Improve enrollment #264

Open
cornelinux opened this issue Sep 5, 2022 · 0 comments
Labels
Type: Feature request External requirement for new functionality

The classical enrollment of smartphone apps as specified by Google, which contains the key material in the QR code, is prone to copy attacks.

We could remove the key material from the QR code. The QR code could only contain a URL to the privacyIDEA server, a kind of one-time registration URL. The smartphone would generate the key material and pass the key material to this very URL.

Problem

An attacker could still scan the QR/URL and pass his own key material.

Mitigations

The enrolled key material could be deactivated.

Additional means to enable the key material or protect the URL, like additional credentials.
This could be

  • known
  • sent by snail mail
  • sent via SMS...

The user would then have to enter e.g. the credentials during the enrollment --- on the smartphone?

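As an added illustration of the flow proposed above (this is example code written for this page, not code from the privacyIDEA project or from the issue author): a Python simulation in which the QR code carries only a one-time registration URL, the phone generates the key material, the server stores the key deactivated, and activation requires a code delivered over a separate channel. The server class, the URL layout and the SMS-style activation code are assumptions for illustration.

```python
"""Simulated enrollment where the QR code carries only a one-time registration
URL and the phone generates the key material.  Added example, not privacyIDEA
code; server, URL layout and out-of-band activation code are assumptions."""
import hmac
import secrets
from dataclasses import dataclass

BASE_URL = "https://pi.example.com/enroll/"   # assumed hostname and path


@dataclass
class TokenRecord:
    user: str
    key: bytes
    active: bool = False          # stays off until the second channel confirms
    activation_attempts: int = 0


class EnrollmentServer:
    MAX_ACTIVATION_ATTEMPTS = 3

    def __init__(self):
        self._pending = {}       # registration token -> user (one-time use)
        self._tokens = {}        # user -> TokenRecord
        self._activation = {}    # user -> activation code (sent out of band)
        self.outbox = []         # constructed stand-in for SMS / snail mail

    def start_enrollment(self, user):
        """Return the URL to put in the QR code.  The activation code never
        goes into the QR code; it travels by a separate channel."""
        reg = secrets.token_urlsafe(32)
        self._pending[reg] = user
        code = f"{secrets.randbelow(10**8):08d}"
        self._activation[user] = code
        self.outbox.append((user, code))
        return BASE_URL + reg

    def register_key(self, url, key):
        """Called by whoever scanned the QR code.  Accepts key material exactly
        once and stores it deactivated."""
        reg = url.removeprefix(BASE_URL)
        user = self._pending.pop(reg, None)   # pop: a second use is rejected
        if user is None:
            return False
        self._tokens[user] = TokenRecord(user=user, key=key)
        return True

    def activate(self, user, code):
        """Enable the stored key only if the out-of-band code matches, with a
        small attempt budget so the code cannot be brute-forced."""
        rec = self._tokens.get(user)
        if rec is None or rec.active:
            return False
        if rec.activation_attempts >= self.MAX_ACTIVATION_ATTEMPTS:
            return False
        rec.activation_attempts += 1
        if not hmac.compare_digest(self._activation.get(user, ""), code):
            return False
        rec.active = True
        self._activation.pop(user, None)
        return True

    def authenticates_with(self, user, key):
        rec = self._tokens.get(user)
        return rec is not None and rec.active and hmac.compare_digest(rec.key, key)


def copy_attack_scenario():
    """Attacker photographs the QR code and registers first.  Returns what
    each party ends up with."""
    srv = EnrollmentServer()
    url = srv.start_enrollment("alice")
    attacker_key = secrets.token_bytes(20)
    alice_key = secrets.token_bytes(20)
    attacker_registered = srv.register_key(url, attacker_key)   # one-time URL spent
    alice_registered = srv.register_key(url, alice_key)         # rejected
    attacker_activated = srv.activate("alice", "guess")         # no OOB code
    return {
        "attacker_registered": attacker_registered,
        "alice_registered": alice_registered,
        "attacker_activated": attacker_activated,
        "attacker_can_login": srv.authenticates_with("alice", attacker_key),
        "alice_sees_enrollment_failure": not alice_registered,
    }


def honest_scenario():
    """Legitimate user enrolls and activates with the code from the letter/SMS."""
    srv = EnrollmentServer()
    url = srv.start_enrollment("alice")
    alice_key = secrets.token_bytes(20)
    srv.register_key(url, alice_key)
    _, code = srv.outbox[-1]
    return srv.activate("alice", code) and srv.authenticates_with("alice", alice_key)


if __name__ == "__main__":
    print(copy_attack_scenario())
    print("honest enrollment works:", honest_scenario())
```

Two properties of this design are worth noting. Because the registration URL is consumed on first use, an attacker who scans it first also blocks the legitimate enrollment, so the user sees a failure instead of silently sharing a token with the attacker. And the attacker's key never becomes usable, because activation needs the code that only reached the user by the second channel.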