We are using the privacyIDEA REST API from our identity provider application to add an MFA flow on login.
Our requirement is to authenticate the user's credentials after verifying the OTP. User info and credentials exist in our existing system, so we are using the HTTP resolver for this need.
Questions:
1. Does privacyIDEA support checking the user's device or computer and remembering it, and enforcing OTP only if the user is logging in from another device?
2. Certain APIs like /validate/check to generate an OTP or validate an OTP are open endpoints. Is this by design? Do they not need to be secured as well?
Thanks @cornelinux for clarifications.
Regarding the 1st point - Is it usual, then, to use some other tool with privacyIDEA to support the OTP flow based on conditions?
Regarding the 2nd point -
In my flow, I only created an HTTP resolver with an endpoint that returns the email address of a user. And I created a token, which calls the HTTP resolver (the user info endpoint) multiple times (not sure why, but that's a separate question). Further, when I call /validate/check, it triggers the email as expected, but I was checking whether this endpoint can be secured, so that no one can call it without authentication/authorization, as this can trigger emails to real users. The only option I see here from a security perspective is a PIN. Do we generally use the user's password as the PIN here?
If this endpoint can be further secured, how can it be done with privacyIDEA so that no one can access this API to generate and send an OTP?