6.1. Authentication Modes and Client Modes

privacyIDEA supports a variety of tokens that implement different authentication flows. We call these flows authentication modes. Currently, tokens may implement three authentication modes, namely authenticate, challenge and outofband.

Application plugins need to implement the three authentication modes separately, as the modes differ in their user experience. To help the plugins identify the flow, the JSON response of an authentication request contains additional information in the section

{
  "detail": "multi_challenge": [
        {
            "client_mode": "poll",
        }
  ]
}

The “client_mode” gives the plugin even more information how to respond. The authentication mode challenge can either result in client_mode interactive, webauthn of u2f and the authentication mode outofband can currently result in client mode poll.

Here are examples for the flows:

  • The HOTP token type implements the authenticate mode, which is a single-shot authentication flow. For each authentication request, the user uses their token to generate a new HOTP value and enters it along with their OTP PIN. The plugin sends both values to privacyIDEA, which decides whether the authentication is valid or not.

  • The E-Mail and SMS token types implement the challenge mode. With such a token, the authentication flow consists of two steps: In a first step, the plugin triggers a challenge. privacyIDEA sends the challenge response — a fresh OTP value — to the user via E-Mail or SMS. In a second step, the user responds to the challenge by entering the respective OTP value in the plugin’s login form. The plugin sends the challenge response to privacyIDEA, which decides whether the authentication is valid or not. The “client_mode” is set to interactive. This indicates that the plugin should display an input field, so that the user can enter the response interactively.

  • WebAuthn tokens and U2F tokens also implement the challenge mode. However, the plugin needs to handle these challenges differently, since the user does not need to enter the response to the challenge manually. The “client_mode” is either set to webauthn or u2f so that the plugin can handle the cryptographic challenge accordingly.

  • The PUSH and TiQR token types implement the outofband mode. With a PUSH token, the authentication step also consists of two steps: In a first step, the user triggers a challenge. privacyIDEA pushes the challenge to the user’s smartphone app. In a second step, the user approves the challenge on their phone, and the app responds to the challenge by communicating with the privacyIDEA server on behalf of the user. The plugin periodically queries privacyIDEA to check if the challenge has been answered correctly and the authentication is valid. In this case the “client_mode” is set to poll, so that the plugin knows, that it needs to poll for the response to the challenge.

The following describes the authentication flows of the three authentication modes in more detail.

6.1.1. authenticate mode

The Service is an application that is protected with a second factor by privacyIDEA.

  • The user enters a OTP PIN along with an OTP value at the Service.

  • The plugin sends a request to the /validate/check endpoint of privacyIDEA:

    POST /validate/check
    
    user=<user>&pass=<PIN+OTP>
    

and privacyIDEA returns whether the authentication request has succeeded or not.

6.1.2. challenge mode

  • The plugin triggers a challenge, for example via the /validate/triggerchallenge endpoint:

    POST /validate/triggerchallenge
    
    user=<user>
    

    Alternatively, a challenge can be triggered via the /validate/check endpoint with the PIN of a challenge-response token:

    POST /validate/check
    
    user=<user>&pass=<PIN>
    

    In both variants, the plugin receives a transaction ID which we call transaction_id and asks the user for the challenge response.

  • The user enters the challenge response, which we call OTP. The plugin forwards the response to privacyIDEA along with the transaction ID:

    POST /validate/check
    
    user=<user>&transaction_id=<transaction_id>&pass=<OTP>
    

and privacyIDEA returns whether the authentication request succeeded or not.

6.1.3. outofband mode

  • The plugin triggers a challenge, for example via the /validate/triggerchallenge endpoint:

    POST /validate/triggerchallenge
    
    user=<user>
    

    or via the /validate/check endpoint with the PIN of a out-of-band token:

    POST /validate/check
    
    user=<user>&pass=<PIN>
    

    In both variants, the plugin receives a transaction ID which we call transaction_id. The plugin may now periodically query the status of the challenge by polling the /validate/polltransaction endpoint:

    GET /validate/polltransaction
    
    transaction_id=<transaction_id>
    

    If this endpoint returns false, the challenge has not been answered yet.

  • The user approves the challenge on a separate device, e.g. their smartphone app. The app communicates with a tokentype-specific endpoint of privacyIDEA, which marks the challenge as answered. The exact communication depends on the token type.

  • Once /validate/polltransaction returns true, the plugin must finalize the authentication via the /validate/check endpoint:

    POST /validate/check
    
    user=<user>&transaction_id=<transaction_id>&pass=
    

    For the pass parameter, the plugin sends an empty string.

    This step is crucial because the /validate/check endpoint takes defined authentication and authorization policies into account to decide whether the authentication was successful or not.

    Note

    The /validate/polltransaction endpoint does not require authentication and does not increase the failcounters of tokens. Hence, attackers may try to brute-force transaction IDs of correctly answered challenges. Due to the short expiration timeout and the length of the randomly-generated transaction IDs, it is unlikely that attackers correctly guess a transaction ID in time. Nonetheless, plugins must not allow users to inject transaction IDs, and plugins must not leak transaction IDs to users.