I’m currently test driving PrivacyIDEA which is a very nice and versatile solution (Big thanks to Cornelius). For the end-user part I’m conducting some research on apps that can work in a reliable way with the PrivacyIDEA environment. Specifically I’d like to know how others on the forum are deploying/using end-user (IOS/Android) apps. Currently I’m doing some tests with Google Authenticator. My biggest concern is how users safely transfer the app to another phone in case they lost their phone or want to start using a new phone. There seems to be no way to backup the code and transfer it to another device. I also looked at the Authy app which seems to have an option to backup and restore the code. But I’ don’t want to rely on that.
I personally think in an enterprise environment the users MUST NOT transfer the app to another phone. Well, if you are some application provider like Amazon, you might be interested in doing so. Because you want to push many tasks to the user.
If you are in an enterprise environment you especially do not want to ALLOW the user to transfer the token to another phone. Think of there might be policies, that the token is only available on ONE pyhsical device. Maybe the company has controlled, that the token was enrolled to this very specific device…
This is may opinion.
The privacyIDEA server does not allow to do so. You could however find an App, that would allow to create a backup of the token. The privacyIDEA Authenticator App also does not allow this.
So you’re suggesting that users should re-enroll their tokens at all times? E.g. in case of switching phones temporarily disable the token and enroll a new one. Or if they lose their phones start the enrollment procedure from scratch. That does sound logical indeed. I’m a bit apprehensive about backing up tokens at 3rd party providers.
Well, what would you do, if a user looses a hardware token?
He gets a new one.
If the user looses his phone: You do not know how good the security of the phone is. You could see the secret key as compromised. So it is only logical to enroll a new token.
If the user switches his phone. Are you sure, that he deletes his token from the phone or simply passes the phone to his son. Or ebay. The secret key would be compromized. So it is only logical to enroll a new token!
While it makes sense from an enterprise security pov, I as an educated user want to be able to transfer my PI tokens to a new phone without much hassle.
A big red warning, with 3 are you sure buttons should be good enough for educated users. For enterprise, MDM settings can prevent export if that’s the company policy.
But it should ultimately be the end user’s choice.