Kassel, 9 September 2025 – IT security company NetKnights has released version 3.12 of its open-source multi-factor authentication solution privacyIDEA. The new version integrates a user resolver for Entra ID and Keycloak. For the first time, users can get a preview of the fundamentally redesigned WebUI. Enhanced smartphone container functions enable efficient token management.

User Resolver for Entra ID and Keycloak

privacyIDEA 3.12 introduces user resolvers for Entra ID and Keycloak. Administrators can retrieve user data directly from these directory services and assign tokens to them in privacyIDEA. This enables seamless token management, even in hybrid infrastructures consisting of on-premises and cloud environments.

Preview of modernised WebUI

The privacyIDEA user interface is being extensively modernised and will be available from version 3.13 . Version 3.12 offers a preview function of the new WebUI for user self-service and the administrator view. This provides a preview of the improved token overview, which allows tokens to be managed more efficiently. Users can test the new interface and provide feedback; based on this, the new WebUI’s user-friendliness will be further refined.

Enhanced Smartphone Container Functions

The smartphone container functions were expanded in version 3.12. Containers can be rolled out during authentication. Additionally, smartphone containers can be rolled out using the password of the user store as a registration code – in combination with the Authenticator app from version 4.6.0 onwards. This secures the rollout process without requiring an additional password.

Policy and Condition Improvements

Numerous improvements have been made to existing policies to enable more precise configuration. In addition, new conditions have been added and their handling has been refined.

Version 3.12 of privacyIDEA lays a modernised, future-oriented foundation for upcoming releases and prepares the software both technically and conceptually for the next development steps.

All other changes are listed in detail in the Changelog on GitHub. At this point, all components of privacyIDEA are also being further developed as open source software under the AGPLv3 under the leadership of NetKnights GmbH.

Availability

The new version 3.12 of privacyIDEA is now available via the Python Package Index and in the community repositories for Ubuntu 22.04 and 24.04.

About privacyIDEA

privacyIDEA is an open source multi-client and multi-instance capable system for multi-factor authentication. The development is made transparently on Github. Installations and updates are easily possible via the Python Package Index or via repositories for Ubuntu. A few weeks after the respective community major release, NetKnights GmbH publishes an enterprise release for Ubuntu LTS and RHEL/CentOS.

privacyIDEA is an authentication system that should suite your needs.

So it makes sense, that we ask you, what you need! Of course there is the community forum and the github repository, where you could write questions and issues. I know that it is sometimes easier to click answers.

This is why we started a privacyIDEA User Survey.

Thanks a lot for your Feedback!

Need for Speed

privacyIDEA is used in quite some big setups. So in this release we also had the focus on speed! With different actions we were able to reduce the time needed for one authentication request by up to 72%! (According to our lab environment – other numbers may differ)

So how did we manage this?

Many setups run their users in an LDAP directory or Microsoft Active Directory. As privacyIDEA does not store users but only references to user objects in user directories, we need to find the user object, when a user enters a login name. Thus, during authentication some LDAP requests are involved to resolve the login name to this user reference. We manage to optimize our LDAP calls, which resulted in a speed up of 57% in comparison to privacyIDEA 2.18.

The User Cache

But still privacyIDEA has to query the LDAP server. There can be setups, where the connection to the LDAP server is rather slow, since it is located behind a VPN connection. So we added a user cache in privacyIDEA 2.19. The user cache stores the login name and reference to user object in the local SQL database. Thus, once a user is know, there is no need for a further LDAP call.

In our lab environment we measured a further speed up of 33%, if the user cache is used with LDAP users. This effect could be even better, if you are running a slow LDAP connection!

U2F

privacyIDEA comes with two new policies for enrollment and for authentication.

The administrator can define a regular expression to restrict the types of U2F devices, that may be enrolled or used for authentication. This way a company may restrict the usage of U2F devices to one of a specific vendor. Or certain resources may only be accessed with some special U2F devices.

Secure Smartphones Apps

To use the Smartphone as your authentication device is a very common scenario nowadays. Everyone is taking care for his smartphone and is carrying it along. But as stated in the NetKnights blog post, the enrollment process most of the time is not that secure. The Key URI in the QR Code introduced with the Google Authenticator and used by many smartphone apps out there, contains the secret key.

privacyIDEA comes with a new integrated mutual key enrollment which makes implementing smartphone apps with a secure key enrollment much simpler. The privacyIDEA server and the smartphone app both create one component. The actual key is generated from these two components. Thus the secret key can not be easily copied and shared between several smartphones.

Further enhancements

There are many other enhancements. The time format was improved by adding a timezone. Policies and Eventhandler had some improvements like being able to set the Client IP or the User Agent in the tokeninfo fields.

The full Changelog can be found here.

Today I want to give you an idea about the current development in privacyIDEA. You may like privacyIDEA because it is probably the most flexible and extensible multi factor authentication system due to its sophisticated policies and event handler framework.

But I just pushed a small enhancement in regards to the policies, which my ease your life. You are now able to not only define policies based on realms, resolvers and list of users, but you may also use regular expressions for the users in policies. This will be part of privacyIDEA 2.18 which is scheduled for midth of March 2017.

This way you do not need to rely on the user realms and user resolvers. You can also specify, that a certain policy should be bound to all users matching customer_.* or admin_.*.

This can help to ease things, since you do not need to split up a realm into many resolvers.

Tell us, what you like. Join the Google Group, post your issues at Github or subscribe to the Youtube Channel.

privacyIDEA provides the possibility to verify credentials that arrive via a REST API. You can attach arbitrary applications to privacyIDEA. But this could also result in arbitrary data being sent. This is why we just pushed a new feature for the next release 2.5 of privacyIDEA.

Authentication Data Mangling

Just like many other features this can be configured flexibly via an authentication policy. The Authentication Data Mangling allows you to modify incoming authentication data, before these data are processed by privacyIDEA. Thus you can modify the username, the password or the realm sent in the authentication request.

Imagine a system, that sends malformed usernames. You can strip all whitespaces or only use a certain part of the sent username to find the user within privacyIDEA. You can use regular expressions to transform the sent username into a the username to be found in privacyIDEA.

You can also do funny things by modifying the password. A policy action like:

mangle=pass/.*(.{6})$/otppin\\1/

will only use the last 6 characters of the sent password (probably the OTP value) and put the fixed string “otppin” in front of it. Ok – no matter which OTP PIN the user enters, the authentication request will always use “otppin”.

Or you could change the order of OTP PIN and OTP values like this:

mangle=pass/(.*)(.{6})$/\\2\\1/

As you can also define these mangling-policies for certain clients, you can define – for which reason ever – clients where the <OTP PIN>+<OTP Value> are to be entered and other clients with <OTP value>+<OTP PIN>.

Authentication Data Mangling seems a mighty and flexible feature to me. I can not see all possible use cases, yet. So tell us what you think!

I used to host privacyIDEA on freecode.com as a platform to promote the project. Hm, what is the use of such a platform if it is readable but not searchable and sortable? The search engines will not have my project hits sort by relevance or activity.

Today I realize, that the dead decays faster than I though it would. Today you won’t even get the stylesheets on freecode any more. Looks kind of funny:

Honestly I am really sad. I started to use freshmeat about 14 years ago and I liked it a lot.

But we need to look forward – not backward – so I added privacyIDEA on sourceforge.