Kassel 20.12.2022 – The IT security company NetKnights releases version 3.8 of the professional multi-factor authentication software privacyIDEA. The new version allows users to log on to Windows systems using the Yubikey as a smart card. A flexible rollout mechanism allows certain token types to be rolled out at the application itself, eliminating the need for the administrator to redirect users to the self-service portal for rollout. A new “preferred_client_mode” allows the user to save time during the login process due to a reasonable preselection by the administrator. The new version is now available via the Python Package Index and in the community repositories for Ubuntu 18.04, 20.04 and now also 22.04.
Support for smartcard login on Windows systems
Windows operating systems have long supported logon with a smartcard and a smartcard logon certificate. All the user has to do is remember the smartcard PIN and insert the smartcard when logging in. This eliminates the need for complex, constantly changing domain passwords.
However, a third-party system is always required to manage such smartcards in a Windows domain.
Therefore, starting with version 3.8, privacyIDEA now offers the possibility to use Yubikeys as smartcards for passwordless logon (two factors: smartcard and PIN) to Windows systems. For this purpose, the privacyIDEA server can now communicate with a domain-integrated Microsoft Active Directory Certificate Service and store the issued smartcard logon certificates to Yubikeys.
Rollout during authentication
Introducing multi-factor authentication in larger environments always brings the challenge of a sensible rollout process. privacyIDEA already offers many different options so that companies and organizations can optimize the rollout process to their needs.
With version 3.8 administrators now get a new, additional tool.
Using the challenge-response process, users can roll out their second factor right at the moment when they log in. This works completely transparently for the application to which the user logs on. The administrator can use policies to control whether a user must roll out an HOTP, TOTP, SMS, email or PUSH token. In doing so, the user may have already authenticated with a possibly weaker second factor in the first step and now roll out a new, stronger second factor during login.
Since this happens at the application itself, it is not necessary to direct the user to the self-service portal.
SMS and email tokens can even be rolled out within standard applications like Citrix Netscaler. The privacyIDEA developers will transparently support the rollout of HOTP/TOTP tokens and PUSH tokens in all plugins that exist e.g. for ownCloud, Keycloak, ADFS.
Fast login, fast debugging, token groups
With version 3.8, the administrator can define a policy in privacyIDEA that transmits the preferred client mode to plugins. If a user has several different tokens (e.g. email token, PUSH token, TOTP token), then the administrator can use this policy to define which login method the user should prefer to use. This way the user can save time as he does not have to select the login method during login.
The audit log in privacyIDEA records every API request to the system. Administrators and helpdesk staff can thus check the behavior of the system and identify system errors or user errors. In the new version, privacyIDEA now also records the thread ID of the request. This makes it quick and easy to extract even more information about the request in question from the detailed log file.
In privacyIDEA 3.8, the administrator can now combine tokens into arbitrary groups. This is a basic function that the privacyIDEA developers plan to use in the future, for example to improve SSH key management or to simplify the management of offline tokens.
You can find all changes in detail in the changelog on GitHub. On GitHub, all components of privacyIDEA are also being further developed as open source software under AGPLv3 under the leadership of NetKnights GmbH.
Availability
The new version 3.8 of privacyIDEA is now available via the Python Package Index as well as in the community repositories for Ubuntu 18.04, 20.04 and 22.04. Additionally, NetKnights GmbH offers the Enterprise Edition with support for Ubuntu LTS, RHEL/CentOS and an appliance tool and performs custom development for special requirements.
About privacyIDEA
privacyIDEA is an open source multi-client and multi-instance capable system for multi-factor authentication. The development is done transparently on GitHub. The administrator can easily install or update the system via the Python Package Index or Ubuntu repositories. A few weeks after the community major version is released, NetKnights will also release a stable enterprise version for Ubuntu LTS and RHEL/CentOS.
You can get more information about development and news at the NetKnights Blog.