Hello! I would like to know if it is possible in privacyIDEA to use 2FA with OTP only when a certain time has passed since the last login. privacyIDEA is currently used integrated into the authentication process of SimpleSAMLphp.
For security reasons this is not possible.
I personally think this is a very bad idea!
However, this could be part of a bigger concept, which we think of as “pre-authentication”.
See the linked privacyIDEA GitHub issue (opened 11:17AM - 09 Mar 22 UTC, Type: Idea!):
## Context
Every now and then some people come around and ask things like "Oh, can we do an authentication on the same machine only once a week?"
"Can we do 2FA only if the browser cache has been cleared?"
The problem is that privacyIDEA often does not have this information to decide whether there should be a 2FA or not.
Also, when hitting the endpoint `/validate/check`, we are already in the middle of the authentication.
And the application that is protected by privacyIDEA has already decided whether to ask the user for a 2nd factor or not.
Also see: Fuzzy Authentication: https://github.com/privacyidea/privacyidea/wiki/concept%3A-fuzzy-authentication
## Things to think about
* Should the application decide, or privacyIDEA decide, that 2FA is required today? Usually the application would decide, since the application has all the information and privacyIDEA does not.
* If privacyIDEA should decide, how should the application communicate with privacyIDEA? The application does not have any 2FA data yet. So should there be an additional endpoint like `/validate/please_tell_me_if_I_need_2fa` that the application queries, where privacyIDEA uses pluggable modules and rule sets to decide whether the application, with all the parameters and conditions, now needs 2FA or not? This would also require additional logic in the application.
@nilsbehlen This might be something to discuss on the next hackathon.
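The issue above describes a "pre-authentication" decision as a set of rules evaluated over context that only the application holds (time since the last second factor, whether the device is known, whether the browser cache was cleared). The following is an added illustration of that decision flow and is not privacyIDEA code or a privacyIDEA API; the `AuthContext` fields, the rule names and the sample contexts are all constructed for the example. It fails closed: any rule that fires, or any missing piece of context, results in a second factor being required, which is the safe default the issue's reasoning points at.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Callable, List, Optional

# Hypothetical context an application would gather before asking privacyIDEA
# for a second factor. None for last_2fa means "we do not know".
@dataclass
class AuthContext:
    user: str
    now: datetime
    last_2fa: Optional[datetime]
    device_known: bool
    cache_cleared: bool

@dataclass
class Decision:
    require_2fa: bool
    reasons: List[str]

# A rule returns a reason string when it demands 2FA, or None when it is satisfied.
Rule = Callable[[AuthContext], Optional[str]]

def rule_missing_history(ctx: AuthContext) -> Optional[str]:
    # No record of a previous second factor: fail closed.
    return "no record of a previous 2FA" if ctx.last_2fa is None else None

def rule_max_age(max_age: timedelta) -> Rule:
    # "Only once a week" style rule; the window is a parameter, not a recommendation.
    def rule(ctx: AuthContext) -> Optional[str]:
        if ctx.last_2fa is None:
            return None  # rule_missing_history already covers this case
        if ctx.now - ctx.last_2fa > max_age:
            return f"last 2FA older than {max_age}"
        return None
    return rule

def rule_unknown_device(ctx: AuthContext) -> Optional[str]:
    return "device not known" if not ctx.device_known else None

def rule_cache_cleared(ctx: AuthContext) -> Optional[str]:
    # The "only if the browser cache has been cleared" question from the issue.
    return "browser cache was cleared" if ctx.cache_cleared else None

DEFAULT_RULES: List[Rule] = [
    rule_missing_history,
    rule_max_age(timedelta(days=7)),
    rule_unknown_device,
    rule_cache_cleared,
]

def decide(ctx: AuthContext, rules: List[Rule] = DEFAULT_RULES) -> Decision:
    """Require 2FA if any rule fires; collect every reason for the audit log."""
    reasons = [reason for reason in (rule(ctx) for rule in rules) if reason]
    return Decision(require_2fa=bool(reasons), reasons=reasons)

# Constructed sample contexts.
NOW = datetime(2022, 3, 9, 11, 17, tzinfo=timezone.utc)

def sample_recent_known() -> Decision:
    return decide(AuthContext("alice", NOW, NOW - timedelta(days=2), True, False))

def sample_stale_known() -> Decision:
    return decide(AuthContext("alice", NOW, NOW - timedelta(days=10), True, False))

def sample_unknown_history() -> Decision:
    return decide(AuthContext("bob", NOW, None, True, False))

if __name__ == "__main__":
    for name, fn in [("recent/known", sample_recent_known),
                     ("stale/known", sample_stale_known),
                     ("unknown history", sample_unknown_history)]:
        d = fn()
        print(f"{name}: require_2fa={d.require_2fa} reasons={d.reasons}")
```

Every fired rule is kept as a reason so the application can log why a second factor was or was not requested; a rule engine that silently skips 2FA with no recorded justification is exactly what makes such a feature hard to audit.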