privacyIDEA 3.3 Released

WebAuthn token support, event-based logging and more

privacyIDEA 3.3 is out. The new version introduces a new Event Handler Module to enable custom event-driven logging. Also new in 3.3 is support for WebAuthn tokens, which initially come to privacyIDEA as a second factor for WebUI login.


Everybody is talking about WebAuthn becoming the global standard for web-based authentication to overcome phishing and man-in-the-middle attack scenarios. Indeed, WebAuthn, as specified by the W3C, is a very flexible JavaScript-based API for user authentication. It is the successor of the U2F standard of the FIDO Alliance and is, like its predecessor, phishing-resistant because it uses public-key cryptography in a TLS-secured challenge-response exchange. However, WebAuthn has a far more general scope, as it is designed to work not only with U2F tokens but also with any other hardware that supports the API. WebAuthn will greatly extend the set of usable token devices, e.g. to hardware crypto chips that can be unlocked by a fingerprint scanner. For the end user, this example case results in a unique authentication experience, with the fingerprint as the apparent key device. During the authentication process, the browser acts as a relay between the WebAuthn security device (authenticator) and the service (relying party).

WebAuthn comes to privacyIDEA

privacyIDEA initially implements WebAuthn to support WebAuthn/FIDO2 hardware tokens as second factors. You can configure privacyIDEA as your relying party, enroll WebAuthn tokens with privacyIDEA and use them as a second factor to log in to the WebUI. The following gallery shows the enrollment process.

However, this is pretty much it for the moment, since WebAuthn requires both service and client to support it properly. As the privacyIDEA server integrates with other services like simpleSAMLphp, Keycloak, Owncloud and others via plugins, those plugins represent the client side. The next steps will therefore be to update the plugins accordingly. With the well-documented WebAuthn API and its coding examples, this is a fairly straightforward task (it still requires time). Everyone is invited to speed up the process by contributing on GitHub. NetKnights, the company driving the development of privacyIDEA on GitHub, plans to develop an SDK to help plugin developers integrate privacyIDEA with their favorite applications.

Log Freely

Since privacyIDEA version 2.12, the event handler has supported user notifications sent by email or SMS, triggered by custom events. privacyIDEA 3.2 introduced the ContainerAudit module to support multiple logging targets, which enabled the default SQLAudit and other logging modules to receive logged messages. This can be used to integrate privacyIDEA logging with central logging systems like Logstash and Splunk.

The new version 3.3 builds on this basis and moves towards completely customizable logging. The new event handler module Logging essentially implements a UserNotification that is sent to the Python logging facility instead of an external service. Like all event handlers in privacyIDEA, it can be bound to any event, with all the usual possibilities to configure further constraints. The custom log messages support the variables known from the UserNotification handler to give the administrator maximum flexibility. The privacyIDEA advanced logging is configured via a configuration file. Starting with version 3.3, privacyIDEA supports both YAML and INI format for the logging configuration file. This new event handler offers great flexibility, since you can configure not only what is logged but also where it is logged to. The logging name can be customized, which makes it easy to separate different types of information.
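As an added illustration (not privacyIDEA code or configuration), the following sketch uses only the Python standard library to show how a custom logger name separates event messages from the general server log. The logger name `pi-eventlog`, the file names and the newline-escaping filter are assumptions made for this example; the dictionary is the `dictConfig` equivalent of what a YAML logging file would contain.

```python
import logging
import logging.config
import os
import tempfile

EVENT_LOGGER = "pi-eventlog"  # hypothetical logger name chosen for this example


class EscapeNewlines(logging.Filter):
    """Keep each event on one line even if a variable contains CR/LF."""

    def filter(self, record):
        text = record.getMessage()
        record.msg = text.replace("\r", "\\r").replace("\n", "\\n")
        record.args = ()
        return True


def build_config(event_path, server_path):
    """dictConfig equivalent of a YAML logging file with two targets."""
    fmt = {"format": "%(asctime)s %(name)s %(levelname)s %(message)s"}
    return {
        "version": 1,
        "disable_existing_loggers": False,
        "formatters": {"plain": fmt},
        "filters": {"escape": {"()": EscapeNewlines}},
        "handlers": {
            "events": {"class": "logging.FileHandler", "filename": event_path,
                       "formatter": "plain", "filters": ["escape"]},
            "server": {"class": "logging.FileHandler", "filename": server_path,
                       "formatter": "plain"},
        },
        # propagate=False keeps event messages out of the root (server) log.
        "loggers": {EVENT_LOGGER: {"handlers": ["events"], "level": "INFO",
                                   "propagate": False}},
        "root": {"handlers": ["server"], "level": "WARNING"},
    }


def run_demo():
    """Log one event and one server warning; return both files' contents."""
    tmp = tempfile.mkdtemp()
    paths = [os.path.join(tmp, n) for n in ("events.log", "server.log")]
    logging.config.dictConfig(build_config(*paths))
    # Constructed sample values; the user name carries an embedded newline.
    logging.getLogger(EVENT_LOGGER).info(
        "token enrolled serial=%s user=%s", "SAMPLE0001", "alice\nforged line")
    logging.getLogger("server.module").warning("constructed server warning")
    contents = []
    for path in paths:
        with open(path) as handle:
            contents.append(handle.read())
    return contents
```

Because log messages built from event variables can contain user-supplied values, the filter keeps every event on a single line so that a downstream parser cannot be fed a forged record.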

Tell me your index: the Indexed Secret Token

privacyIDEA comes with a new token type, called Indexed Secret. This challenge-response token was requested to realize a second factor using already known shared secrets between an organization and its employees. The secret is stored in privacyIDEA for every user, and during login a challenge is presented, asking the user e.g. for the 1st and 4th character of their secret. For the secret “Secret”, the user would have to answer by typing “Sr”.

The secret may also be preset with user attributes from the userstore. However, note that using the phone numbers of your employees represents a weak second-factor attribute. The potential of this token is to support complex rollout scenarios that provide every user with a unique second factor, right from the start.
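The challenge described above can be sketched as follows. This is an added example, not privacyIDEA's implementation; all function names are hypothetical and the secret is the one used in the text. It also tracks which positions an observer of successful logins has already learned, which is why a short or guessable secret is a weak factor.

```python
import hmac
import secrets


def make_challenge(secret_len, count=2):
    """Pick `count` distinct 1-based positions, sorted for display."""
    if not 0 < count <= secret_len:
        raise ValueError("count must be between 1 and the secret length")
    rng = secrets.SystemRandom()  # OS-backed randomness, not the default PRNG
    return sorted(rng.sample(range(1, secret_len + 1), count))


def expected_response(secret, positions):
    """Characters of the secret at the requested 1-based positions."""
    return "".join(secret[p - 1] for p in positions)


def verify(secret, positions, answer):
    """Compare in constant time; a wrong-length answer simply fails."""
    expected = expected_response(secret, positions)
    return hmac.compare_digest(expected.encode(), answer.encode())


def positions_exposed(observed_challenges):
    """Positions disclosed to someone who watched these answered challenges."""
    return sorted({p for challenge in observed_challenges for p in challenge})


def fully_exposed(secret_len, observed_challenges):
    """True once every character of the secret has been typed at least once."""
    return len(positions_exposed(observed_challenges)) == secret_len


if __name__ == "__main__":
    secret = "Secret"  # the example secret from the text
    print(expected_response(secret, [1, 4]))
    print(verify(secret, [1, 4], "Sr"))
    challenge = make_challenge(len(secret))
    print(challenge, expected_response(secret, challenge))
    # Constructed list of challenges an observer might have seen answered.
    seen = [[1, 4], [2, 4], [3, 6], [5, 6]]
    print(positions_exposed(seen), fully_exposed(len(secret), seen))
```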

Administer Transparently

Previously, privacyIDEA let you specify the admin user to whom an admin policy applies. This could be, for example, a policy that allows enabling and disabling tokens but not deleting them. The new version adds the possibility to specify the users who are to be managed under this policy. This helps a lot in delegating user management and segmenting your administrative tasks.

There are now separate fields for the admin user and the managed user in the admin policy creation dialog.

The complete changelog can be found on GitHub.

Start your independence now

privacyIDEA is the flexible open-source multi-factor authentication solution which runs on-premises. It is hosted on GitHub and can be run and extended by anyone free of charge. But it also comes without any warranty. NetKnights provides professional support for enterprise customers at three different levels. For privacyIDEA, open source means that you will always be able to run it, without the fear of an end-of-life scenario. You can also participate in the development by reporting bugs, suggesting features or creating pull requests on GitHub to have your own code included. You can discuss privacyIDEA and share your use case in the privacyIDEA community.

privacyIDEA 3.3 can be installed from the GitHub sources, from the Python Package Index or with the community packages for Ubuntu 16.04 LTS and 18.04 LTS. NetKnights will also offer packages for CentOS/RHEL in the privacyIDEA Enterprise Edition.