Use device passwords for certain devices


#1

Sometimes people wonder, if it would be possible to assign kind of static tokens to devices. So that certain devices can authenticate against privacyIDEA without the need to present a 2nd factor.

So lets see to understand, how the authentication works.

A user can have several different token types

A user can have an HOTP or TOTP token, which he uses when he authenticates at a certain service manually. This makes sense, since this one time password also protects against keyloggers and shoulder surfers.
At the same time a user can have other tokentypes like the spass token or the not so well documented password token.

If nothing else is specified the user can authenticate with either token!

The spass and the password

Note that a token always consists of two components:

  1. The PIN (or the userstore password, if you set a otppin policy)
  2. and the OTP part or the second factor part.

spass

With the spass token the second factor does not exist, it is always true. Thus if you set the otppin policy to be “userstore”, than the user will authenticate e.g. with his LDAP password.

A user, who has an H/TOTP token and a spass token and the LDAP password “123456”, can now either authenticate with:

  • 123456777777 (123456 being the LDAP password and 777777 the OTP value of his TOTP token) or
  • 123456 (123456 being the LDAP password and the rest being the spass part = nothing)

password

In contrast to the spass token the password token requires a second component:

  1. component being the LDAP password
  2. component (the OTP part) being a static password

Thus a user could authenticate with

  • 123456Zohdu0eiv1pe

123456 being the well known week LDAP password and
Zohdu0eiv1pe being the all time static password (or whichever was set).

This might not make much sense, if a user can still authenticate with a static password, so he probably would never use the second factor?
This is why the policies are also IP dependent.

Authentication policies

Policies allow to add the client IP.
The authentication policy can define, if a PIN is needed or not as mentioned above and the authorization policy tokentype allows to define, which token type is allowed to be used for authentication.

This way you can configure

  1. Only allow authentication with LDAP password and OTP from certain IP addresses:

    • 1st policy: scope:auth, action:otppin=userstore, clientip=restricted
    • 2nd policy: scope:authz, action:tokentype=totp, clientip=restricted
  2. Allow to use a static password without the LDAP password from other certain IP addresses:

    • 1st policy: scope:auth, action:otppin=none, clientip=restricted
    • optional 2nd policy: scope:authz, action:tokentype=pw, clientip=restircted

However, this can only work on client IPs not on application types.

Comments are welcome to improve this information