Hello, thank you. OK, I presume you all have an idea of what two-factor authentication might be. I also presume you know what ownCloud is. It is a self-hosted file sharing system, to explain it in seven words. Some words about me: I started to deal with two-factor authentication in 2005, and in 2014 I started the project privacyIDEA. And here's a bit of contact information.

So what are we looking at today? I brought a small setup. I have an ownCloud 10 installation. It is connected to Active Directory. I'm sorry for this. You could also use OpenLDAP. You could use a SQL database. But the point is you have somewhere a user store where your users are located. And currently your setup is that the users authenticate to this ownCloud with a password. And well, we have had some news lately about passwords. Finally, it's getting a bit boring, I think. And for example, this subline there says that the right time to have a password, or to have a second password, is now. I see this a bit differently. I think the time to have two-factor authentication is now.

So how will we do this? Who of you knows ownCloud? OK, great. Then you probably know that there's also a cool app within ownCloud, a TOTP app. The user can enroll a second factor by creating such a nice QR code. And then he can secure his login to his ownCloud with a second factor on his smartphone. This is a great thing. The user is in control: does it, uses it. That's fine. But also be aware that this is a TOTP algorithm. TOTP means that it's only time dependent. This means the secret key is contained in this QR code. Everyone who scans this QR code will have a copy of your second factor. And the downside is that the user is in control. So if you have an organization where you want, for example, to force your users to use a second factor, this is not a good solution. And finally, if you are setting up a second factor for all your applications this way, you will end up with lots of second factors.
OK, so what are actually the requirements for two-factor authentication when we look at enterprise environments? First of all, users have to comply with policies. The user is not allowed to decide whether he wants to do two-factor authentication or not. He has to do what the company or the organization defines. Then it's nice to have a lot of different token types to choose from. And most important, you have to have a central management where you can manage the second factors, where you can connect different applications to, and where, for example, you also have workflows for your help desk users. And this is where privacyIDEA comes in. privacyIDEA is such a central management system. It connects to existing user stores. It supports a lot of different token types and has a lot of other cool things like policies and event handlers. And finally, if you set up a privacyIDEA system in your network, you can connect many different applications to this authentication system.

OK, so what we will do now is: we started with the setup of ownCloud and Active Directory, and we will add a privacyIDEA system so that ownCloud is able to talk to this privacyIDEA system. The first factor the user provides will be authenticated against Active Directory. The second factor will go against privacyIDEA. For this, we need the privacyIDEA server, and we need to install a small plug-in, a small app, in the ownCloud system.

OK, so unfortunately I have spent five minutes explaining this to you. So I'm a bit in a hurry to actually do this in 15 minutes, and so I have to speed things up. Here you see that on Wednesday I started at nine minutes after 9 AM to actually add a Launchpad repository. I add the Launchpad repository. I update the package index. I run an upgrade of my system. And then down there, we probably cannot see it, in the Launchpad repository is a meta package, privacyidea-apache2, which installs all necessary components on this naked Ubuntu system in this case.
If you like other distributions, if you like other databases, if you like other web servers, of course you can do as you please, and you can simply install this from the Python Package Index. OK, yes. And actually, all batteries included. Unfortunately, it's also hard to see, but at 10 minutes after 9 AM I am asked if I want to install these 250 new packages with all dependencies. I hit yes. I have to set my SQL password at 11 minutes past 9. And at 9:13 I'm actually done. Everything which I need is installed after four minutes. And the only thing that remains is I have to set the password of an initial administrator. So this is also important: we do not come with a standard password, because standard passwords are a bit nasty.

So this was the server side. And I said we also need to install a plug-in in ownCloud. We will do this now. We go to the marketplace in our ownCloud installation. And then the most difficult part is finding the app, actually. We found it. And now another difficult step is to find the install button. It's a bit below, down to the right. And then you can hit the install button, and the plug-in which connects ownCloud with privacyIDEA is installed.

OK, to finally make things even more exciting, I thought we do a small hands-on. I will try to show you how this is connected to Active Directory. We will enroll a few token types. For example, let's see how far we come. OK, this is my privacyIDEA installation here. And you know, wait a second, I can show you my connection to the Active Directory. So we actually have a real running Active Directory here with 18 users. And the interesting thing is you can query any LDAP server quite flexibly. And here in the login attribute, you see we entered sAMAccountName and objectGUID. So these are actually the attributes which privacyIDEA accepts as a username in the login request.
This is quite interesting for ownCloud, because the default identifier in ownCloud, when you are connecting to an LDAP system or to an Active Directory, is the objectGUID. So the authentication request arrives at privacyIDEA with the objectGUID. Then we have a lot of users, which we fetched from the LDAP. Let's take this one. And let's enroll a most evil smartphone app. OK, I enrolled the smartphone app. So you may wonder, so what's the difference if I would use the TOTP app in ownCloud? The thing is, now my smartphone as authentication device is centrally managed in privacyIDEA.

Now we go to the ownCloud system. Nice, I already opened the settings window. This is the settings configuration of the privacyIDEA plug-in. The interesting thing is I can exclude user groups from the requirement of two-factor authentication. This is quite nice if you either do an enrollment and only want to have friendly users in a pilot use two-factor authentication, or, in my case, for example, exclude administrators so that you do not lock yourself out right at the start. OK, so the thing is I now have to, in the first step, authenticate with my LDAP password at ownCloud. Then the plug-in says, oh, please provide your second factor, because you are not in the group that does not need a second factor. I use the second factor I just enrolled on my smartphone and log in. Oh, this is quite interesting. It's better to actually type the correct number. But you see, typing is a really nasty thing. And for this privacyIDEA also supports other tokens. Of course, we support these classical key fob tokens. But the interesting thing might be we also support these nice YubiKeys. And the interesting thing about YubiKeys is I do not have to type. And actually, I can initialize the keys directly myself. So let's see. Nope. For initializing the YubiKey, I have a command line tool. I call the command line tool privacyidea with the parameter secrets.
This is simply a file that contains some more parameters which I do not want to type all the time. I hit Enter, provide my administrator password for privacyIDEA. The command line tool talks to privacyIDEA via the REST API and starts to enroll YubiKeys. So it tells me, please insert the YubiKey. I enroll the YubiKey. I insert the next YubiKey. And it finds the YubiKey and enrolls the next YubiKey. So the nice thing: I can buy 100 YubiKeys, enroll the YubiKeys in five minutes, and be sure that these secrets are only known by me.

And now the interesting thing is, now I can go to privacyIDEA again. I see I have two new tokens. These are the YubiKeys I just enrolled. And now I can assign the YubiKeys to the same user. And since I do not know, it's a bit dark here, I cannot read the serial number on the back of the YubiKeys, so I assign both YubiKeys. I think there's some time left to actually assign both YubiKeys. And as you can see, of course, the system is also capable of assigning several tokens to the same user if needed. So now my user has three different tokens, and he can decide which one he wants to use to authenticate to the system. I take a YubiKey, plug it in the USB port, touch the button, and hope. Come on, touch the button. Thanks, I enrolled two YubiKeys. Touch the button. Oh, would someone please touch the button? This is really interesting. So I think you all know how the YubiKeys work. If you had working hands, you would insert the one-time password and you would be authenticated. Thank you for your time and your interest.
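The point made early in the talk, that a TOTP QR code contains the secret key and so everyone who scans it holds a complete copy of the second factor, can be made concrete with the RFC 6238 algorithm itself. The following is an added example written for this transcript; it is not code from the talk, from ownCloud or from privacyIDEA. It parses an otpauth:// enrolment URI of the kind such a QR code encodes, derives the time-based codes from the shared secret, and shows that a second holder of the same secret produces codes the server cannot tell apart. The URI, the account label and the issuer are constructed, and the secret is the public RFC 6238 test-vector key rather than any real token.

```python
"""Added example (not from the talk, ownCloud or privacyIDEA): RFC 6238 TOTP
derived from an otpauth:// enrolment URI, to show that the QR code *is* the
second factor. Standard library only."""
import base64
import hashlib
import hmac
import struct
from urllib.parse import parse_qs, unquote, urlparse

# Constructed enrolment URI of the kind a TOTP QR code encodes.  The secret is
# the RFC 6238 test-vector key ("12345678901234567890" in base32), not a real one.
SAMPLE_URI = ("otpauth://totp/ownCloud:alice%40example.org"
              "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=ownCloud"
              "&digits=6&period=30&algorithm=SHA1")


def parse_otpauth(uri):
    """Return the label, the raw secret bytes and the TOTP parameters of a URI."""
    parts = urlparse(uri)
    if parts.scheme != "otpauth" or parts.netloc != "totp":
        raise ValueError("not a TOTP otpauth URI")
    q = parse_qs(parts.query)
    b32 = q["secret"][0].upper().replace(" ", "")
    # Enrolment URIs usually omit base32 padding; restore it before decoding.
    secret = base64.b32decode(b32 + "=" * (-len(b32) % 8))
    return {
        "label": unquote(parts.path.lstrip("/")),
        "secret": secret,
        "digits": int(q.get("digits", ["6"])[0]),
        "period": int(q.get("period", ["30"])[0]),
        "algorithm": q.get("algorithm", ["SHA1"])[0].lower(),
    }


def totp(secret, unix_time, digits=6, period=30, algorithm="sha1"):
    """RFC 6238: HOTP over the number of `period`-second steps since the epoch."""
    counter = struct.pack(">Q", int(unix_time) // period)
    mac = hmac.new(secret, counter, getattr(hashlib, algorithm)).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation (RFC 4226)
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def verify(code, secret, unix_time, window=1, **params):
    """Server-side check: accept the current step and `window` steps either side
    to absorb clock drift, comparing in constant time."""
    period = params.get("period", 30)
    for step in range(-window, window + 1):
        expected = totp(secret, unix_time + step * period, **params)
        if hmac.compare_digest(expected, code):
            return True
    return False


def two_copies_of_one_factor(uri, unix_time):
    """Model the talk's warning: the enrolled phone and anyone who also scanned
    the same QR code hold the same secret, so the server sees identical codes.
    Returns (phone_code, copied_code, server_accepts_copy)."""
    p = parse_otpauth(uri)
    kw = {k: p[k] for k in ("digits", "period", "algorithm")}
    phone_code = totp(p["secret"], unix_time, **kw)   # the user's own app
    copied_code = totp(p["secret"], unix_time, **kw)  # a second scanner of the QR
    return phone_code, copied_code, verify(copied_code, p["secret"], unix_time, **kw)


if __name__ == "__main__":
    import time
    phone, copied, accepted = two_copies_of_one_factor(SAMPLE_URI, time.time())
    print(f"phone={phone} copy={copied} server accepts copy: {accepted}")
```

`two_copies_of_one_factor` is the whole argument in one call: nothing on the server side can distinguish the enrolled device from a copy, because TOTP proves possession of the secret, not of a particular device. That is the gap a centrally managed token store closes, whether by keeping enrolment under policy rather than user choice or by writing secrets into hardware keys directly, as the talk does with the YubiKeys.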