How do I get the OTP code sent by sms?

cartenca · March 22, 2020, 11:48am

Is it possible to get, with an API, the OTP code sends to user by the triggerchallenge above?
I have to use the OTP code to encrypt a file so that the user can decrypt it with the same OTP code sent to him by privacyidea.
Thank you very much!

Carlo

cornelinux · March 22, 2020, 3:41pm

Welcome to the privacyIDEA community.
Encrypting a file with a 6 or 8 digit number is not really very safe! Very prone to brute force attacks.

How often do you need to send such “encrpytion” key via SMS?
A more sensible way would be to use a registration token or a pw token, which provide more entropy.

You can easily send a 24 character registration code via SMS, when e.g. an administrative accounts creates this registration token.

cartenca · March 22, 2020, 5:33pm

I try to be more precise.
I use EASYSIGN.COM’s API to send a document to be signed digitally.
When I send the document to EasySign’s API, I can also send a 4 character’s code to be insert by signer to grant access to the document for signing.
If I could post this code to EasySign’s API (and so I have to know this OTP code) and to SMS by user’s Privacyidea token, I could log also this operation in PrivacyIdea’s “Audit” and so I have only one log to storage all my Security operations.

Thank you for your help.
Carlo

cartenca · March 22, 2020, 5:55pm

An idea…
Could I use others tags instead of {otp} (or {phone}) in SMS gateway?
If I can use {signature} or {transaction_id} for example, I’ll use the first 4 numbers as code…
Is it possible?

Thanks
Carlo

cornelinux · March 22, 2020, 8:01pm

I was asking how often you actually send an encrypted document.
Do you only send such a document once to a user or do you send several documents, again and again to a user?

If you would send it only once you could create as before mentioned a registration code.
Instead of using an SMS token to send an SMS to the user, you could use the notification handlers:
https://privacyidea.readthedocs.io/en/latest/eventhandler/usernotification.html

The notification handler supports a long list of tags:
https://privacyidea.readthedocs.io/en/latest/eventhandler/usernotification.html#body-for-all-actions

You have an interesting scenario, but it is difficult to discuss this way. Read through the event handlers. Maybe you get an idea, how these could help you.