Authentication choose

mho · April 19, 2021, 6:16pm

Hello,
i’m testing PrivacyIdea 3.5,however i can’t see how to choose token, i explain.
i have a user usertest with 3 tokens: Push, TOTP, eMail.
i set no pin to Push and email.
If i test with /validate/check uri with user=usertest realm=realmtest and empty pass, i receive the push notification in my phone and if i wait without valided the push, i receive after push timeout the smtp message with the OTP.

I found that if i set different pin for email and push it’s working.
i would like to know, how to choose the token type in my request with same pin or empty pin.

and how to choose with radius plugin how to select toten type in request
i have User-Name = “usertest” user-password

thanks for your help.

mho · April 20, 2021, 8:04am

voila,
I understood that serial is the unique identifier and i know you can retrieve them by GET /token, but with radius can i get them with privacyIDEA-Serial Attribute request and/or can i use it to select token in radius request
thanks

laclaro · April 20, 2021, 3:02pm

Hello mho,

in privacyIDEA at the /validate/check endpoint, tokens are not selected by the user. Tokens are selected via PIN.

There are two exceptions however:

You can select a token as an admin user with /validate/triggerchallenge and serial
You can allow an application to select a tokentype by using the authorization policy tokentype
7.4. Authorization policies — privacyIDEA 3.5 documentation

The second option is to let your own portal application chose which tokentype to question in which context and especially with authentication policy otppin=userstore (pins won’t matter to differentiate).

Best regards,

Henning Hollermann

plettich · April 21, 2021, 8:44am

Actually You can pass the token serial to validate check. If a user parameter is also given, it checks if the token belongs to the user.

mho · April 21, 2021, 9:43am

Thanks a lot for your answers.

In my mind I was thinking that after logging into an app you have the MFA and the option to choose the type of method if I choose sms or emails I get a totp to enter to validate the connection without enter the PIN code | Password and if I choose Push, I receive a notification on my phone and if I choose totp, I enter the totp without PIN | Password.
If I understood correctly, the choice of the token is made with the PIN code | Password, I cannot validate the MFA without a PIN | Password.
The user must therefore know the PIN code | The password or an administrator must retrieve it by a triggerchallenge.

Using the FreeRadius plugin, what are our options if we don’t want the user to enter a PIN code | Password?

A solution via “Freeradius with the PrivacyIDEA Plugin” would be to put the same PIN code per type of token to all users with the restriction of not having 2 tokens of the same type per user.
So by entering the username + pin (static) we could choose the type of token and only allowing the FreeRadius to access “/validate/check EndPoint”.

What do you think about this configuration?
Thanks for your contributions