privacyIDEA 2.6 released. TiQR, 4-Eyes and Challenge Response

Image by SurfNet BV

Today privacyIDEA version 2.6 was released. This release makes authentication easier by introducing a new token type, TiQR. The TiQR token is based on the OCRA protocol, a challenge-response protocol that can be used to authenticate or to sign transaction data.

The TiQR token is a smartphone app. Authentication is as easy as scanning a QR code.

Furthermore, you can now log in to the privacyIDEA Web UI using challenge response. Any token that supports challenge response can be used to authenticate at the Web UI. These can be simple HOTP or TOTP tokens, but also tokens like SMS or Email. Of course, authenticating with the new TiQR token is also possible. See this screencast to get an idea of the smooth authentication.

Another interesting new feature is the 4-eyes token. This is a meta token that bundles two existing hardware tokens into one. This way you can require a two-man rule for certain sensitive accounts. It was already introduced in this blog post.

This is the complete changelog:


  • Add OCRA-based TiQR token to authenticate by scanning a QR code.
  • Add challenge response authentication to Web UI.
  • Add 4-Eyes token to enable a two-man policy. Two tokens of two users are needed to authenticate.
  • “Revoke Token” lets you perform a special action on token types. Tokens can be revoked, meaning they are blocked and cannot be unblocked anymore.


  • Add HA information in the documentation.
  • Add OpenVPN documentation.
  • Add challenge response policy, to define if e.g. HOTP or TOTP are allowed to be used in challenge response mode.
  • Add hotkeys for easier use of Web UI.
  • Remove wrong system wide PassOnNoUser and PassOnNoToken.
  • Set default language to “en” in Web UI.


  • Fix LDAP bug #179, which allowed authentication with a wrong password under certain conditions.
  • Small fixes in coverage tests.
  • Fix username in web UI during enrollment.
  • Fix link to privacyIDEA logo in Web UI.
  • Fix bug where users were not able to resync their own tokens.
