3.1.1. Four Eyes

Starting with version 2.6 privacyIDEA supports 4 Eyes Token. This is a meta token, that can be used to define, that two or more token must be used to authenticate. This way, you can set up a “two man rule”.

You can define, from which realm how many unique tokens need to be present, when authenticating:

../../_images/enroll_4eyes.png

Enroll a 4 eyes token

In this example authentication will only be possbile if at least two tokens from realm2 and one token from realm sqlite are present.

Authentication is done by concatenating the OTP PINs and the OTP values of all tokens. The concatenation is split by the separator character.

It does not matter, in which order the tokens from the realms are entered.

Example

Authentication as:

username: "root@r2"
password: "pin123456 secret789434 key098123"

The three blocks separated by the blank are checked, if they match tokens in the realms realm2 and sqlite.

The response looks like this in case of success:

{
  "detail": {
    "message": "matching 1 tokens",
    "serial": "PI4E000219E1",
    "type": "4eyes"
  },
  "id": 1,
  "jsonrpc": "2.0",
  "result": {
    "status": true,
    "value": true
  },
  "version": "privacyIDEA 2.6dev0",
  "versionnumber": "2.6dev0"
}

In case of a failed authentication the response looks like this:

{
  "detail": {
    "foureyes": "Only found 0 tokens in realm themis",
    "message": "wrong otp value",
    "serial": "PI4E000219E1",
    "type": "4eyes"
  },
  "id": 1,
  "jsonrpc": "2.0",
  "result": {
    "status": true,
    "value": false
  },
  "version": "privacyIDEA 2.6dev0",
  "versionnumber": "2.6dev0"
}

Note

The 4Eyes Token verifies that unique tokens from each realm are used. I.e. if you require 2 tokens from a realm, you can not use the same token twice.

Warning

But it does not verify, if these two unique tokens belong to the same user. Thus you should create a poliy, that in such a realm a user may only have on token.