Push + TOTP question

Voxxie · November 26, 2019, 8:54pm

Hi all,

I am building a Proof-of-concept with privacyidea to see of we can use it in our environment.
We want for our end user to use the following authentication methods:
Password + Push notification or TOTP (without pin)

But we cant get it to work.
If we set the otppin policy to userstore, the push works and the TOTP isn working.
But if we sent the otpping policy to tokenpin the TOTP works but the push notication isn’t working anymore.

Kind regards,

Hans Vos

cornelinux · November 26, 2019, 9:53pm

Hello Hans,

welcome to privacyIDEA and the world of the most flexible two factor system.
As it is thus flexible no one can guess what you are actually encountering!

Please note, that the OTP PIN policy (https://privacyidea.readthedocs.io/en/latest/policies/authentication.html#otppin) can not work token dependent (so much for the most flexible system

Maybe this helps you to figure something out.
If you set the otppin policy to “userstore” a user must authenticate with userpassword + totp.

Please be aware, that our company netknights provides professional services and support. (As 99% of the community is using the forum to ask questions and not answer, I take the liberty in pointing this out)

Kind regards
Cornelius

Voxxie · November 28, 2019, 9:22am

Hi Conelius,

Thank you for your answer.
We got it working for our proof on concept now.

Once our management team approves the proposal we will contact netknights for support and professional services.

Kind regards,

Hans Vos

cornelinux · November 28, 2019, 10:30am

Hi Hans,
do you want to elaborate how you solved you issue?
Kind regards
Cornelius

Voxxie · November 28, 2019, 10:34am

Hi Cornelius,

Yes, of course.
We decided that Push requires a PIN.

So users can login now with:
Pin + Push
TOTP
Yubico

We are trying to figure out if its possible to make a pin only required for token-type PUSH, and not for other tokens.
But for my presentation, this environment suits the idea on how we want to deploy it for our users.

Once everyone agrees, we are contacting you guys to help us and tell us whats possible and whats not.

Regards,

Hans Vos

cornelinux · November 28, 2019, 4:02pm

Hi Hans,

the thing is that currently we have no policies based on the tokentype. So this is not directly possible.
We stumbled across this a lot. But: checking for a tokentype only makes sense for a limited number of policies. (This is maybe why there is not github issue, yet! )

Maybe we/you should open an issue, since this definitively would need some discussion and every user input is valuable.

Well, here it is.

Regards
Cornelius