Passthru to userstore

I have enabled passthru=userstore along with privacyIDEA as the GUI auth source. Registered users use [password][code] and it works great. Onboarding users just use [password], and also great.

The docs say that passthru will kick in only when the user has no tokens defined. I’m wondering if this should really be “has no ACTIVE tokens defined” and thus is a bug? I had wanted to confirm the passthru, so I (as active user) disabled all my current tokens expecting that would be sufficient. It wasn’t. As currently implemented, there must be no tokens at all. Not the end of the world, but wondering if this was intentional?

Hello and welcome to privacyIDEA. You will have a great time with 2FA :slight_smile:

No. Works as intended and like documented. Isn’t this great?!

Yes. The passthru is originally intended for rollout scenarios, when a user has no token at all. If there is a token assigned to the user, this means that the user is supposed to login with two factors. This intention does not change if an administrator or a user would disable a token (User thinks: Oh, I do not want to use the token anymore.)

Imagine a user losing or misplacing a token. Then the user or a helpdesk admin would disable his token. The helpdesk would disable his token, so that the token can not be misused. But then the user would be able to login without a 2nd factor. This would be a great attack vector: stealing the user's token or making him misplace it, and I as an attacker only have to overcome the password.

What do you actually want to achieve?
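To make the point of the reply above concrete, here is a small added model of the two possible passthru rules (this is example code written for this thread, not privacyIDEA's own implementation; the token list, the user and the `authenticate` helper are constructed for illustration). It compares the documented rule, "passthru only when the user has no tokens at all", with the rule the original poster expected, "passthru when the user has no active tokens", for the lost-token scenario where the helpdesk has just disabled the only token.

```python
from dataclasses import dataclass
from typing import Callable, List


@dataclass
class Token:
    """Constructed stand-in for a privacyIDEA token: serial plus enabled flag."""
    serial: str
    active: bool


def passthru_documented(tokens: List[Token]) -> bool:
    """Documented privacyIDEA behaviour: passthru applies only if the user
    has no tokens assigned at all (rollout / onboarding situation)."""
    return len(tokens) == 0


def passthru_active_only(tokens: List[Token]) -> bool:
    """Hypothetical variant the poster expected: passthru applies as soon
    as no token is active. NOT how privacyIDEA behaves; shown for contrast."""
    return not any(t.active for t in tokens)


def authenticate(tokens: List[Token], password_ok: bool, otp_ok: bool,
                 passthru_rule: Callable[[List[Token]], bool]) -> bool:
    """Simplified decision: password is always required; if the passthru rule
    fires, the password alone is enough; otherwise a valid OTP against an
    active token is needed as the second factor."""
    if not password_ok:
        return False
    if passthru_rule(tokens):
        return True
    return otp_ok and any(t.active for t in tokens)


# Scenario from the thread: user lost the token, helpdesk disabled it.
# Someone who knows only the password (no OTP) tries to log in.
lost_token_user = [Token("TOTP00001", active=False)]
onboarding_user: List[Token] = []
registered_user = [Token("TOTP00002", active=True)]


def password_only_login_after_token_disabled(rule) -> bool:
    """Can a password-only login succeed once the sole token is disabled?"""
    return authenticate(lost_token_user, password_ok=True, otp_ok=False,
                        passthru_rule=rule)


def onboarding_login(rule) -> bool:
    """User with no tokens yet: passthru lets the password alone through."""
    return authenticate(onboarding_user, password_ok=True, otp_ok=False,
                        passthru_rule=rule)


def registered_login(rule, otp_ok: bool) -> bool:
    """User with an active token must present password and OTP."""
    return authenticate(registered_user, password_ok=True, otp_ok=otp_ok,
                        passthru_rule=rule)


if __name__ == "__main__":
    for name, rule in (("documented", passthru_documented),
                       ("active-only", passthru_active_only)):
        print(f"{name:12s} password-only login after disable: "
              f"{password_only_login_after_token_disabled(rule)}")
```

With the documented rule, disabling the token leaves the user unable to log in at all until the helpdesk issues something new (the registration token workflow mentioned later in the thread), which is the safe failure mode: a disabled token never silently downgrades the account to password-only. With the "active-only" rule the same disable action would open exactly the attack vector described above.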

Not really trying to achieve anything. As I said, was just re-verifying the passthru but I already had tokens that I didn’t want to delete and was assuming that disablement would get me there.

So I’m guessing you treat the on-boarding situation as a short-term event and recommend disabling the passthru once most people are well-established? How do you handle the temporarily lost U2F token? Helpdesk disables it, but as we now know, this means the user cannot login to PI with passthru since it doesn’t work that way. Is it best practice for the helpdesk to assign a PPR/TAN or email C-R just to get them back up and running?

Answering my own question: Registration token.


You have a lot of possibilities, you can use the registration token type for several workflows.
There is a standard workflow for lost tokens.

Yes, basically you are right.