...by the way. This is probably the reason why Red Hat uses the
predecessor of privacyIDEA as central 2FA authentication system for the OTP
On Friday, 30 December 2016 08:21:36 UTC+1, Cornelius Kölbel wrote:
> Hi Jochen,
> this is a very important point.
> Every application is adopting two factor authentication with OTP. This is
> great - we always hoped for such a security awareness.
> But the important difference is:
> The common web application that finally will implement TOTP ("this cloudy
> algorithm which was invented by the Google Authenticator" ;-) ) manages the
> seeds/keys for these tokens. If the user uses a smartphone app the user
> will end up with an "OTP token" or "profile" in his App for every
> Or he has to share the seeds one seed between all applications. And then
> he runs into the troubles mentioned earlier.
> You perfectly pointed out why you need a central authentication system
> for managing the second factors.
> From a user experience point of view the applications could also go for
> U2F. Then the user again will only have one device, which he needs to
> register with each application...
> ...but there will be no "syncing" problem.
> Kind regards
> On Thursday, 29 December 2016 20:45:34 UTC+1, Jochen Hein wrote:
>> Martin Basti <m....@redhat.com <mba...@redhat.com>> writes:
>> >> But providing access to a Yubico Token via privacyidea works for
>> >> cases I have in mind.
>> > How they are checking the valid tokens if they don't use its counter?
>> Privacyidea is the "owner" of the token and has the secret and the
>> counter stored. Every other system (e.g. pam_yubico or FreeIPA) is
>> checking the validation against privacyidea, either with the yubico
>> protocol, the privacyidea validation, or RADIUS.
>> Does this clarify the architecture of my system?
>> The only problem with troubleshooting is that the trouble shoots back.