Spass token complexity or random generated

kvv · November 26, 2022, 11:33am

Hi all,

My privacyidea setup serves 2 types of tokens hotp and spass.
For hotp is the pin is short and I don’t mind if the user makes it overly simple, the hotp-token will compensate for that. And I want the user to set the pin themselves instead of enforcing a random pin.

However for spass tokens that is not the case, I can only force a minimum length to make it more secure.
Would it be possible to supply users with a generated random spass pin?
Or can I set complexity rules so that I can enforce the use of stronger pins?

Finally: is it possible to combine the opposite requirements for hotp and spass in policies?

– Kees

cornelinux · November 26, 2022, 9:35pm

Yes.

Yes. policy scope:user and action:spass_otp_pin_contents.

But you might also want to take a look at the “pw” token.

The spass token works this way, that the 2nd factor part of the token always replies with true, so the user ends up with the “otp pin”.

The pw token however works this way, that it combines the otppin (could be anything like the user store pw) with a static 2nd factor component.

kvv · November 27, 2022, 3:05pm

Policy scope:user and action:spass_otp_pin_contents does not seem to do what I want.
With +cn it is allowed to use chars and nums but it does not enforce that I use both, nor can I find a way to enforce upper and lowercase usage. Which means a pin with only number or only lowercase chars is valid. Is it possible to enforce more complex pins?

The PasswordTokens seem to be meant for a lost password situation.
My use-case is little different. I am looking at smtp/imap permanent passwords for use on mobile devices.
The problem is that “Modern authentication” is only available for some big vendors like gmail and outlook. Domain passwords require regular password changes, since people tend to forget to update their phone at the same time (and phones sync regularly) that leads to account lockouts.
The solution I am implementing is to create a long (> 25 chars) permanent password (currently a spass-token) that can only be used for smtp/imap on mobile devices.
Complexity is important because I do not want 25 the same chars as a password or similar simple but longs passwords.
Is it possible to use spass_otp_pin_contents to achieve that (and what would that look like)?

– Kees

cornelinux · November 27, 2022, 4:35pm

Yes

No, it is not limited to that.

This makes sense. I would use a pw token type for that

I would probably not use spass tokens!

The contents also provides the “s” option.

kvv · November 27, 2022, 6:20pm

Is it possible to use spass_otp_pin_contents to achieve that (and what would that look like)?

But selecting more types of chars will not prevent a user from creating a password of 25 the same chars: “aaaaaaaaaaaaaaaaaaa” still passes the rules, e.g. “+cns”. What is the way to ensure different types of chars must be used?

I cannot find the documentation on how to allow users to enroll for a pw-token and how to setup policies for user self-service and for authentication of a user from a given server(-ip) against pw-tokens.
That makes it hard to setup, do you have a pointer perhaps?

cornelinux · November 27, 2022, 6:54pm

Read the docs more carefully!

https://privacyidea.readthedocs.io/en/master/policies/admin.html?highlight=otp_pin_contents#otp-pin-contents

+cns is the wrong choice!

kvv · November 27, 2022, 7:02pm

ok, bad example, in fact I have been using “+cn”
But the example of “aaaaaaaaaaaaaaaaaaaa” is a valid pin, but not a very complex one.
If I understand the docs correctly the otp-pin-contents only sets valid input chars, but does not enforce complexity? Or am I missing something?

cornelinux · November 27, 2022, 8:14pm

Read the link I sent. I think it is clear. And also has examples!

kvv · November 27, 2022, 8:30pm

You’re right, the doc is clear enough. It looks like reading is pretty hard

I am still a bit puzzled about the advice to use the pw-token. I can’t find much doc, nor anything in the UI.