tbi <tbal...@gmail.com> writes:
> It is possible to change the login_mode to privacyIDEA which forces the
> user to use a Token to login instead of his userstore password.
Let's see.
> What I would like to achieve is, that as long as the user has no Token
> assigned, he is allowed to login with his userstore password.
This is possible with an authentication policy: enable
"passthru" and set it to "userstore". Documentation says:
  If set, the user in this realm will be authenticated against the
  userstore or against the given RADIUS config, if the user has no tokens
  assigned.
> As soon as he has a Token he needs the Token to login.
Only the token, or OTPPIN and token, or Userstore-password and token?
Enable "otppin" in the authentication policy and select what you like.
> From a security point of view it makes no sense to let him login if he has
> a token. Assuming that an attacker gets his credentials, he can just login
You could deny token enrollment with a policy.
Hope that helps.
Jochen
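
The decision flow discussed in this thread, as an added example that is not part of the original mail and is not privacyIDEA source code: a simplified Python model of "passthru" combined with the three "otppin" choices. The users, passwords, PIN and the fixed OTP value are constructed sample data, and the fixed OTP stands in for a real HOTP/TOTP check; the assumption that the PIN part comes before the OTP in the password field is the model's, too.

```python
# Simplified model of the passthru / otppin decision flow; constructed for
# illustration, not privacyIDEA code.
import hmac

# Constructed sample data: userstore passwords and assigned tokens.
USERSTORE = {"alice": "alicepw", "bob": "bobpw"}
# alice has no token; bob has one. valid_otp stands in for a real OTP check.
TOKENS = {"bob": {"pin": "1234", "valid_otp": "755224", "otplen": 6}}


def _eq(a, b):
    """Constant-time comparison of two secrets."""
    return hmac.compare_digest(a.encode(), b.encode())


def authenticate(user, passwd, passthru=None, otppin="tokenpin"):
    """Return (ok, path) for one login attempt.

    passthru: None or "userstore"
    otppin:   "tokenpin", "userstore" or "none"
    """
    if user not in USERSTORE:
        return (False, "unknown-user")
    token = TOKENS.get(user)
    if token is None:
        # passthru applies only while the user has no token assigned.
        if passthru == "userstore":
            return (_eq(passwd, USERSTORE[user]), "passthru")
        return (False, "no-token")
    # A token is assigned: passthru is ignored from here on.
    # Assumption: the password field carries <PIN part><OTP>.
    n = token["otplen"]
    if len(passwd) < n:
        return (False, "token")
    pin_part, otp = passwd[:-n], passwd[-n:]
    if otppin == "none":
        pin_ok = pin_part == ""          # only the OTP, no PIN at all
    elif otppin == "userstore":
        pin_ok = _eq(pin_part, USERSTORE[user])
    else:                                # "tokenpin"
        pin_ok = _eq(pin_part, token["pin"])
    return (pin_ok and _eq(otp, token["valid_otp"]), "token")
```

In this model a stolen userstore password only works for users without a token; once a token exists, the same password on its own is rejected regardless of the passthru setting.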