux)
    • HSMs
  • 2014 privacyIDEA
contact me
  • cornelius.koelbel@netknights.it
  • @cornelinux
  • @privacyidea
  • Short Intro to 2FA (as I see it)
  • M&A in the security market
  • Introduction privacyIDEA
  • Migration
  • Look ahead

2FA Intro

I am from Kassel, Germany

meet Hercules!

Where are you? Where is your data?

You want secure access - you want 2FA!

What most people think, 2FA is:
What 2nd factors actually are:
  • Users will not stop by at the admin's desk!
  • Users are unknown and and spread around the world.
  • Users are not tech savvy.
  • My device is not supported.
  • Which solution and company should I trust?
Things to consider when doing 2FA
  1. Choose your technology
  2. Vendor independent
  3. Backup methods
  4. Easy to use
  5. Helpdesk processes
  6. Workflows
2FA is not only the hand held...
2FA is...
  • Infrastructure
  • Management
  • Workflows
This is why you need
a 2FA management and authentication system
In the past
hardware vendors provided such systems for their (proprietary) hardware

Mergers and Acquisitions


If your 2FA system looks too good, ...

... it will fail!

Example 1
Example 2
Problem with proprietary software and EOL
  • You buy user licenses
  • End of sales: you can not buy new licenses, even if system is running
  • Look out for a new system and migrate!
Migration scenarios
  • Migrate to my cloud service
    (where you can not migrate away from!)
  • Migrate to my new onprem service
    (which costs up to 10 times of the old software)
  • Migrate to privacyIDEA!

Introduction to privacyIDEA

Network structure – where is privacyIDEA located?
History of privacyIDEA
  • started in 2005/2006 with the Aladdin eToken NG
  • RFC4226 – a standard
  • predecessor in 2010
  • privacyIDEA fork in 2014
  • event handlers in 2016
  • won 2 OSS awards in Germany in 2016
Let's check the requirements
Choose your technology
  • Supported authentication methods: HOTP/TOTP (including Key Fob and Smartphone Apps), PUSH, Yubikey, U2F, Email, SMS, OCRA, TiQR, SSH pub keys, x509, Paper, Questionnaire, 4-Eyes, Vasco, Registration... (TODO: Smartcards, FIDO2/WebAuthN)
  • Written in Python
    Token types are inherited from the base class
    Some token types are just a matter of a few lines of code.
  • → easy enhancements without change of:
    • ...the installation
    • workflows or
    • code base. (no need for migration)
  • Future proof
    From a technology standpoint.
Choose your technology
Vendor independent
  • Open Source (AGPLv3)
  • hosted at Github: https://github.com/privacyidea
    • Clone! Star! Fork!
  • does not bind to one authentication method of one (hardware) vendor (mix and match!)
  • Transparent and independent
  • Beware the mergers and akquisitions!
Backup methods
  • No personal backup
  • One user many tokens.
  • Either assign himself, by the helpdesk or automatically.
  • Lost Token scenario
Backup methods
Easy to use
  • UI that only allows the configured actions.
  • Token wizard.
    • → build your own web integration
    • Complete API documentation at readthedocs
Helpdesk (processes)
  • Policy framework
    • define behaviour and response of privacyIDEA.
    • Scopes: admin, user, auth, authz, enrollment...
    • Work on the API level
    • based on users and ldap groups
It is all about automation of tedious tasks!
  • Database level
  • Library calls
  • Event Handler
Workflows - library calls
  • Python libs for all tasks.
  • No webserver running, no load.
  • → external scripts like token-janitor...
Workflows - API calls

POST /validate/check
POST /token/init
GET /token/
DELETE /token/OATH12344
Workflows with Event Handler in privacyIDEA
Fun fact: We developed it, but we do not know what for!
What are Event handlers
  • Additional actions can be attached to each reqeust
  • Pre or Post request
  • ...with certain conditions
Event handler classes
  • Notification, Token, Federation, Counter, Script
  • Each class comes with it's defined actions
    send email, send sms, enroll token, set token info, reset failcounter, set counters, run arbitrary scripts, forword to other privacyIDEA machine...
  • small code changes => big chances
    counter (100 sloc), token (350 sloc)
Some handler examples
Notify the user in case of admin action
  • handler: Notification
  • event: /token/init
  • position: post
  • condition: user is an admin
  • action: send email to token owner
Mark tokens as being enrolled
  • handler: TokenHandler
  • event: /token/init
  • position: post
  • condition: user is an admin
  • action: set tokeninfo / arbitrary field
  • alternative action: disable token
Reset timeshift of a TOTP token in case of successful authentication
  • handler: TokenHandler
  • event: /validate/check
  • position: post
  • condition: successful auth
  • action: set tokeninfo / timeshift
Count failed authentications
  • handler: CounterHandler
  • event: /validate/check
  • position: post
  • condition: failed authentication
  • action: increase counter
Print welcome letters
  • handler: ScriptHandler
  • event: /token/init
  • position: post
  • condition: administrator / helpdesk user enrolled token
  • action: call a script, that prints a welcome letter
Create registration token, if the last token of a user is deleted
  • handler: TokenHandler
  • event: DEL /token
  • position: post
  • condition: number of user tokens "0"
  • action: enroll registration token
Enroll a token, if the user has none
  • handler: TokenHandler
  • event: /validate/check
  • position: pre
  • condition: number of user tokens "0"
  • action: enroll email token


Possible Migration scenarios
  • via RADIUS
  • via data migration (import seeds)
  • via privacyIDEA passthru policy
privacyIDEA talks to RADIUS
  • define (old) RADIUS server
privacyIDEA policy
  • forward authentication request to old radius
migrating to privacyIDEA
  • No need to hurry
  • Users can keep their old tokens
  • Mix and match
    500 old + 10 new
  • One central audit log
    since all auth requests routed in privacyIDEA

Look ahead

Development continues at github
Development continues
    • Migrate PIN
    • Arbitrary user attributes in policies
    • Better support logging to logstash etc.
    • WebAuthN
    • Central notification system and privacyIDEA news (idea!)
    • Smartcard support - start with Yubikey.

Thank you!

Star, clone and pull request