Use device passwords for certain devices

Sometimes people wonder whether it would be possible to assign a kind of static token to devices, so that certain devices can authenticate against privacyIDEA without needing to present a second factor.

So let's see how the authentication works.

A user can have several different token types

A user can have an HOTP or TOTP token, which he uses when he authenticates at a certain service manually. This makes sense, since this one-time password also protects against keyloggers and shoulder surfers.
At the same time a user can have other token types, like the spass token or the not so well documented password token.

If nothing else is specified the user can authenticate with either token!

The spass and the password

Note that a token always consists of two components:

  1. The PIN (or the userstore password, if you set an otppin policy)
  2. and the OTP part or the second factor part.

spass

With the spass token the second factor does not exist; it is always true. Thus, if you set the otppin policy to “userstore”, then the user will authenticate, e.g., with his LDAP password.

A user who has an HOTP/TOTP token, a spass token and the LDAP password “123456” can now authenticate with either:

  • 123456777777 (123456 being the LDAP password and 777777 the OTP value of his TOTP token) or
  • 123456 (123456 being the LDAP password and the rest being the spass part = nothing)

password

In contrast to the spass token, the password token requires a second component:

  1. The first component is the LDAP password
  2. The second component (the OTP part) is a static password

Thus a user could authenticate with

  • 123456Zohdu0eiv1pe

123456 being the well-known weak LDAP password and
Zohdu0eiv1pe being the all-time static password (or whichever was set).

This might not make much sense if a user can still authenticate with a static password, since he would then probably never use the second factor.
This is why the policies are also IP-dependent.

Authentication policies

Policies allow you to add the client IP.
The authentication policy can define whether a PIN is needed or not, as mentioned above, and the authorization policy tokentype allows you to define which token type may be used for authentication.

This way you can configure

  1. Only allow authentication with LDAP password and OTP from certain IP addresses:

    • 1st policy: scope:auth, action:otppin=userstore, clientip=restricted
    • 2nd policy: scope:authz, action:tokentype=totp, clientip=restricted
  2. Allow the use of a static password without the LDAP password from certain other IP addresses:

    • 1st policy: scope:auth, action:otppin=none, clientip=restricted
    • optional 2nd policy: scope:authz, action:tokentype=pw, clientip=restricted

However, this can only work on client IPs, not on application types.

Comments are welcome to improve this information
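To make the PIN + OTP split and the two policy configurations above concrete, here is a toy model written for this thread. It is not privacyIDEA's code: the networks 10.0.1.0/24 and 192.168.7.0/24, the token PIN 4711 and the RFC 6238 test seed are constructed sample data, and the policy engine is simplified (first matching policy per scope, no priorities, only the totp, spass and pw types).

```python
"""Toy model of privacyIDEA's PIN + OTP split and of client-IP policies.
Added example for this thread, not privacyIDEA code: it keeps the first matching
policy per scope, knows no policy priorities, and models only totp, spass and pw."""
import hashlib
import hmac
import ipaddress
import struct
from dataclasses import dataclass


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP with HMAC-SHA1 and dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30) -> str:
    """RFC 6238 TOTP: HOTP over the 30-second time step."""
    return hotp(secret, unix_time // step)


@dataclass
class Token:
    type: str            # "totp", "spass" or "pw"
    otpkey: bytes = b""  # TOTP seed, or the static password of a pw token
    otplen: int = 0      # length of the OTP part: 6 for totp, 0 for spass, len(password) for pw
    pin: str = ""        # token PIN, checked only with otppin=tokenpin (the default)


@dataclass
class Policy:
    scope: str           # "auth" or "authz"
    action: dict         # {"otppin": "userstore" | "none" | "tokenpin"} or {"tokentype": "totp"}
    client: str = ""     # comma-separated IPs/networks; "" matches every client


def client_matches(policy: Policy, ip) -> bool:
    if not policy.client:
        return True
    return any(ip in ipaddress.ip_network(net.strip(), strict=False)
               for net in policy.client.split(","))


def check_otp(token: Token, otp: str, now: int) -> bool:
    """The second-factor part: always true for spass, a static string for pw, a TOTP otherwise."""
    if token.type == "spass":
        return True
    if token.type == "pw":
        return hmac.compare_digest(otp.encode(), token.otpkey)
    if token.type == "totp":  # accept the previous, current and next 30-second step
        return any(hmac.compare_digest(otp.encode(), totp(token.otpkey, now + d * 30).encode())
                   for d in (-1, 0, 1))
    return False


def validate_check(tokens, password, client_ip, policies, userstore_pw, now):
    """Simplified /validate/check: returns the type of the token that authenticated, or None."""
    ip = ipaddress.ip_address(client_ip)
    active = [p for p in policies if client_matches(p, ip)]
    otppin = next((p.action["otppin"] for p in active
                   if p.scope == "auth" and "otppin" in p.action), "tokenpin")
    allowed = set()
    for p in active:
        if p.scope == "authz" and "tokentype" in p.action:
            allowed.update(p.action["tokentype"].split())
    for tok in tokens:
        if allowed and tok.type not in allowed:
            continue  # authz tokentype policy excludes this token type for this client
        if len(password) < tok.otplen:
            continue
        cut = len(password) - tok.otplen
        pin, otp = password[:cut], password[cut:]  # the OTP part is the tail, the PIN the rest
        if otppin == "userstore":
            pin_ok = hmac.compare_digest(pin.encode(), userstore_pw.encode())
        elif otppin == "none":
            pin_ok = True  # no PIN check at all
        else:
            pin_ok = hmac.compare_digest(pin.encode(), tok.pin.encode())
        if pin_ok and check_otp(tok, otp, now):
            return tok.type
    return None


# Constructed sample data: the RFC 6238 test seed, the thread's LDAP and static passwords.
SEED = b"12345678901234567890"
USER_TOKENS = [Token("totp", SEED, otplen=6, pin="4711"),
               Token("spass", pin="4711"),
               Token("pw", b"Zohdu0eiv1pe", otplen=12, pin="4711")]
LDAP_PASSWORD = "123456"
NOW = 1111111109  # RFC 6238 test time: the TOTP value is "081804"

EVERYWHERE_USERSTORE = [Policy("auth", {"otppin": "userstore"})]
PER_NETWORK = [  # the two configurations from the post, with assumed networks
    Policy("auth", {"otppin": "userstore"}, client="10.0.1.0/24"),
    Policy("authz", {"tokentype": "totp"}, client="10.0.1.0/24"),
    Policy("auth", {"otppin": "none"}, client="192.168.7.0/24"),
    Policy("authz", {"tokentype": "pw"}, client="192.168.7.0/24"),
]
```

With only the global userstore policy, validate_check(USER_TOKENS, "123456081804", "10.0.1.5", EVERYWHERE_USERSTORE, LDAP_PASSWORD, NOW) returns "totp", "123456" alone returns "spass" and "123456Zohdu0eiv1pe" returns "pw", i.e. either token works. With PER_NETWORK the same user from 10.0.1.5 only gets through with LDAP password plus TOTP, and from 192.168.7.9 only with the bare static password. One thing the model makes visible: with otppin=none and no authz tokentype policy, the spass token, whose second factor is always true, accepts any input from that network, so in this model the "optional" second policy of configuration 2 is what keeps the spass token from turning otppin=none into no authentication at all; worth verifying on your own instance before leaving it out.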

Hi!

I’m looking to use the password token for device authentication (mobile devices with Active Exchange account types), in addition to HOTPs and TOTPs for other authentication scenarios, but for some reason the password token does not appear in the list of available tokens.

Why would that be, and how can I get my users to enroll password tokens? I tried the spass token, but it doesn’t seem like the right approach.

Also, I would like to restrict the users’ ability to enroll to these token types, and for that I used a user policy and enabled enrollHOTP and enrollTOTP in the enrollment group, but I don’t have an item for password tokens.

Probably I’m misunderstanding the password token in relation to lost passwords, but I read that for that I need to have an editable user store.

I have installed privacyIdea 3.8.1 on CentOS 7 as per the guide with AD as resolver.

Thanks!

Mario

The password (type: “pw”) token type cannot be enrolled via the WebUI. It can only be enrolled by the admin via the API.

You may also want to take a look at the “application specific password”, which will be released with version 3.9.
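Since pw tokens are enrolled via the API only, here is an added example (written for this thread, not privacyIDEA's own code) that logs in as an admin, enrols a pw token for a user and creates the per-network policies from the first post. The base URL, admin account, user "mario", realm "ad", policy names and networks are assumptions; the endpoints /auth, /token/init and /policy/<name> and the parameters type, otpkey, user, realm, scope, action and client are those of the privacyIDEA REST API as I know it, so check them against the API documentation of your version.

```python
"""Enrol a pw token and create the per-network policies from the first post through the
privacyIDEA REST API. Added example, not code from the thread or from privacyIDEA; base URL,
admin account, user, realm, policy names and networks are assumptions."""
import json
import urllib.parse
import urllib.request
from typing import Optional

PI_URL = "https://pi.example.com"  # assumption: your privacyIDEA base URL

# The two configurations from the first post; names and networks are assumed.
SITE_POLICIES = [
    ("restricted_userstore", "auth", "otppin=userstore", "10.0.1.0/24"),
    ("restricted_totp_only", "authz", "tokentype=totp", "10.0.1.0/24"),
    ("devices_no_pin", "auth", "otppin=none", "192.168.7.0/24"),
    ("devices_pw_only", "authz", "tokentype=pw", "192.168.7.0/24"),
]


def build_request(path: str, form: dict, jwt: Optional[str] = None) -> urllib.request.Request:
    """Form-encoded POST; the JWT returned by /auth goes into the Authorization header."""
    req = urllib.request.Request(PI_URL + path, data=urllib.parse.urlencode(form).encode(),
                                 method="POST")
    if jwt:
        req.add_header("Authorization", jwt)
    return req


def post(path: str, form: dict, jwt: Optional[str] = None) -> dict:
    """Send the request and fail loudly if privacyIDEA reports result.status == false."""
    with urllib.request.urlopen(build_request(path, form, jwt)) as resp:
        body = json.load(resp)
    if not body.get("result", {}).get("status"):
        raise RuntimeError(f"{path} failed: {body}")
    return body


def admin_login(username: str, password: str) -> str:
    """POST /auth returns the JWT in result.value.token."""
    return post("/auth", {"username": username, "password": password})["result"]["value"]["token"]


def enroll_pw_token(jwt: str, user: str, realm: str, static_password: str) -> str:
    """POST /token/init with type=pw; the pw token takes its static password as otpkey.
    Returns the serial of the new token."""
    body = post("/token/init", {"type": "pw", "otpkey": static_password,
                                "user": user, "realm": realm}, jwt)
    return body["detail"]["serial"]


def set_policy(jwt: str, name: str, scope: str, action: str, client: str) -> dict:
    """POST /policy/<name>; client limits the policy to these IPs or networks."""
    return post("/policy/" + name, {"scope": scope, "action": action, "client": client}, jwt)


def apply_site_policies(jwt: str) -> None:
    for name, scope, action, client in SITE_POLICIES:
        set_policy(jwt, name, scope, action, client)


if __name__ == "__main__":
    token = admin_login("admin", "admin-password")  # assumed admin credentials
    print("enrolled", enroll_pw_token(token, "mario", "ad", "Zohdu0eiv1pe"))
    apply_site_policies(token)
```

The static password ends up as the token's OTP part, so which PIN (if any) a device has to prepend is decided by the otppin policy matching its client IP, exactly as in the first post; give devices on the otppin=none network their own pw token each, so a single leaked device password can be revoked by disabling one token.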

Thank you! Generated a few pw tokens through the API. Looking forward to version 3.9.