TiQR authentication fail counter increases if we query the status

I have a question. I am following the doc:

This behaviour can also be triggered if we log in via the web interface. After we enter the PIN code it will display the QR code and regularly reload the page. When the page reloads it will trigger a fail and this number increases rapidly and will soon hit the max fail counter.

```
[2019-06-14 00:12:03,619][9160][139842900588288][ERROR][privacyidea.lib.auditmodules.sqlaudit:256] DATA: {'success': True, 'client': '145.XXX.XXX.XXX', 'client_user_agent': 'firefox', 'privacyidea_server': 'surfsara.nl', 'action': 'POST /auth', 'action_detail': '', 'info': 'internal admin', 'user': '', 'realm': '', 'administrator': 'pi_admin', 'policies': 'cua_webui,cua_webui'}
```

This can also be triggered on the command line:

```
curl -X POST 'https://surfsara.nl/validate/check?user=bas&pass=01234'
curl -X GET 'https://surfsara.nl/validate/check?user=bas&pass=&transaction_id=139842900588288'
```

The second request returns:

```json
{
  "detail": {
    "message": "Response did not match the challenge.",
    "serial": "TiQR00004EE3",
    "threadid": 139842900588288,
    "type": "tiqr"
  },
  "id": 1,
  "jsonrpc": "2.0",
  "result": {
    "status": true,
    "value": false
  },
  "time": 1560464269.7498221,
  "version": "privacyIDEA 3.0.1",
  "versionnumber": "3.0.1",
  "signature": "rsa_sha256_pss:0187c3c6e5a3146f0def80901a25fa407b17aae60111dcd0095cc6533be7b6690e180b348961cbc555fe501559dcd9c0860866ba8d01499cb2c38b6b1efe9986a6eefb295a656e1b3ed8a92e5a6b771c57eb3da52f8de2c0f409f6faf41e6468b93bb1c56e70f68a47bd5046dbb026395fd28ce1e6b81f6743d196c80e83f55ba4bcffcf6be2c17b24ec8c17cf4981aba55f6cfef651a8f8a1aaf9deac01260613c7a0ea4c75ce381ccdccb2de6fc6dc10b62ff5ee4dfd09fe7ada7233bcf81a95ad3e455272a02326cea66bb38062ffe2de20777d7ed5e3a384e062c890df97f9f6444b3db6855dc8ef1a9735e3e034de939ecfebfc6ef649fc23ede4f7cfe3"
}
```

Due to these queries we hit the max fail counter rapidly. Is this known or did we do something wrong in our setup?

I do not know if this is the right approach but I have changed the tiqrtoken.py code. If the transaction_id is valid but the user has not yet responded, reset the fail counter. This works in my environment:

function: `check_challenge_response`

```python
# inside check_challenge_response, after the challenge object for the
# transaction_id has been looked up: a still-valid challenge means the user
# simply has not answered yet, so do not let the poll count as a failure
if challengeobject.is_valid():
    log.info("HvB reset")
    self.reset()
```

wrote a patch:

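To make the failure mode concrete, here is a small simplified model of a challenge-response token with a fail counter (an added example, not privacyIDEA's tiqrtoken.py; the class and method names, the `MAX_FAIL` value and the message strings are assumptions). It contrasts a naive status check, which counts every poll of an unanswered challenge as a failed authentication and therefore locks the token after a handful of page reloads, with one that treats a still-valid, unanswered challenge as pending and leaves the counter alone, while an unknown or expired transaction still counts as a genuine failure.

```python
import time

MAX_FAIL = 10  # constructed lockout threshold for this model (privacyIDEA's is configurable)


class Challenge:
    """One outstanding TiQR challenge, identified by its transaction_id."""

    def __init__(self, transaction_id, validity=120):
        self.transaction_id = transaction_id
        self.expires = time.time() + validity
        self.answered = False  # set once the phone app has signed the challenge

    def is_valid(self):
        return time.time() < self.expires


class TiqrTokenModel:
    def __init__(self):
        self.fail_count = 0
        self.challenges = {}

    def create_challenge(self, transaction_id):
        self.challenges[transaction_id] = Challenge(transaction_id)

    def is_locked(self):
        return self.fail_count >= MAX_FAIL

    def poll_naive(self, transaction_id):
        """Buggy variant: any poll that finds no answered challenge is a failure."""
        ch = self.challenges.get(transaction_id)
        if ch is not None and ch.is_valid() and ch.answered:
            self.fail_count = 0
            return {"value": True, "message": "Found matching challenge"}
        self.fail_count += 1  # a browser reload lands here and burns one attempt
        return {"value": False, "message": "Response did not match the challenge."}

    def poll_fixed(self, transaction_id):
        """Fixed variant: a valid, unanswered challenge is pending, not a failure."""
        ch = self.challenges.get(transaction_id)
        if ch is None or not ch.is_valid():
            self.fail_count += 1  # unknown or expired transaction: real failure
            return {"value": False, "message": "Response did not match the challenge."}
        if not ch.answered:
            return {"value": False, "message": "Challenge is still pending."}
        self.fail_count = 0
        return {"value": True, "message": "Found matching challenge"}


def simulate(polls, fixed):
    """Poll one open challenge `polls` times; return (fail_count, locked)."""
    tok = TiqrTokenModel()
    tok.create_challenge("t1")
    check = tok.poll_fixed if fixed else tok.poll_naive
    for _ in range(polls):
        check("t1")
    return tok.fail_count, tok.is_locked()
```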

This was fixed in PR https://github.com/privacyidea/privacyidea/pull/1698
It will be released with privacyIDEA 3.1.
Thanks a lot for bringing this up.