A bug in the policy module prevents authenticating with a serial number in 2.6

A bug in the policy module prevents authenticating with a serial number.

  • Affected version: privacyIDEA 2.6
  • Probability: High
  • Security Severity: Low

Technical Background

privacyIDEA allows authentication with either a username or a token serial number, i.e. the API accepts a

POST /validate/check
user=username
pass=PIN+OTP

or a

POST /validate/check
serial=serialnumber
pass=PIN+OTP

A bug in the file privacyidea/lib/policydecorators.py, in the code that checks for challenge-response functionality, causes an authentication request that carries no username (serial number only) to fail.
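The following is a constructed model of the failure mode described above, added here as an illustration; it is not privacyIDEA's code and does not reproduce privacyidea/lib/policydecorators.py. The token store, the per-user challenge-response setting, the request dictionaries and all function names are assumptions. It shows a policy decorator that reads the username unconditionally (so a serial-only request blows up before the token is ever checked, and the API layer reports a failed authentication) next to a version that resolves the user from the token owner when only a serial was sent.

```python
"""Constructed model of a policy decorator that breaks serial-only authentication.

Not privacyIDEA's code: the names, data and request shape are assumptions made
for this example only.
"""
from functools import wraps

# Constructed token store: serial -> owner and the PIN+OTP value it currently accepts.
TOKENS = {"TOTP0001": {"owner": "alice", "secret": "1234567890"}}

# Constructed per-user policy: users for whom challenge-response is enabled.
CHALLENGE_RESPONSE_USERS = {"bob"}


def validate_check(request):
    """Core check: find the token by serial (preferred) or by owner, then compare pass.

    `request` models the body of POST /validate/check as a dict with the optional
    keys "user", "serial" and "pass".
    """
    serial = request.get("serial")
    user = request.get("user")
    if serial is not None:
        token = TOKENS.get(serial)
    else:
        token = next((t for t in TOKENS.values() if t["owner"] == user), None)
    if token is None:
        return {"result": False, "detail": "unknown token"}
    return {"result": token["secret"] == request.get("pass")}


def buggy_challenge_response_policy(func):
    """Models the defect: the username is read unconditionally.

    A request that only carries a serial raises KeyError here, before the
    token is checked at all.
    """

    @wraps(func)
    def wrapper(request):
        user = request["user"]  # KeyError when only "serial" was sent
        if user in CHALLENGE_RESPONSE_USERS and not request.get("pass"):
            return {"result": False, "detail": "challenge triggered"}
        return func(request)

    return wrapper


def fixed_challenge_response_policy(func):
    """Corrected form: tolerate a missing username.

    When only a serial was sent, the owner of that token is used for the
    policy lookup; an unknown serial simply skips the user-specific policy
    and lets the core check reject the request.
    """

    @wraps(func)
    def wrapper(request):
        user = request.get("user")
        if user is None and request.get("serial") in TOKENS:
            user = TOKENS[request["serial"]]["owner"]
        if user in CHALLENGE_RESPONSE_USERS and not request.get("pass"):
            return {"result": False, "detail": "challenge triggered"}
        return func(request)

    return wrapper


def api_call(handler, request):
    """Models the API layer: an exception in the policy chain becomes a failed authentication."""
    try:
        return handler(request)
    except Exception as exc:  # deliberately broad: any policy error fails closed
        return {"result": False, "detail": f"error: {exc!r}"}


# The two decorated handlers, mirroring "before" and "after" the fix.
_buggy_handler = buggy_challenge_response_policy(validate_check)
_fixed_handler = fixed_challenge_response_policy(validate_check)


def check_with_buggy(request):
    """Run a /validate/check request through the buggy policy chain."""
    return api_call(_buggy_handler, request)


def check_with_fixed(request):
    """Run a /validate/check request through the corrected policy chain."""
    return api_call(_fixed_handler, request)


if __name__ == "__main__":
    by_user = {"user": "alice", "pass": "1234567890"}
    by_serial = {"serial": "TOTP0001", "pass": "1234567890"}
    print("buggy, user=  ", check_with_buggy(by_user))
    print("buggy, serial=", check_with_buggy(by_serial))
    print("fixed, user=  ", check_with_fixed(by_user))
    print("fixed, serial=", check_with_fixed(by_serial))
```

The point to take from the model is that the username-based path works in both versions, which is why the defect stays invisible in a normal deployment; only a serial-only request exercises the broken branch. A regression test for an authentication service should therefore cover every identifier the API accepts (here: user and serial) rather than only the common one.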

Advisory

In common scenarios the user always authenticates with a username.
Authentication using only the token's serial number typically occurs only when you use Remote token types or have a special workflow that relies on it.

If you are not authenticating with serial numbers, you do not need to take any actions.

If you are running such a scenario, either:

  • use privacyIDEA 2.5
  • use privacyIDEA >= 2.7dev1
  • or drop us a note.

Fix

The bug is fixed in the 2.7 development release and will ship with 2.7 in October.