Entries by Cornelius Kölbel

privacyIDEA Authenticator App with Push for iOS

In combination with privacyIDEA 3.1, the privacyIDEA Authenticator App supports the authentication by using a Push-Token.

The Push-Token

When logging on to e.g. a website, the privacyIDEA backend sends a  cryptographically secured challenge to the user’s smartphone.
The user simply has to confirm the login request on his smartphone. In the background, the smartphone then signs the challenges and sends it back to privacyIDEA. The signature ensures that really this very user has  confirmed the login request.

The user is logged in automatically.

The privacyIDEA Authenticator on iOS

The privacyIDEA Authenticator with the Push functionality is now available for iOS in the Apple App Store.

In addition the privacyIDEA Backend supports a lot of different token types like software-tokens and hardware-tokens, Yubikeys, Nitrokeys and other possibilities. If you want to secure your login in your company with a 2nd factor, please get in touch!

privacyIDEA Enterprise Edition 3.1.1 available

Last week the version 3.1.1 of privacyIDEA was released.
Compared to version 3.1 it fixes a problem in the audit log that the serial numbers
the token was not saved to the audit log.

privacyIDEA 3.1.1 is available via the usual repositories, in the Python Package Index and in the community repositories for Ubuntu.

For enterprise customers privacyIDEA 3.1.1 is also available in the enterprise repositories for Ubuntu,
CentOS/Red Hat Enterprise Linux and the Univention Corporate Server.

You can get more information about the privacyIDEA Enterprise Edition.

, ,

privacyIDEA 3.1 released

NetKnights improves adjustability

Kassel, September 4th 2019. The open source security specialist NetKnights has updated and significantly enhanced its multi-factor authentication software “privacyIDEA”. The new version offers more flexibility to define the rights of users – and administrators – more granularly. The migration of proprietary and legacy systems is significantly simplified.

With the version 3.1 of privacyIDEA it is possible to bind the guidelines for user rights to any user parameters, for example LDAP attributes. In addition, an automatic reassignment of already used tokens eases the migration of other 2FA systems once again significantly. The “old” token PIN of a user can also be automatically adopted without the intervention of the IT department.

More flexibility in the definition of policies

With privacyIDEA, the administrator can now define policies dependent on any attributes. Which attributes these are is defined in extensible modules; in version 3.1 the user module is included. That means, the administrator does not have to bind the policies as before to a complete user source, but can generate a different behavior within a user source and/or user group dependent on the respective LDAP attribute of a user by the policies. For example, a company can enforce that users with access to more sensitive data can only log on with a secure token type, or that users who do not have an e-mail address, for example, are denied certain functions.

At the same time, the new privacyIDEA further expands the separation of special read rights for administrators. The policies can be used to define which administrators or helpdesk staff are allowed to read some configurations or not. The administrators’ read rights on tokens have also been refined. They only have access to the keys assigned to them. This makes it even easier to map client scenarios.

Easier migration through automatic token assignment

privacyIDEA allows a smooth migration of proprietary legacy or 2FA systems. This is relevant when manufacturers stop the development of proprietary systems (“end-of-life”) or products no longer meet the requirements of users.

After the seed files of the old system tokens have been imported into privacyIDEA, the system can immediately assign the tokens to the user in privcayIDEA during the login attempt. At the same time privacyIDEA can set the old Token PIN automatically, without an employee from the IT or the user having to become active for this.

Many additional extensions

The RADIUS Token now supports Challenge-Response. The push token functionality has been enhanced. For example, an authentication request can wait with the response until the push message is confirmed. This facilitates the integration of the privacyIDEA push token into third-party products.

The TiQR token has been extended by several functions that make it more convenient to use. The function of the TiQR token is comparable to that of a push token. However, the challenge is not sent via the push service of a third-party manufacturer, but via a QR code that the user scans. 

The administrator can define a welcome message for the users in the privacyIDEA graphical user interface in order to guide new users better through the rollout process.

Email notifications can now include a variety of new placeholders to better customize the message to the situation. 

The privacyIDEA server can force a token in the privacyIDEA Authenticator App to be protected with a PIN.

Event handler events can now also be connected to the WebUI login.


A complete list of the changes can be found in the changelog at Github.



privacyIDEA 3.1 is now available via the public repositories for Ubuntu 16.04 and 18.04. The software can also be installed on any distribution using the Python Package Index.

Consolidation of the market and migrations

IT security is on everyone’s lips today. But everyone understands something different about it: Pen-tests; secure coding or exploits; antivirus, antispam; data protection; still firewalls; security consulting; identity management; authentication. The subject of IT security is a broad spectrum. And that’s why everyone is also concerned with “IT security”. We deal with the special field of secure or strong authentication – multi-factor authentication.

The status quo of proprietary software and the market

IT security companies are often very specialized and therefore rather small companies. A few years ago this was even more true. Many important players in the market had fewer than a few hundred employees worldwide.

But because everyone was talking about IT security, the topic and thus these companies also became more attractive for larger companies and the merry-go-round of mergers and acquisitions picked up speed. Who still does know  Safeword Tokens? Secure Computing, Aladdin, SafeNet, Gemalto, Thales gave and give themselves a lively change of company names and product labels. Aladdin, SafeNet and Gemalto once had their own smartcard products and portfolios. These have now finally merged into Gemalto. 

In a merger, the company also grows its product portfolio. It is like after Christmas – new toys are coming, old ones have to leave the children’s room! And like this the grown company will also clean up its product portfolio. Products like SafeWord 2008, SAM Express and this year SafeNet Authentication Manager (the OTP part) will go end-of-life.

Death in a proprietary world

In the case of proprietary software, end-of-life often means the end of the software. If the manufacturer has licensed the software on a per-user basis, it is not possible for you as a customer to purchase even one additional user license for this software after End-of-Life! If you want to roll out second factors for new users in your company after the End-of-Life, then this is no longer possible. You have only licensed 1000 users? The 1000-and-first user can no longer receive a 2FA token in the old system! License exceeded!

Not only because of the missing support and the missing further development – No, even because of the missing functionality you are forced to migrate away from your existing system.

Manufacturers often offer supposedly attractive migration paths to the other proprietary product in their portfolio. But you know that migrations are expensive and time-consuming.

Pain point: Multi-Factor-Authentication

The migration of a multi-factor system comes with unwanted pain factors. Two-factor authentication usually means the combination of knowledge and some ownership. The ownership factor (Hardware token or a registered smartphone app…) is bound to the backend and simultaneously distributed to the user. Distributed in the field. Worldwide.

In extreme cases, the migration of an ownership factor can mean that the ownership factors distributed out there have to be collected and new ownership factors distributed.

Depending on the number of users, the structure of your company, the workflow of the users, this can be a lengthy, expensive and painful process – even if the new product comes from the same vendor. (It doesn’t come from the same manufacturer, but only from the same portfolio after the merger!)


Our employees have been working in the field of two-factor or multi-factor authentication since 2004 and therefore understand the pain of our customers. We have integrated this experience into privacyIDEA.

Already for some time privacyIDEA provides you with a smooth migration. Without any time pressure you run privacyIDEA and your old software in parallel, without the user having to notice anything about it. Step by step you roll out new tokens within privacyIDEA.

With the upcoming version 3.1 it will also be possible to import the seeds of old, existing tokens into privacyIDEA and automatically assign the tokens to the users and set the old token PIN automatically. No need to re-enroll tokens. Nothing to do for the users, minimal effort for the IT.

Many customers, such as Klinikum Hanau, already rely on privacyIDEA and have successfully migrated to privacyIDEA.

Look at the future

And if you want to migrate away from privacyIDEA? Why?

privacyIDEA is Open Source. With privacyIDEA you never meet the fate that you cannot roll out the 1000-and-first user. privacyIDEA is running. Will be running. Forever.

Invest in your future! Invest in Open Source! Invest in privacyIDEA!

, ,

NetKnights presents Two-Factor solution privacyIDEA at business fair it-sa

NetKnights will again be exhibiting at the business fair it-sa in Nuremberg this year.

From October 8th to 10th 2019, the who-is-who of German and international IT security providers will meet at the Nuremberg Exhibition Centre. Visitors will have the opportunity to get first-hand information about innovations and roadmaps of the security products.

NetKnights will be co-exhibiting with ownCloud in Hall 10.0, Stand 412. There we will present the multi-factor authentication system privacyIDEA, which can extend ownCloud in corporate environments by various second factors and thus reliably protect your business-critical data. Once rolled out in your company, privacyIDEA also allows secure login to other web applications, remote login, VPN, desktops and terminal servers…

Drop us a note and set up a meeting to discuss, how privacyIDEA can help to increase logon security in your network.

, ,

NetKnights presents privacyIDEA at the ownCloud Conference

In September the anual ownCloud Conference is held in Nuremberg, Germany. There companies that use ownCloud, developers from the community or ownCloud partners meet to hear about new developments and plans and to exchange their experiences.

ownCloud is an important partner to NetKnights. The privacyIDEA ownCloud Plugin is a stable software, which allows to enhance ownCloud with many different types of two factor authentication. A lot of companies and customers are using this privacyIDEA component, to protect the web access to their ownCloud installation.

Talk and stand

NetKnights will have a stand, a demo point where you can take a look at ownCloud in combination with privacyIDEA, check the different two factor mechnisms and ask us all your questions about 2FA with ownCloud.

We will also present new features like authenticating at ownCloud with the new privacyIDEA Push Token. In this case, after the user has authenticated with his username and password at the ownCloud Web UI, he gets a notification on his smartphone, which he simply has to confirm and then he will be logged in.


Cornelius Kölbel will also give a talk about this topic on September 18th. And he will also show, how the Push Token mechanism can be combined with any other two factor authentication mechanism in privacyIDEA like HOTP, TOTP, Yubikey, Email, SMS…



Ask us, if you already have questions upfront or if you want to make up an appointment at the ownCloud Conference.


Multi factor authentication system privacyIDEA at the Texas Linuxfest

privacyIDEA will be present at the Texas LinuxFest in Dallas on May 31st and June 1st.

Cornelius Kölbel will conduct a workshow in which participants will install the multi-factor authentication system privacyIDEA in an existing network, read users from an AD, assign tokens and extend access to ownCloud, NGinX or SSH to include two-factor authentication. Single Sign On is an important mechanism for making users’ lives easier. But protecting this single login is all the more important. Protect SSO with a second factor. The workshop will look at two-factor authentication with privacyIDEA on Keycloak or simpleSAMLphp.

The next day, Cornelius Kölbel will give a talk on how companies and larger user groups can easily migrate an existing 2FA solution to privacyIDEA.

If you are interested in these topics, please do not hesitate to contact us.

privacyIDEA Enterprise Edition 3.0.1 released

Today the privacyIDEA Enterprise Edition 3.0.1 was published. It is the stable bug-fixing release for our enterprise customers which fixes problems from version 3.0.

Push Token

For the new push token function, errors have been fixed and operability has been improved.

  • Add logic checking to setup of PUSH token (#1592)
  • Remove double enrollment notification of PUSH token in WebUI (#1598)
  • Fix to allow spaces in Firebase configuration (#1599)
  • Add support for iOS Firebase configuration (#1608)
  • Fix to allow PUSH token enrollment, even with Label-policy (#1589)
  • Fix to mark PUSH token challenge answered in the database (#1584)

(The numbers in brackets indicate the Github-Issues)

Stable Enterpsie Edition

In addition, the following issues have been fixed or functionality has been improved:

  • Fix the validity period of the registration token (#1587)
  • Beautify the vertical alignment in the Web UI top menu (#1559)
  • Fix user cache configuration read – defaults to 0 (#1596)
  • Remove links in audit log for normal users (#1497)
  • Check UI rights for user resolvers (#1496)
  • Fix placeholder in realm dropdown in login dialog (#1498)
  • Fix enckey creation in Python 3 (#1594)
  • Allow the usage if “browserLanguage” in custom templates (#1620)
  • Open all accordions when searching for policy action (#1558)
  • Fix to hide support links also in menu (#1626)

Secure your network

Version 3.0.1 is publicly available and can be easily installed via the Python Package Index or via repositories for Ubuntu 16.04LTS and 18.04LTS.

Our enterprise customers have been informed about the updates. They also have a repository for Red Hat Enterprise Linux 7 and an appliance application at their disposal. If you are interested in the Enterprise Edition, click here to learn more.

If you want to stay up to date, please subscribe to our newsletter.