
Credential Provider: Do not require second factor when unlocking system for certain amount of time after having used it last #3444

Closed
kheldorn opened this issue Jan 5, 2023 · 3 comments
Labels
Type: Feature request A change requested or proposed by a user which is not on the default roadmap Type: Idea! Discuss new ideas, features and enhancements

Comments

@kheldorn

kheldorn commented Jan 5, 2023

We'd like to introduce PrivacyIdea in our environment, mainly to secure local Windows logins, but during brainstorming people quickly raised the issue that they'd get very annoyed with it if they had to enter their second factor every time they unlock their computer.

We've got a system policy set that locks a computer after X number of minutes of inactivity, and because of that a bunch of people would be forced to enter not only their password, but also their second factor multiple times per day.
We do not want to disable the second factor for unlocking the system entirely though. We just want it to not be required every time the system is unlocked.

Our idea to combat this was to basically set things up in a way that will make the second factor absolutely mandatory if the system has been (these rules beat any others):

  • just booted
  • woken from standby (suspend to ram)
  • woken from hibernation (suspend to disk)

However, if the system was only locked then the client should NOT require the second factor if the following condition is met:

  • the user is just unlocking the system within XX minutes after having last used the second factor for login (or unlocking if XX had already expired before; we considered a value of something like 4 hours for XX; though obviously that should be configurable)

Further, the system should fall back to requiring the second factor under certain circumstances even if XX has not expired yet:

  • If the system has been locked more than XY times in the last XZ minutes (our default was 10 times in 1 hour; both values should be configurable)
  • If the user has entered a wrong password YY times while trying to unlock the system with the second factor disabled (our default value here was 3; again should be configurable)

I've got the whole ruleset written down as a PowerShell script that gets executed by a scheduled task triggered on a number of event log IDs from the system and security event logs.
Following the rules outlined above the script then modifies the "cpus_logon" and "cpus_unlock" registry keys to either enable or disable the second factor requirement.
It also keeps track (in the registry) of when the second factor was last used (to calculate when XX has expired), when it was locked (MultiString with a list of timestamps) and the number of unlocks to calculate when XY in XZ is exceeded, and obviously the number of failed unlocks to re-enable the second factor again after YY is exceeded.

The whole thing works but it adds an additional level of complexity I'd rather avoid if possible. However, we feel it is necessary to add such a feature to get not only our users but also management and VIPs on board with introducing PrivacyIDEA in our environment.

Instead of having a custom PowerShell script trigger on event log entries I'd much rather have the client natively support all these features and pull the configured values (XX, XY, XZ and YY) from a central configuration point allowing us to easily change and adjust values.

Is this something you could/would consider to implement? Would be very much appreciated and surely very useful not only to us but others as well. On top of that it would add a nice feature to the list that other competitors in this field might not have and set PrivacyIDEA apart in that regard.
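The decision logic described in the post, written out as an added PowerShell example (this is not the reporter's script and not code from the privacyIDEA credential provider). It is a pure function: it takes the state the post says the script tracks (last second-factor use, lock timestamps, failed password count, and why the logon prompt appeared) and returns whether the second factor must be required. The parameter names, the `Reason` values, and the defaults are assumptions taken from the post's suggested values (4 hours, 10 locks in 1 hour, 3 failures); "more than XY" is read as `-gt` and "YY wrong passwords" as `-ge`. The registry write to `cpus_logon`/`cpus_unlock` and the event-log trigger are deliberately left out, since the post does not give the key path or the event IDs.

```powershell
function Test-SecondFactorRequired {
    [CmdletBinding()]
    param(
        # Why the credential prompt appeared. Names are assumptions for this example.
        [Parameter(Mandatory)]
        [ValidateSet('Boot', 'ResumeFromStandby', 'ResumeFromHibernate', 'Unlock')]
        [string]$Reason,

        # Last successful second-factor use; [datetime]::MinValue means "never".
        [datetime]$LastSecondFactor = [datetime]::MinValue,

        # Timestamps of recent lock events (the post's MultiString list).
        [datetime[]]$LockTimes = @(),

        # Failed password attempts while the second factor was disabled.
        [int]$FailedUnlocks = 0,

        # Thresholds; defaults are the values suggested in the post.
        [timespan]$GraceWindow = [timespan]::FromHours(4),   # XX
        [int]$MaxLocks = 10,                                 # XY
        [timespan]$LockWindow = [timespan]::FromHours(1),    # XZ
        [int]$MaxFailures = 3,                               # YY

        # Injected clock so the function is deterministic when testing.
        [datetime]$Now = (Get-Date)
    )

    # Rule 1 (beats all others): boot and any resume always require the second factor.
    if ($Reason -ne 'Unlock') { return $true }

    # Rule 2: no second factor on record, or the XX grace window has expired.
    if (($Now - $LastSecondFactor) -gt $GraceWindow) { return $true }

    # Rule 3: locked more than XY times inside the sliding XZ window.
    $recentLocks = @($LockTimes | Where-Object { ($Now - $_) -le $LockWindow })
    if ($recentLocks.Count -gt $MaxLocks) { return $true }

    # Rule 4: YY wrong passwords while the second factor was disabled.
    if ($FailedUnlocks -ge $MaxFailures) { return $true }

    # Plain unlock inside the grace window with no abuse signals.
    return $false
}

# Constructed sample state for a demonstration run: second factor used 30 minutes
# ago, three lock events in the last hour, no failed password attempts.
$now = Get-Date
$lastSecondFactor = $now.AddMinutes(-30)
$lockTimes = @($now.AddMinutes(-50), $now.AddMinutes(-20), $now.AddMinutes(-5))

# A plain unlock under this state, then the same state after a resume from hibernation.
Test-SecondFactorRequired -Reason Unlock -LastSecondFactor $lastSecondFactor `
    -LockTimes $lockTimes -FailedUnlocks 0 -Now $now
Test-SecondFactorRequired -Reason ResumeFromHibernate -LastSecondFactor $lastSecondFactor `
    -LockTimes $lockTimes -FailedUnlocks 0 -Now $now
```

With the sample state the first call falls through to rule 4 and allows a password-only unlock, while the second call is stopped by rule 1 regardless of the grace window. Keeping the rules in one function with an injected `$Now` makes the policy easy to unit-test before it is wired to a scheduled task; whatever writes `cpus_logon`/`cpus_unlock` should fail closed (leave the second factor enabled) if this function cannot be evaluated, since the stored state is the only thing standing between a stolen password and an unlocked session.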

@kheldorn kheldorn added the Type: Feature request A change requested or proposed by a user which is not on the default roadmap label Jan 5, 2023
@github-actions

github-actions bot commented Jan 5, 2023

Thank you for filing an issue and sharing your observations or ideas. Please be sure to provide as much information as possible to help us to work on this issue.

@cornelinux cornelinux changed the title Do not require second factor when unlocking system for certain amount of time after having used it last Credential Provider: Do not require second factor when unlocking system for certain amount of time after having used it last Jan 9, 2023
@cornelinux
Member

This is a requirement for the privacyidea credential provider.
https://github.com/privacyidea/privacyidea-credential-provider

I leave it here for basic security-weakening-concepts ;-)

However, this could also be somehow done generically with Pre-Authentication #3033

@cornelinux cornelinux added the Type: Idea! Discuss new ideas, features and enhancements label Jan 9, 2023
@kheldorn
Author

Oops, my bad. Submitted it to the correct project too. ;)

Pre-/Fuzzy Authentication sounds similar indeed, though something (the credential provider?) would still need to contain the logic described above. So basically it is more or less the same idea.
