Kassel, 07.04.2026 – The latest version 3.13 of multi-factor authentication software privacyIDEA is available. The most significant new feature is the expanded support for passkeys. As a result, users can now register passkeys on Windows and Linux. Support for the RADIUS protocol has been improved for the push token. Visually, the new WebUI is now available as a beta version.

Passkey registration during sign-in with offline functionality

With version 3.13, users in Windows and Linux environments can register a passkey directly during the login process. This passkey is then available for offline authentication on the corresponding device. Administrators can control this process specifically through policies. The advantage lies in a significantly simplified rollout process: Neither administrators nor help desk users need to be actively involved in the deployment process. This makes the introduction of new tokens less subject to errors and requires less support, while offering greater comfort for users.

Push authentication with code-based authentication for RADIUS

A new policy improves the use of push tokens in RADIUS-based scenarios such as VPNs or firewalls. The user confirms the login on their smartphone and then enters a numeric code displayed in the app into the login screen. This ensures that the user is directly involved in the login process. At the same time, the authentication is cryptographically secured and offers a significant security advantage over TOTP-based methods.

Beta version of the new WebUI is now available

The modernized user interface of privacyIDEA is now available in its full functionality as a beta version. In addition to the existing self-service area, it also includes the administrator view. In version 3.13, however, the previous WebUI remains the default interface. Users can test the new user interface and provide feedback. In version 3.14, the new WebUI will then be activated as the default interface.

All other changes are listed in detail in the changelog on GitHub. All components of privacyIDEA are also being further developed there under the leadership of NetKnights GmbH as open-source software under the AGPLv3.

Availability

The new version 3.13 of privacyIDEA is now available via the Python Package Index and in the community repositories for Ubuntu 22.04 and 24.04.

Kassel, 9 September 2025 – IT security company NetKnights has released version 3.12 of its open-source multi-factor authentication solution privacyIDEA. The new version integrates a user resolver for Entra ID and Keycloak. For the first time, users can get a preview of the fundamentally redesigned WebUI. Enhanced smartphone container functions enable efficient token management.

User Resolver for Entra ID and Keycloak

privacyIDEA 3.12 introduces user resolvers for Entra ID and Keycloak. Administrators can retrieve user data directly from these directory services and assign tokens to them in privacyIDEA. This enables seamless token management, even in hybrid infrastructures consisting of on-premises and cloud environments.

Preview of modernised WebUI

The privacyIDEA user interface is being extensively modernised and will be available from version 3.13 . Version 3.12 offers a preview function of the new WebUI for user self-service and the administrator view. This provides a preview of the improved token overview, which allows tokens to be managed more efficiently. Users can test the new interface and provide feedback; based on this, the new WebUI’s user-friendliness will be further refined.

Enhanced Smartphone Container Functions

The smartphone container functions were expanded in version 3.12. Containers can be rolled out during authentication. Additionally, smartphone containers can be rolled out using the password of the user store as a registration code – in combination with the Authenticator app from version 4.6.0 onwards. This secures the rollout process without requiring an additional password.

Policy and Condition Improvements

Numerous improvements have been made to existing policies to enable more precise configuration. In addition, new conditions have been added and their handling has been refined.

Version 3.12 of privacyIDEA lays a modernised, future-oriented foundation for upcoming releases and prepares the software both technically and conceptually for the next development steps.

All other changes are listed in detail in the Changelog on GitHub. At this point, all components of privacyIDEA are also being further developed as open source software under the AGPLv3 under the leadership of NetKnights GmbH.

Availability

The new version 3.12 of privacyIDEA is now available via the Python Package Index and in the community repositories for Ubuntu 22.04 and 24.04.

About privacyIDEA

privacyIDEA is an open source multi-client and multi-instance capable system for multi-factor authentication. The development is made transparently on Github. Installations and updates are easily possible via the Python Package Index or via repositories for Ubuntu. A few weeks after the respective community major release, NetKnights GmbH publishes an enterprise release for Ubuntu LTS and RHEL/CentOS.

Extended container functions, passkeys as new token type & RSS-Newsfeed

The IT security company NetKnights releases version 3.11 of the professional multi-factor authentication software privacyIDEA. Extended container functions for the smartphone enable efficient synchronization and management of tokens. Passkeys are available as a new authentication method. An RSS newsfeed has also been introduced to inform administrators about updates, patches and events.

New functions for token containers

Version 3.11 of privacyIDEA offers new functions for the smartphone as a token container, which simplify the management of tokens. For scenarios such as the change to a new smartphone or the loss of a device, privacyIDEA now offers a container rollover. This allows an administrator to create a rollover QR code for an old container. If the user scans the QR code with the new device, the tokens are automatically transferred.
It is also possible to register containers with the server and roll out the defined tokens to the smartphone in a single step. As soon as the container is registered, the administrator can add and delete tokens. It is also possible to delete and block token containers completely.

Passkeys as a new token type

A new feature of version 3.11 of privacyIDEA is the introduction of passkeys as a token type. Passkeys are cryptographic key pairs that are stored locally on the device. They are resistant to a wide variety of phishing attacks, which increases user security. Users benefit from a simplified login process as they can authenticate themselves without having to enter a user name. Passkeys also enable seamless integration across different devices, increasing flexibility for the user.

Introduction of an RSS newsfeed

An RSS newsfeed has been integrated into the privacyIDEA user interface. Administrators can subscribe to this newsfeed and find out about updates, patches or webinars.

All other changes are listed in detail in the Changelog on GitHub. At this point, all components of privacyIDEA are also being further developed as open source software under the AGPLv3 under the leadership of NetKnights GmbH.

Availability

The new version 3.11 of privacyIDEA is now available via the Python Package Index and in the community repositories for Ubuntu 20.04, 22.04 and 24.04.

About privacyIDEA

privacyIDEA is an open source multi-client and multi-instance capable system for multi-factor authentication. The development is made transparently on Github. Installations and updates are easily possible via the Python Package Index or via repositories for Ubuntu. A few weeks after the respective community major release, NetKnights GmbH publishes an enterprise release for Ubuntu LTS and RHEL/CentOS.

Further information on the latest developments relating to privacyIDEA can be found at https://netknights.it/en/news/.

Token organization in container, WebAuthn Offline and extendes PUSH-Login available

The IT security company NetKnights has released version 3.10 of the professional multi-factor authentication software privacyIDEA. The organization of tokens in containers enables user-friendly and clear token management. As a new authentication method, WebAuthn can now also be used offline in version 3.10. Furthermore, authentication using PUSH tokens has been extended. The new version is now available via the Python Package Index and in the community repositories for Ubuntu 20.04 and 22.04.

Support of WebAuthn Offline Token

A new feature is the support of WebAuthn tokens for offline authentication. With the implementation of WebAuthn offline tokens, users can authenticate themselves securely independently of their location, e.g. with their laptop while on the train. The tokens can be used offline across devices, whereby the functionality of the tokens is maintained in the same way in online mode. This contributes to seamless integration into existing IT security structures and optimizes user flexibility.

Token Management through containers

In version 3.10 of privacyIDEA, users can organize their authentication tokens in containers. These offer a clear method for organizing and managing tokens. This new function allows users to structure their tokens according to different characteristics and group them together in a container. For example, it is possible to organize professional and private tokens separately or to combine tokens for certain applications in one container. The containers thus help to create a clearer structure and make it easier to manage the tokens.

Authentication via PUSH token has been extended in version 3.10 of privacyIDEA. A letter or number is displayed in privacyIDEA during authentication using a PUSH token. At the same time, a selection of different letters or numbers appears in the Authenticator app. The correct answer must then be selected for successful authentication. This additional security measure is optional and can also be applied to existing PUSH tokens.

All further changes are listed in detail in the changelog on GitHub. At this point, all components of privacyIDEA are also being further developed as open source software under the AGPLv3 under the leadership of NetKnights GmbH.

Availability

The new version 3.10 of privacyIDEA is now available via the Python Package Index and in the community repositories for Ubuntu 20.04 and 22.04. In addition, NetKnights GmbH offers the Enterprise Edition with support for Ubuntu LTS, RHEL 8 and 9 as well as derivatives and an appliance tool and carries out contract development for special requirements.

About privacyIDEA

privacyIDEA is an open source multi-client and multi-instance capable system for multi-factor authentication. It is developed transparently on Github. Installations and updates are easily possible via the Python Package Index or via repositories for Ubuntu. A few weeks after the respective community major release, NetKnights GmbH publishes a stable enterprise release for Ubuntu LTS and RHEL/CentOS.

We are pleased to be able to release privacyIDEA 3.9. This release is an example of how privacyIDEA is ment to centrally manage all you authentication in one place – since successful authentication is a matter of smooth workflows.

privacyIDEA aims to be a management system where the administrator can easily manage the authentication topic for the users. You as an administrator can manage the OTP tokens (TOTP, HOTP apps, Yubikeys), tokentype like SMS or Email, even FIDO2. All you need for two factor authentication.

And privacyIDEA is able to also verify the first factor. The static password.

Old authentication – new token types

But sometimes you might see, that two factor authentication does not work out as expected. That applications do not play well with FIDO2/WebAuthn. Yes, sometimes applications do not play well even with OTP tokens. Take an Email client, that caches the user password and sends it, every time it fetches the emails from the server. The request will fail if it is sent with the same OTP value a second time.

Successful Authentication is not always a matter of choose the most modern cryptographic algorithm or the latest authentication method.

Sometimes there is an old, nasty application that refuses to work well with the 2FA method you are enrolling in your company. But privacyIDEA wants to help you as administrator to manage all these challenges in one system.

With privacyIDEA 3.9 we introduce two new token types which might sound old and insecure, but which are supposed to enable you to take a step forward, even if some old applications want to hold you back.

The application specific password token is simply a static password that can be bound to a specific application. The old application will send an authentication request against privacyIDEA and privacyIDEA will realize, that this auth request originated from this application and allow such application specific password tokens enrolled for this application to be used for authentication. A user can have a specific password for e.g. his email client, save this in his smartphone and privacyIDEA will accept this only for login requests by this email client resp. mail server.
You may check the conceptual evolution of this feature on Github.

The day password token is a similar quirky thing. In certain situations having an OTP token that changes all 30 seconds or 60 seconds may be to changeable for some users or use cases. But using no second factor and relying on a never changing static password is also not an option.

Why not have a token, that can be used for one hour? Or one day? The day password token in privacyIDEA 3.9 is a token type with a variable time window between one second and many days. During this time window the given code is valid during the whole time window and can be used as often as needed. It is similar to TOTP (in fact it is inherited from the TOTP token class), but has the above mentioned special effects.

This token type has its counter part in the privacyIDEA Authenticator App, which you can find in the Google Play Store and Apple App Store. The day password token is supported in the privacyIDEA Authenticator App starting with version 4.2.

Improving SSH Key Management

Managing SSH keys has been a bit cumbersome in the past. You as the administrator had to assign each SSH server to the SSH key, so that the user could use the SSH key to log to this server.

With privacyIDEA 3.9 you can now define service identifiers, which represent the servers. E.g. you could define an identifier “web servers” and assign SSH keys to this identifier.

Now you can simply have the SSH server identify as “web servers” to allow the login with this SSH key. This way it is easy as configuring the corresponding server, to add a new SSH server to the “web servers”.

The helper script privacyidea-authorizedkeys, which is supposed to run on the SSH servers has been modified so that it queires privacyIDEA for the corresponding service identifier.

Changelog

A new event handler can set the application assignment during enrollment. This helps with definding HOTP tokens as Offline-Tokens for the privacyIDEA Credential Provider. The PUSH token can do a decline, so that the authentication process is cancelled.

You can find the complete changelog at Github.

Install and Update

You can download and update privacyIDEA 3.9 via the community repositories for Ubuntu 20.04LTS and Ubuntu 22.04LTS or via the Python Package Index.

If you want to get involved, you can join the discussion at the Forum or coding at Github.

We are happy to inform you, that we released privacyIDEA 3.8 today. 3.8 is an important milestone, since we start to support the Yubikey as a smartcard, that can also be used to login to Windows domains.

Support for smartcard login on Windows systems

privacyIDEA 3.8 can manage the Yubikey as a smartcard that holds a smartcard logon certificate. To obtain the smartcard logon certificate, the privacyIDEA server has a new certificate connector to communicate to all Microsoft Active Directory Certiticate Services in the connected Windows domain.

Thus the certificate on the Yubikey can directly be obtained from the Micrsoft CA but be managed within privacyIDEA.

Rollout during authentication

privacyIDEA supports Multi-Challenge-Response for a while. This mechanism can be used to reset an OTP PIN or authenticate with 4-eyes tokens or index-secret tokens.

In version 3.8 this same mechanism can now be used to enroll a token during authentication. The administrator can define a policy, which token type should be enrolled by the user. In several challenge-response steps thus the user can enroll HOTP, TOTP, email, SMS or PUSH tokens. Email and SMS tokens can even be enrolled in standard applications like the Netscaler.

HOTP, TOTP and PUSH enrollment require the application to display a QR code. This mechanism will be supported by all privacyIDEA plugins for e.g. Keycloak, simpleSAMLphp or ADFS.

Fast login, fast debugging, token groups

Using a new “preferred client mode” the administrator can define, which should be the preferred way for a user to authenticate, in case the user has more than one token type.

The audit log has been greatly improved for bug tracking. It now also records the thread ID of an API request.
Since the threat ID is also contained in the debug log file, this is a great handle to find the relevant detailed information to a specific request in the logs.

privacyIDEA 3.8 comes with the new conecpt of “token groups”. We plan to use this to improve SSH key management and the management of offline tokens.

For more details see the changelog at Github.

Install or Update

You can download and update privacyIDEA 3.8 via the community repositories for Ubuntu 18.04, 20.04 and now also 22.04 or via the python package index.

If you are not using your own source code but use the precompiled privacyIDEA Authenticator released by the company NetKnights, this has the following meaning for you.

Breaking Change in Push-Functionality

In order to increase the stability of the push functionality and the reliability of the delivery of the push messages, we decided to revise the configuration of the Firebase project. As of version 4.0, the app works with a central Firebase project that is managed by NetKnights.

That means your privacyIDEA server will no longer be able to notify the push tokens in the app version 4.0 via the Firebase project you have configure individually. To enable the new and more stable notification feature, you either need to recompile the App or get a subscription from NetKnights to gain access to the central Firebase project.

However, you can also use the precompiled and released Authenticator App without the need for a Firebase project.

Using Push-Token without Firebase project

In this scenario you will use the Push-Poll functionality, where the Authenticator polls the challenges from the privacyIDEA server. Users will have to have the privacyIDEA Authenticator App in the foreground to receive messages.

You need to proceed as follows.

1. Update the privacyIDEA server to version 3.7.1. This will ensure a flawless polling functionality
2. If not yet configured, create a policy in scope “Authentication” with the setting “push_allow_polling” = “allow”.
3. If not yet configured, create a policy in scope “Enrollment” with the setting “push_firebase_configuration” = “poll only”.
4. If you already have a “push_firebase_configuration” policy, change it to “poll only”.
5. To receive the Push notification, the user must open the privacyIDEA Authenticator. The notifications will be polled or the user can actively poll the notifications by swiping downwards.
6. The configuration of the Firebase project in your privacyIDEA server can be deleted.

We take great pleasure in releasing privacyIDEA 3.7 today. It has been a long way since version 3.6. We implemented a lot of fixes and smaller but interesting enhancements. However, the most interesting new features are probably the redesign of the offline-token, a token verification during enrollment and a new supported way for encrypting the sensive data in privacyIDEA with a hardware security module.

Hardware Security Modules

Hardware Security Modules (HSMs) are expensive. Especially if you need a network attached HSM that provides the necessary performance to encrypt the OTP seed for each authentication request. This is the way how privacyIDEA currently supported HSMs. It is secure – but it is slow (unless you have the right hardware) and costly.

In privacyIDEA 3.7 we provide a new security module with a different approach. The idea was born in discussing security and speed with an enterprise community member.

The new security module encryptkey.py still holds the encryption keys in a keyfile. But this keyfile again is encypted with an assymmetric key on an HSM. The keyfile is decrypted by the HSM on startup and then the encryption keys from the keyfile are stored in memory. This way the slow HSM operation will only occur when starting or restarting the web server process. This allows you to use much cheaper HSMs or even Smartcards to protect your key material.

Still – you should be familiar with smartcards or HSMs and know what you are doing, to avoid wrecking your senstive data.

Offline Token

privacyIDEA allows clients like the privacyIDEA Credential Provider to fetch offline information to allow a user to login with a specific HOTP token, even if the privacyIDEA server can not be reached. However, this was always bound to the IP address of the client machine.

We removed the IP binding and redesigned the process. This way it is now much easier and more robust to use an HOTP token for offline authentication at your Windows notebook.

Verify Enrollment

When enrolling a smartphone HOTP or TOTP token, the user needs to scan a QR code that was generated by privacyIDEA. Only after scanning this QR code with a authenticator smartphone app, the token is technically enrolled on the user side. Administrators reported that sometimes some users forgot to scan the QR code. Thus privacyIDEA deemed the token as enrolled, while nothing existed on the user’s smartphone.

With 3.7 the administrator can now force the user to enter a valid OTP value during the enrollment process. This way the user is required to scan the QR code to be able to provide the valid OTP value. Only then privacyIDEA deems the token as successfully enrolled.

Further Enhancements

There are a lot of further enhancements.

Policies can now also use web server environment variables as conditions.

In version 3.6 custom user attributes have been introduced. In 3.7 the administrator can now define event handlers to set or delete custom user attributes. This way, you could e.g. set an attribute to a user as soon as the user enrolls a certain token type. Then you could have authentication policies, that take this token type as a condition, only allowing those users to do certain things.

Possibilities are many. We do not know them all! Find yours!

You can find the complete changelog at Github.

If you are running privacyIDEA in mission critical environments, the company NetKnights which staffs the core developers, also provides services and support.

If you want to get involved with privacyIDEA you can also visit the community forum.

We are proud to release the privacyIDEA simpleSAMLphp Plugin 2.1. We added a new feature, that allows the administrator to configure real Single Sign-On or secure 2FA requirement.

In Single Sign-On mode, the user is asked for the second factor only once. In the secure 2FA requirement, the user is required to provide his second factor for each application where he wants to log in.

The administrator can configure this behavirour in the config file with the parameter “SSO”.

The new version of the privacyIDEA simpleSAMLphp plugin is available via Github. You can download the code there and add it to your installation.

We are proud to present you privacyIDEA 3.6. Administrators and Users can manage custom user attributes. These additional attributes can overwrite and enrich the existing user attributes, which privacyIDEA reads from the user stores. This way the token administrator in privacyIDEA has additional possibilities to manage the users and to manage the user rights. These user attributes can be used within privacyIDEA policies. In addition policies can now also contain any token attribute like tokentype or fail counter. These attributes and policy conditions help administrators to keep control in larger setups by logically grouping users and tokens.

Policies with Custom User Attributes and Token Attributes

privacyIDEA is no Identity Management. Users are usually managed in an IdM, or only in LDAP or Active Directory. Nevertheless it can be important to add attributes to users – in case the token administrator has no access rights to the IdM or user directory. The administrator can now do so in privacyIDEA 3.6 using custom user attributes. The administrator can even allow users to manage their own attributes. This way the user can e.g. update his mobile number himself, without the need to contact the help desk or the administrator.

Based on these user attributes the administrator can now define policies and thus the access rights can be tuned in more detail.

In addition policies can now have conditions on each and every token attribute like description, serial, tokentype, otp length, maximum failcounter, failcounter, active state and more.

This way the administrator could allow helpdesk users to only delete tokens, that have previously been disabled by the user himself. Possibilities are endless.

Simple PUSH Token

Starting with privacyIDEA 3.0 we introduced the PUSH token. If everything works out fine, the PUSH token can work like a charm. But setting it up is quite complicated. Also the Push services by Google and Apple actually do not work that reliably. With privacyIDEA 3.6 the administrator can now configure the PUSH token to only work in a polling method. In this scenario no external 3rd party service is needed and the user’s smartphone only communicates with the privacyIDEA server.

By giving up some comfort such a setup can gain stability and improve the privacy aspect.

Token Rollover

The administrator can now configure a WebUI policy to allow users to roll over their tokens. This means that the key material is generated anew and the user can enroll the token again, e.g. by scanning a new QR code. This comes in handy, if the user is only allowed to have one token, but wants to move his token to a new smartphone or if the company decides to increase the key size of the tokens.

Enhancements

Besides these main features there are a lot of enhancements. The administrator can use pi-manage to export and import the system configuration. This can be used to move configuration from testing environments to productive environments. You can have different PIN policies for different tokentypes.

In pi.cfg the system administrator can define a custom entry point for the WebUI. This way you can create your complete own WebUI without changing anything in the code.

The token janitor received several improvements. It can export arbitrary user attributes, the seed can either be exported in hex or base32 to increase the interoperability with other MFA systems. The token export can now also contain the user assignment. This way tokens can easily be transferred between different privacyIDEA installations.

You can find the complete Changelog at Github.

Availability

You can download privacyIDEA 3.6 from Github or install it from the Python Package Index. For easy deployment you can use the community repositories for Ubuntu 16.04, 18.04 and 20.04. You can find the installation guidline in the online documentation. If you are updating, it is crucial to read the READ_BEFORE_UPDATE, which contains important information about LDAP resolvers and TLS.

If you want to get involved, be sure to drop by at the community forum. You can also take a look at Weblate, were the community can translate to different languages. We are grateful for the community effort to be able to ship translations in Dutch and French!

For mission critical scenarios the company NetKnights provides an Enterprise Edition with Support.