2-factor authentication for owncloud mobile devices
156 views
Skip to first unread message
Prism
Jan 31, 2016, 9:57:55 AM1/31/16
to privacyidea
Hi, I just configured privacyidea HOTP for my owncloud setup (ubuntu, mysql) and it works perfectly.
The issue arises when I try to run it off my owncloud for iOS app. Because the HOTP 6 digit passcode is valid for single use, although I can configure it on the iOS app, I cannot actually use it because it expires when I refresh the content.
Is there a way of locking a passcode to a specific device so that the passcode can be reused an unlimited number of times on that specific device?
Thanks for your help.
Cornelius Kölbel
Jan 31, 2016, 10:07:19 AM1/31/16
to priva...@googlegroups.com
Your observation is right.
OwnCloud really sucks at the client side authentication, since it caches
passwords and does not use authentication tokens like OAuth or anything
else. You have the same problem with the desktop client, which will
result in locked tokens.
Fixing things in the backend (privacyidea) that are broken in the
frontend (owncloud) is the wrong approach.
However, you can assign a second token to the user, a simple pass token,
which only consists of the OTP PIN - i.e. a fixed password. Since this
is what this software which I also finally banned from my computers is
capable of handling.
This way you can use a SPASS token for the iOS app an true OTP for the
web app.
Kind regards
Cornelius
> --
> For professional services and consultancy regarding two factor
> authentication please visit
> https://netknights.it/en/leistungen/support/
>
> In and enterprise environment you should get a SERVICE LEVEL AGREEMENT
> which suites your needs for SECURITY, AVAILABILITY and LIABILITY:
> https://netknights.it/en/leistungen/service-level-agreements/
> ---
> You received this message because you are subscribed to the Google
> Groups "privacyidea" group.
> To unsubscribe from this group and stop receiving emails from it, send
> an email to privacyidea...@googlegroups.com.
> To post to this group, send email to priva...@googlegroups.com.
> Visit this group at https://groups.google.com/group/privacyidea.
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/privacyidea/824a041f-fdec-4e07-ba73-55f88bffd6f4%40googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.
--
Cornelius Kölbel
corneliu...@netknights.it
+49 151 2960 1417
NetKnights GmbH
http://www.netknights.it
Landgraf-Karl-Str. 19, 34131 Kassel, Germany
Tel: +49 561 3166797, Fax: +49 561 3166798
Amtsgericht Kassel, HRB 16405
Geschäftsführer: Cornelius Kölbel
OwnCloud really sucks at the client side authentication, since it caches
passwords and does not use authentication tokens like OAuth or anything
else. You have the same problem with the desktop client, which will
result in locked tokens.
Fixing things in the backend (privacyidea) that are broken in the
frontend (owncloud) is the wrong approach.
However, you can assign a second token to the user, a simple pass token,
which only consists of the OTP PIN - i.e. a fixed password. Since this
is what this software which I also finally banned from my computers is
capable of handling.
This way you can use a SPASS token for the iOS app an true OTP for the
web app.
Kind regards
Cornelius
> For professional services and consultancy regarding two factor
> authentication please visit
> https://netknights.it/en/leistungen/support/
>
> In and enterprise environment you should get a SERVICE LEVEL AGREEMENT
> which suites your needs for SECURITY, AVAILABILITY and LIABILITY:
> https://netknights.it/en/leistungen/service-level-agreements/
> ---
> You received this message because you are subscribed to the Google
> Groups "privacyidea" group.
> To unsubscribe from this group and stop receiving emails from it, send
> an email to privacyidea...@googlegroups.com.
> To post to this group, send email to priva...@googlegroups.com.
> Visit this group at https://groups.google.com/group/privacyidea.
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/privacyidea/824a041f-fdec-4e07-ba73-55f88bffd6f4%40googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.
--
Cornelius Kölbel
corneliu...@netknights.it
+49 151 2960 1417
NetKnights GmbH
http://www.netknights.it
Landgraf-Karl-Str. 19, 34131 Kassel, Germany
Tel: +49 561 3166797, Fax: +49 561 3166798
Amtsgericht Kassel, HRB 16405
Geschäftsführer: Cornelius Kölbel
Reply all
Reply to author
Forward
0 new messages