Releases: privacyidea/privacyidea-credential-provider
v3.6.0
Enhancement
- WebAuthn via NFC. However, this feature is marked as experimental by libfido2, which is used here. So there might be devices that do not work or other problems.
- WebAuthn token can be used for offline authentication if it is marked as such in privacyIDEA.
- Use of `user_verification=discouraged` policy in privacyIDEA is now considered. In offline scenarios, the PIN prompt can be controlled via the `webauthn_offline_no_pin` registry setting.
- Changed translation system to allow adding or changing translations without the need to install a new version. Also added Spanish translation. Both contributed by charlyR (#158)
Fixes
- Fixed a bug that would cause `otp_link_text` to be ignored.
- Fixed a bug that would cause the (customizable) OTP failure text to not be displayed.
v3.5.3
Fixes
- Fixed a bug that would result in `two_step_hide_otp` being ignored when selecting another credential provider
- Fixed a bug that would not reset the login to the first step if "the user could not be found in any resolver in this realm" occurred
- Fixed a bug that would prevent the FIDO device recognition on the second try if it was cancelled once
v3.5.2
Fixed inverted translation that occurred for some texts
v3.5.1
Fixes
- Fixed successful offline authentication with HOTP not ending the authentication
- Fixed the info text displayed for offline token for webauthn
- Fixed refreshing of refilltoken for webauthn offline
- Fixed FIDO device search cancellation
- Fixed some texts
- Added texts for refill phases to be distinguished from authentication
v3.5.0
Features
- WebAuthn online
- WebAuthn offline, requires privacyIDEA 3.10 which will be released at a later date
Enhancements
- Added CredentialProvider version to the useragent
- Added ComputerName to useragent (optional). This will be needed for the WebAuthn offline management of refilltoken in the server.
Fixes
- Fixed `reset_link_text` to be actually used when set
- Fixed a bug where using RDP with UPN would result in the UPN not being split properly and therefore producing a wrong username, making login impossible.
Dummy subscription is attached
v3.4.0
Features
- If 'send_upn' is enabled and the username input contains an '@' and no '\', it will be sent as is to privacyidea, the realm will be omitted in this case. This feature does not yet check with AD if the UPN is correct.
Fixes
- Fixed a bug where a password reset for an expired password was not recognized.
- Fixed a bug where the '%' was not properly encoded when communicating with privacyidea.
v3.3.0
Features
- Token enrollment via challenge-response (introduced in privacyIDEA 3.8) can be used in the CP.
- Added whitelist for the filter to spare other credential providers from being filtered.
Fixes
- If sending password or empty password was enabled and machine was offline, it was impossible to get to the second step for an offline authentication, because of the error caused by the attempt to send something. This is now fixed and offline is possible even if an error occurred in the first step.
- If the excluded_account included a '.', it was not resolved to the local machine name before comparing with the input. Now both input and registry setting will have the '.' resolved before comparing values.
v3.2.2
- Remember the serial of the token that was used to authenticate to add the refill values to the right token, fixes #123
- If `prefill_username` is enabled, set the focus to the password field, fixes #122
- Update the offline info after wrong password or other errors. The number displayed will now represent the consumed offline OTPs if they had not been refilled directly (e.g. machine is offline)
- Fixed the `count` field in the offline file to correctly display the count of OTPs
v3.2.1
- Fixed a bug where an offline user would not be found if the username was capitalized differently (missing case insensitivity)
- When entering the wrong OTP in RDP scenarios, the credential provider will now reset to the first step with username and password prefilled. This way, the user just has to press enter and can trigger challenges again.
- Fixed a bug where the installer wrote the wrong values for scenario specific configuration
v3.2.0
Features
- Multiple offline tokens for multiple users are possible now
- Added "offline_threshold" configuration entry. OfflineRefill is only attempted when the remaining offline OTPs drop below the threshold. This will prevent having to wait for a connection timeout every time an authentication is performed where the computer is really offline.
- Added "offline_show_info" configuration entry. This will display available offline tokens for the user that is currently logging in.
- Added "enable_filter" configuration entry. This will enable the filter (which removes all other Credential Providers).
- Updated the installer with more configuration possibilities. Moreover, the filter is now always installed and has to be activated via the configuration of this Credential Provider.
Fixes
- When using RDP, the incoming password is now properly decrypted so that "2step_send_password" works correctly in this scenario.
- Fixed a bug that could cause an infinite loop in the CredUI scenario.
- Improved the "show_domain_hint" feature to directly show the domain that will be used when entering a backslash.
- Entering '.' will now be properly resolved to the local computer name.
- Entering '@' will now be handled correctly to indicate a domain.
- Failing the 2nd factor check in RDP scenarios will now only reset the 2nd step. In RDP scenarios, the username and password are already checked before connecting, therefore it is not required to check those on the target again.