
Do not require second factor when unlocking system for certain amount of time after having used it last #131

Open
kheldorn opened this issue Jan 10, 2023 · 1 comment

Comments

@kheldorn

kheldorn commented Jan 10, 2023

(submitted this to the wrong project at first (privacyidea/privacyidea#3444), so posting it here again)

We'd like to introduce PrivacyIdea in our environment, mainly to secure local Windows logins, but during brainstorming people quickly raised the issue that they'd get very annoyed with it if they had to enter their second factor every time they unlock their computer.

We've got a system policy set that locks a computer after X number of minutes of inactivity, and because of that a bunch of people would be forced to enter not only their password, but also their second factor multiple times per day.
We do not want to disable the second factor for unlocking the system entirely though. We just want it to not be required every time the system is unlocked.

Our idea to combat this was to basically set things up in a way that will make the second factor absolutely mandatory if the system has been (these rules beat any others):

  • just booted
  • woken from standby (suspend to ram)
  • woken from hibernation (suspend to disk)

However, if the system was only locked then the client should NOT require the second factor if the following condition is met:

  • the user is just unlocking the system within XX minutes after having last used the second factor for login (or unlocking if XX had already expired before; we considered a value of something like 4 hours for XX; though obviously that should be configurable)

Further, the system should fall back to requiring the second factor under certain circumstances even if XX has not expired yet:

  • If the system has been locked more than XY times in the last XZ minutes (our default was 10 times in 1 hour; both values should be configurable)
  • If the user has entered a wrong password YY times while trying to unlock the system with the second factor disabled (our default value here was 3; again should be configurable)

I've got the whole ruleset written down as a PowerShell script that gets executed by a scheduled task triggered on a number of event log IDs from the system and security event logs.
Following the rules outlined above the script then modifies the "cpus_logon" and "cpus_unlock" registry keys to either enable or disable the second factor requirement.
It also keeps track (in the registry) of when the second factor was last used (to calculate when XX has expired), when it was locked (MultiString with a list of timestamps) and the number of unlocks to calculate when XY in XZ is exceeded, and obviously the number of failed unlocks to re-enable the second factor again after YY is exceeded.

The whole thing works but it adds an additional level of complexity I'd rather avoid if possible. However, we feel it is necessary to add such a feature to get not only our users but also management and VIPs on board with introducing PrivacyIDEA in our environment.

Instead of having a custom PowerShell script trigger on event log entries I'd much rather have the client natively support all these features and pull the configured values (XX, XY, XZ and YY) from a central configuration point allowing us to easily change and adjust values.

Is this something you could/would consider implementing? Would be very much appreciated and surely very useful not only to us but others as well. On top of that it would add a nice feature to the list that other competitors in this field might not have and set PrivacyIDEA apart in that regard.
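
The decision rules described in the post above, as an added example that is neither the issue author's script nor any privacyIDEA code: a platform-independent Python model of the same state machine, where the real script would write each decision to the cpus_logon/cpus_unlock registry values instead of returning it. The event names, the Policy/State types, the constructed timeline, and resetting the failed-unlock counter whenever the second factor is used successfully are my assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

# Constructed defaults mirroring the issue's thresholds: XX=4h, XY=10, XZ=1h, YY=3.
@dataclass
class Policy:
    grace: timedelta = timedelta(hours=4)        # XX: password alone is enough this long after last 2FA
    max_locks: int = 10                          # XY: more locks than this ...
    lock_window: timedelta = timedelta(hours=1)  # XZ: ... inside this window re-enables 2FA
    max_failed: int = 3                          # YY: wrong passwords while 2FA is relaxed

@dataclass
class State:  # the values the issue keeps in the registry
    last_second_factor: Optional[datetime] = None
    lock_times: List[datetime] = field(default_factory=list)   # the MultiString of lock timestamps
    failed_unlocks: int = 0

def second_factor_required(event: str, now: datetime, state: State, policy: Policy) -> bool:
    """Decide whether cpus_logon/cpus_unlock should demand the second factor after `event`."""
    if event in ("boot", "resume_standby", "resume_hibernate"):
        return True                              # power-state transitions beat every other rule
    if event == "second_factor_used":            # covers login and an unlock after XX expired
        state.last_second_factor = now
        state.failed_unlocks = 0                 # assumption: a successful 2FA clears the failure count
        return False
    if event == "lock":
        state.lock_times.append(now)
    elif event == "failed_unlock":
        state.failed_unlocks += 1
    # Forget lock timestamps that fell out of the XZ window before counting them.
    state.lock_times = [t for t in state.lock_times if now - t <= policy.lock_window]
    if state.last_second_factor is None or now - state.last_second_factor > policy.grace:
        return True                              # XX expired, or no 2FA recorded yet
    if len(state.lock_times) > policy.max_locks:
        return True                              # locked more than XY times within XZ
    if state.failed_unlocks >= policy.max_failed:
        return True                              # YY wrong passwords during the relaxed period
    return False

def run_events(events: List[Tuple[str, int]], policy: Optional[Policy] = None) -> List[bool]:
    """Replay (event, minutes-after-start) pairs on a constructed timeline; return each decision."""
    policy, state = policy or Policy(), State()
    start = datetime(2023, 1, 10, 8, 0)          # constructed reference time
    return [second_factor_required(ev, start + timedelta(minutes=m), state, policy) for ev, m in events]
```

`run_events` stands in for the scheduled task firing on each event log entry; the 2FA use that happens because XX had already expired is simply another `second_factor_used` event and restarts the grace period.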

@nilsbehlen
Member

Hi, thanks for this detailed idea.
Having this centrally managed would mean for us that privacyidea decides if the user should enter the second factor or not. However, it may take a lot of time before we have that in place. I will bring this local feature up again for discussion.
