PassOnNoToken Option lets user in with any pass

righter · March 18, 2022, 9:25am

We have enabled the passonnotoken option because we thaught this could give us time to slowly migrate the user on TFA. We thaught that this option will check the user login, and bypass TFA if there is no token.
But the user can login with any password, so no only TFA will be skipped.

Is this a bug or a feature?
We are using PrivacyIdeay for VPN Login and we have not deployed ever Token to the users, is there another way to let the users login without TFA if they don’t have a token?

righter · March 18, 2022, 10:00am

I found a way.

I had to disable passonnotoken and use passthru instead to the userstore

cornelinux · March 19, 2022, 8:25am

See: 7.3. Authentication policies — privacyIDEA 3.6.2 documentation

“Will always be true” means exactly what you observed. So it works exactly as it is ment to work.