
Offline access not working for users without any 2FA token (WITHOUT2FA)

Status: Open. Opened by PimpJuiceIT, 4 comments.

Users without any 2FA token (WITHOUT2FA) now bypass the 2FA prompt. Please be sure to upgrade the Credential Provider (https://github.com/multiOTP/multiOTPCredentialProvider/releases/latest) and the multiOTP server (https://github.com/multiOTP/multiotp/releases/latest) to at least version 5.9.2.1.

Originally posted by @multiOTP in https://github.com/multiOTP/multiOTPCredentialProvider/issues/62#issuecomment-1210567560

New Issue with Offline Access using WITHOUT2FA

There is a new issue when both the credential provider and the server are updated to 5.9.2.1: using WITHOUT2FA does not allow for an offline bypass of 2FA. If I copy the corresponding /users/<user>.db over from the multiOTP server to the /users directory of the multiOTP install on the credential provider client workstation, I can bypass 2FA offline with WITHOUT2FA no problem, but it is not doing this for me automatically as it did on the previous version.

If I do not copy it over and it does not exist, it prompts for 2FA when the OTP server is offline and does not bypass 2FA. It seems to be related to the corresponding user .db file not being copied over to the client automatically (or whatever it does when it connects while the OTP server is online, the first time signing on after the credential provider install).

In my case, most users will be offline and only a handful of IT staff and other local admins will require the TOTP via an authenticator app. Some of these users have laptops and take them offsite, so there is no domain controller and no multiOTP server on the network. I need those users to be able to log in offline.

I was hoping the multiOTP accounts defined as WITHOUT2FA would still honor the offline settings set on the client and the server to allow this, but those are NOT copying over the data needed to authenticate WITHOUT2FA offline.

I can certainly figure out a way to automate this otherwise so I can move forward with my requirement, but I would love to see this fixed, or have you tell me what configuration I need for that, etc.

I have this configuration on the server:

multiotp -config server-secret=***@***! server-type=xml
multiotp -config server-cache-level=1 server-cache-lifetime=15552000

but I also tried that without the server-type=xml.

I have this configuration on the client:

[screenshot of the client-side multiOTP configuration, not reproduced here]

I greatly appreciate the fix for the WITHOUT2FA account bypassing the TOTP/2FA prompt after Windows authentication, at least when online; it seems to work great and exactly as needed when online.

Note: I can confirm the offline cache is working just fine, 100%, for the accounts that are NOT defined as WITHOUT2FA; those copy the user .db file over from the server to the protected client directory no problem and allow offline access with 2FA afterward.

PimpJuiceIT, Aug 15 '22 13:08

Hello, thanks for your feedback. We will find a solution for this case, which we forgot to take into consideration. Best regards

multiOTP, Aug 16 '22 04:08

@multiOTP

> Hello, thanks for your feedback. We will find a solution for this case, which we forgot to take into consideration. Best regards

Thank you, I'll be on the lookout for published updates. If needed, I have a brute-force way to do this while keeping it secure in a Windows domain environment (a PowerShell GPO computer-level startup script, etc.) in my back pocket.

Can you tell me if the open source Windows solution handles multiple OTP servers for the same domain, with each containing the same user token data?

I want the credential provider clients in one subnet configured to use the OTP02 server as default and OTP01 as secondary, and the other way around in the other subnet, with those client workstations using OTP01 as default and OTP02 as secondary. If the server on the same subnet goes down or doesn't respond within the defined timeout, it will try the other server to allow login.

I'm not sure if only ONE of the two OTP servers should run the LDAP sync and you then have to sync up the main source OTP server's tokens, user data, etc. with the other OTP server 'some other way', always running the LDAP sync commands only on the one main source OTP server and copying the files over to the other OTP server via another method to replicate, so the same token and seed work to authenticate the same user from either OTP server.

I guess the goal would be for the folks who bypass to always bypass and not deal with 2FA via the authenticator app, online or offline. Whereas the local admins must always 2FA via the authenticator app, but I would like the same seed and token, and whatever they register with their authenticator app, to be ONE, whether IT users sign on to the OTP02 or OTP01 subnets and servers.

Does multiOTP support a redundant Windows Server configuration with the open source solution, or must it be manually/brute-force manipulated like that to make it work, ensuring only one server syncs with AD (WITHOUT2FA token and AD group) and copying its user .db files over from the source server so the same source files are replicated on both servers?

PimpJuiceIT, Aug 18 '22 20:08

We are working on the without2FA local cache. Here are the answers to your other questions:

> Can you tell me if the open source Windows solution handles multiple OTP servers for the same domain, with each containing the same user token data?

Yes, the credential provider can use multiple OTP servers. In the open source edition, you need to take care of the synchronization between your multiOTP servers (file synchronization or DB synchronization).

> I'm not sure if only ONE of the two OTP servers should run the LDAP sync and you then have to sync up the main source OTP server's tokens, user data, etc. with the other OTP server 'some other way', always running the LDAP sync commands only on the one main source OTP server and copying the files over to the other OTP server via another method to replicate, so the same token and seed work to authenticate the same user from either OTP server.

Exactly, you need to configure the LDAP sync on your master multiOTP and then sync the main source with the other server some other way.

> Does multiOTP support a redundant Windows Server configuration with the open source solution, or must it be manually/brute-force manipulated like that to make it work, ensuring only one server syncs with AD (WITHOUT2FA token and AD group) and copying its user .db files over from the source server so the same source files are replicated on both servers?

There is no automatic synchronization in the open source edition.

Best regards

multiOTP, Sep 02 '22 14:09
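The reporter's interim workaround in the opening post (copying users\<user>.db from the multiOTP server into the client's users directory) and the "file synchronization" between a master and a secondary multiOTP server that the maintainer confirms above are the same operation: a one-way mirror of the users directory. The script below is an added example written for this thread; it is not code from the multiOTP project or from either participant. The share name, the local install path, the log location and the icacls grants are assumptions to be adapted to the real installation. It is written to run as SYSTEM from a GPO computer startup script or a scheduled task, which is the approach the reporter mentions.

```powershell
# Added example (not from multiOTP or the issue participants): one-way mirror of multiOTP
# user .db files from a master server to a local multiOTP "users" directory.
# Use on a credential provider client (offline cache) or on a secondary multiOTP server.
[CmdletBinding()]
param(
    # Assumption: an admin-only SMB share exposing the master server's multiOTP "users" directory.
    [string]$Source = '\\OTP01\multiotp-users$',
    # Assumption: the "users" directory of the local multiOTP install; check your real path.
    [string]$Destination = 'C:\Program Files\multiOTP\users',
    # Optional allow-list of user names (file base names). Empty means every *.db at the source.
    [string[]]$OnlyUsers = @(),
    # Delete local .db files that no longer exist at the source (accounts removed by LDAP sync),
    # so a departed user's offline bypass does not survive on the machine.
    [switch]$Mirror,
    [string]$LogPath = "$env:ProgramData\multiOTP-sync\sync.log"
)

$ErrorActionPreference = 'Stop'

function Write-Log([string]$Message) {
    New-Item -ItemType Directory -Path (Split-Path $LogPath) -Force | Out-Null
    Add-Content -Path $LogPath -Value ("{0:u} {1}" -f (Get-Date), $Message)
}

# The .db files carry the account's token seed, so the local copy must be readable
# by SYSTEM and Administrators only (the credential provider runs as SYSTEM).
function Protect-Directory([string]$Path) {
    New-Item -ItemType Directory -Path $Path -Force | Out-Null
    # Break inheritance, discard inherited ACEs, then grant only SYSTEM and Administrators.
    & icacls $Path /inheritance:r /grant:r 'SYSTEM:(OI)(CI)F' 'BUILTIN\Administrators:(OI)(CI)F' | Out-Null
}

function Get-Sha256([string]$Path) { (Get-FileHash -Path $Path -Algorithm SHA256).Hash }

# Master unreachable (laptop offsite, server down): keep the existing cache untouched and
# exit cleanly, so a network outage never wipes a cache that still lets people log in.
if (-not (Test-Path -LiteralPath $Source)) {
    Write-Log "source $Source unreachable, keeping existing cache"
    exit 0
}

Protect-Directory $Destination

$sourceFiles = @(Get-ChildItem -LiteralPath $Source -Filter '*.db' -File)
if ($OnlyUsers.Count -gt 0) {
    $sourceFiles = @($sourceFiles | Where-Object { $OnlyUsers -contains $_.BaseName })
}

$copied = 0
foreach ($file in $sourceFiles) {
    $target = Join-Path $Destination $file.Name
    # Skip unchanged files so the script is cheap enough to run at every boot.
    if ((Test-Path -LiteralPath $target) -and ((Get-Sha256 $target) -eq (Get-Sha256 $file.FullName))) { continue }
    # Copy to a temporary name and rename: the credential provider never reads a half-written .db.
    $tmp = "$target.tmp"
    Copy-Item -LiteralPath $file.FullName -Destination $tmp -Force
    Move-Item -LiteralPath $tmp -Destination $target -Force
    $copied++
    Write-Log "updated $($file.Name)"
}

if ($Mirror) {
    if ($sourceFiles.Count -eq 0) {
        # An empty source is far more likely a broken share than "no users": never delete on that basis.
        Write-Log "source has no .db files, skipping stale-file removal"
    } else {
        $sourceNames = $sourceFiles | ForEach-Object Name
        Get-ChildItem -LiteralPath $Destination -Filter '*.db' -File |
            Where-Object { $sourceNames -notcontains $_.Name } |
            ForEach-Object {
                Remove-Item -LiteralPath $_.FullName -Force
                Write-Log "removed stale $($_.Name)"
            }
    }
}

Write-Log "done: $copied file(s) updated from $Source"
```

Two points worth keeping in mind when using something like this. The files being copied are secrets (the token seeds), so the share should be reachable only by computer accounts that need it and SMB signing/encryption should be enforced on it. And -Mirror belongs on the server-to-server copy (OTP01 to OTP02) or on clients where -OnlyUsers covers everyone who logs in there; on a client that also caches full-2FA accounts by itself, as the reporter's note says it does, an unrestricted -Mirror would delete those self-cached files.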

@multiOTP

You are awesome! Thank you for the feedback and all the work you do with this product!

PimpJuiceIT, Sep 02 '22 17:09

Hello, version 5.9.3.1 and later now allow caching of users without any 2FA token (without2fa). Regards,

multiOTP, Oct 21 '22 16:10