A bug in the policy module prevents authenticating with a serial number. Affected version: privacyIDEA 2.6. Probability: High. Security Severity: Low. Technical Background: privacyIDEA allows authentication with a username or a token serial number, i.e. the API can do a POST /validate/check user=username pass=PIN+OTP or a POST /validate/check serial=serialnumber […]
Monthly Archives: September 2015
3 posts
Today privacyIDEA version 2.6 was released. This release makes authentication easier by providing a new token type, TiQR. The TiQR token is based on the OCRA protocol, a challenge-response protocol that can be used to authenticate or to sign transaction data. The TiQR token is a […]
A bug in the LDAP Resolver can lead to unauthorized access as an LDAP user. Under certain conditions a rogue user can log in as an LDAP user to the privacyIDEA web UI or guess a static password part during authentication when the policy scope=authentication, otppin=userstore is used. Details. Preconditions: This problem […]