2 person login

[cornelinux]

PUSH token that needs interaction with the user and the login page.

The scenario is, that one person sits in front of the login page and the other person is the owner of the 2nd factor.
The 1st person logs in. The 2nd person is required to contact the first person. A personal interaction is requested between the two persons - the PUSH token would allow a login without interaction.

This seems to be different from the push fatigue requirement in #3632

Questions:

• Why not use SMS or Email? Speed? Costs?
• Why not use 4 eyes token?

cc: 174178
@nilsbehlen I would like to discuss this in the next KESS.

Discuss: Are we finde with a 33% chance of guessing?

Todos

• We need to adapt this message:

  privacyidea/privacyidea/lib/tokens/pushtoken.py

  Line 886 in 6e80ba2

  message = get_action_values_from_options(SCOPE.AUTH,

• create challenge data, store challenge data,
• send callenge data to the smartphone, so that the smartphone can create the accordingly buttons. Enhance _build_smartphone_data

  privacyidea/privacyidea/lib/tokens/pushtoken.py

  Line 903 in 6e80ba2

  smartphone_data = _build_smartphone_data(self,

• enhance the processing of the smartphone response.

  privacyidea/privacyidea/lib/tokens/pushtoken.py

  Line 614 in 6e80ba2

  log.debug("Handling the authentication response from the smartphone.")

  
  How shoold we do this? We also could add the random number to the nonce and thus have it automagically in the response of the smartphone.
• Add policy: scope:authentication, action:policy_require_presence. We could do this as a boolean checkbox or we could make configurable: number of possible numbers. length of possible numbers (which does not matter). We could also simply do "A", "B", "C". sind it is a 1/3 chance.
• documentation
• Add support for poll_only.
• What should happen, if a user has several push tokens? We need to ensure, that a user, who has several push tokens and triggers several challenges, gets the same challenge data, since he most probably has the same transaction id entry in the challenge database? Done in 84d9aa2 (see Multiple Push Tokens with push_wait #2323)
• If the user has several push tokens and one challenge received the wrong answer. Should the challenges of the other tokens be canceled? This would actually happen here:

  privacyidea/privacyidea/lib/tokens/pushtoken.py

  Line 668 in 84d9aa2

  # TODO: should we somehow invalidate the challenge by e.g. shuffling the data?

[cornelinux]

A possible way to enforce the communication between the person who sits in front of the login dialog and the holder of the smartphone app would be as follows:

The challenge text does not only contain "please confirm the login on your smartphone", but it would contain a random informatoin like: "please confirm the login on your smartphone by pressing 17".

The privacyIDEA server would have to store the 17 as challenge data.

The smartphone would receive e.g. 5, 17 and 49 and the smartphone user would have to click either of those.
The answer would be sent back to privacyIDEA. Depending on the correctness the challenge would be successfully marked or discarded.

This could be configured as optional push auth mode. This way we could also use this with already enrolled push tokens.
In this case we would have to update the server and the smartphone app.
All plugins would not need an update.

What happens, if there are more than one push tokens and several challenges are created. Is it possible to create the same tupples for all push tokens, so that only one correct number needs to be displayed in the challenge text?

Spec

@frankmer Please stop by, when the spec is complete.

smartphone receiving data

The JSON object sent to the smartphone can contain two additional entries:

{ ...
   "require_presence":  "{string of available options separated by ','}",
   "version": "2"
}

If require_presence is available the smartphone app shall display the list entry (strings) on each separate button.

The signature contains the "require_presence" as the last entry, separated by "|".

The user will then press one of the buttons. The login window tells the user, which button he should press.

smartphone sending data

The smartphone app does not know the correct answer. It needs to send the pressed button (aka the string) back to the privacyIDEA server.

This needs to be implemented here:

privacyidea/privacyidea/lib/tokens/pushtoken.py

Line 634 in 232377f

decline = is_true(getParam(request_data, "decline", default=False))

As @frankmer suggested the answer of the smartphone should contain:

    "presence_answer":  "pressedAnswer",

The signature will be created as suggested

signature =  {nonce}|{serial}[|decline][|{pressedAnswer}]

while "decline" is the word decline and "" would be the displayed and pressed answer. Could be "A", "B" or "C" or "McCartney", "Harrison" or "Starr".

As the user would either press "decline" or a supposedly valid answer, the signed message would be

• {nonce}|{serial}|decline
• {nonce}|{serial}|{pressedAnswer}

or classically:

• {nonce}|{serial}

[cornelinux]

This would be related to #3632 or even would make it obsolete.

We could even, if the number is answered wrong, start to delete the challenge or block the token.

[frankmer]

@cornelinux
Since the accepted/declined information is in the signed message and the body of the response, I would add the pressed number to the signed message and body as well.

signature =  {nonce}|{serial}[|decline][|{number}]

{ ...
   "decline": "0"
   "presence_answer":  "{pressedNumber}",
}