A bug in the policy module prevents authenticating with a serial number.
- Affected version: privacyIDEA 2.6
- Probability: High
- Security Severity: Low
Technical Background
privacyIDEA allows a user to authenticate with either a username or a token serial number, i.e. the API accepts a
POST /validate/check
user=username pass=PIN+OTP
as well as a
POST /validate/check
serial=serialnumber pass=PIN+OTP
A bug in the file privacyidea/lib/policydecorators.py, in the code that checks whether challenge-response is enabled, causes an authentication request that carries no username (i.e. a request by serial number only) to fail.
Advisory
In common scenarios the user always authenticates with their username.
Only if you are using Remote token types, or have a special workflow, might authentication be performed using only the serial number of the token.
If you are not authenticating with serial numbers, you do not need to take any action.
If you are running such a scenario either
- use privacyIDEA 2.5
- use privacyIDEA >= 2.7dev1
- or drop us a note.
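The following probe is an added example and not part of this advisory or of the privacyIDEA code base. It sends the two request forms described under Technical Background (user= and serial=) to /validate/check and reports whether the serial-only form fails where the username form succeeds, which is the symptom of this bug. The base URL, user name, serial and OTP values are placeholders; because an OTP value cannot be reused, the two requests must carry two different, freshly generated OTPs for the same token. The JSON layout assumed for the response (result.status, result.value and result.error.message) is the one privacyIDEA normally returns, but treat it as an assumption and check it against your version.

```python
import json
import urllib.error
import urllib.parse
import urllib.request

VALIDATE_CHECK = "/validate/check"


def build_check_body(pass_value, user=None, serial=None):
    """Form-encode a /validate/check request body.

    Exactly one of user= or serial= must be given; pass= carries PIN+OTP.
    """
    if (user is None) == (serial is None):
        raise ValueError("give exactly one of user or serial")
    fields = {"pass": pass_value}
    if user is not None:
        fields["user"] = user
    else:
        fields["serial"] = serial
    return urllib.parse.urlencode(fields).encode("ascii")


def parse_check_response(raw):
    """Reduce the JSON answer to what matters here.

    Assumed layout: result.status is False when the request itself failed
    (an error, e.g. a policy decorator raising), result.value is True only
    when the PIN+OTP was accepted, and result.error.message holds the reason
    for a failed request.
    """
    data = json.loads(raw)
    result = data.get("result") or {}
    error = result.get("error") or {}
    return {
        "status": bool(result.get("status", False)),
        "value": bool(result.get("value", False)),
        "error": error.get("message"),
    }


def http_post(url, body):
    """POST a form body and return the response text, including on 4xx/5xx,
    since privacyIDEA sends its JSON error description with those codes."""
    req = urllib.request.Request(url, data=body, method="POST")
    req.add_header("Content-Type", "application/x-www-form-urlencoded")
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.read().decode("utf-8")
    except urllib.error.HTTPError as exc:
        return exc.read().decode("utf-8")


def probe_serial_auth(base_url, user, serial, pass_by_user, pass_by_serial,
                      send=http_post):
    """Authenticate once by username and once by serial number.

    pass_by_user and pass_by_serial must be two distinct PIN+OTP values for
    the same token (an OTP is consumed on first use). 'affected' is True when
    the username form is accepted but the serial form is not.
    """
    url = base_url.rstrip("/") + VALIDATE_CHECK
    by_user = parse_check_response(
        send(url, build_check_body(pass_by_user, user=user)))
    by_serial = parse_check_response(
        send(url, build_check_body(pass_by_serial, serial=serial)))
    return {
        "by_user": by_user,
        "by_serial": by_serial,
        "affected": by_user["value"] and not by_serial["value"],
    }


if __name__ == "__main__":
    # Placeholder values; replace with your own instance, user, serial and
    # two freshly generated PIN+OTP values before running.
    report = probe_serial_auth("https://privacyidea.example.com", "alice",
                               "OATH00000001", "1234111111", "1234222222")
    print(json.dumps(report, indent=2))
```

If "affected" comes back True on 2.6, you are hitting this bug; on 2.5 or 2.7dev1 both forms should return the same value for a valid token.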
Fix
The bug is fixed in the 2.7 development release and will ship with 2.7 in October.