privacyIDEA Credential Provider Version 3.0 available

As of today the new version 3.0 of the privacyIDEA Credential Provider is available. The privacyIDEA Credential Provider allows users to securely log on to a Windows desktop or terminal server with a second factor. The user can use a smartphone app, a one-time password token, Yubikeys or Nitrokeys. Alternatively, the authentication backend sends the user an email or SMS with a one-time code for the login.

New in Version 3.0

The Credential Provider was completely revised in C++ for version 3.0. The new code structure allows easier customization and faster release cycles.

In version 3.0 the following functions have been added:

Easy Push Authentication

Since version 3, the privacyIDEA backend supports authentication via push tokens, where the user only has to confirm the login on their smartphone. Push authentication is now also seamlessly integrated into the Credential Provider for logging on to the Windows desktop.

Realm-Mapping for complex scenarios

If users need to log on to multiple domains or multiple realms are managed in privacyIDEA, this is no longer a problem with the new credential provider. In the new version, the administrator can define a flexible mapping from Windows domains to privacyIDEA realms.

Offline: Failsafe and mobile users

The privacyIDEA Credential Provider now supports logon with HOTP tokens when the privacyIDEA server is not reachable. This is useful if the user wants to log on to a notebook with a smartphone HOTP token or with a Yubikey while on the road.

In order to be able to deal with network failures in critical scenarios, the administrator can now also define a privileged account with which the user can log on without authentication against privacyIDEA.


The privacyIDEA Credential Provider is available for download for registered customers. Interested users can evaluate the software in an extensive test phase. Please contact us to obtain a demo version.

About the privacyIDEA Credential Provider

The Credential Provider is installed on Windows client or server systems. During logon, it asks the user for a second factor in addition to the Windows password.

The authentication is carried out against the privacyIDEA backend, in which the administrator manages all user tokens at a central location on premises.

The administrator can completely customize the appearance of the privacyIDEA Credential Provider to the corporate design. Logos and texts can be adapted according to the corporate design.
The privacyIDEA Credential Provider integrates seamlessly into the existing Windows landscape. It supports Network Level Authentication (NLA), User Access Control (UAC) and Over-The-Shoulder (OTS). The password can be changed both during logon and while unlocking a session.
privacyIDEA Credential Provider is available as a signed MSI package. Companies can thus easily install the software on Windows 8, Windows 10, Server 2012, 2016 and 2019 via their preferred software distribution system.
By authenticating against the privacyIDEA backend, which is available under an open source license and is also operated in the company’s own network, companies not only have freedom of choice when it comes to using the second factors, but also have full control over the entire logon process at all times.

Kassel, April 6th, 2020 – Open source security specialist NetKnights has released a new version of its multi-factor authentication software privacyIDEA. The new version allows organizations to centrally manage users’ WebAuthn tokens in privacyIDEA, making modern authentication technologies available to the enterprise. A new event handler module will also allow individual connection to central logging systems such as Logstash or Splunk. privacyIDEA 3.3 is now available via the Python Package Index and in repositories for Ubuntu LTS.

WebAuthn as a new authentication method

An important new feature in privacyIDEA 3.3 is support for the WebAuthn protocol. This has been specified by the World Wide Web Consortium (W3C) as a global standard for web-based authentication. privacyIDEA is thus future-proof and will continue to offer the highest flexibility in the selection of modern authentication devices from the Yubikey security token to fingerprints on a smartphone and crypto chips in notebooks.

Users of privacyIDEA can thus achieve a step-by-step modernization of their two-factor authentication by using “old” methods such as SMS, OTP hardware tokens or smartphone apps in parallel with modern methods such as Yubikey, U2F or even WebAuthn, and by gradually replacing them.

Event Handler sends information to Log systems

A great strength of privacyIDEA is the event handlers, with which the administrator can link new actions to events. Version 3.3 offers a new event handler module to forward messages to a central logging system on an event-driven basis. This allows the administrator to store freely definable log information locally and to send it to central logging services for further processing. The developers present the integration using Logstash as an example in the privacyIDEA Community Blog.

New token type for individual rollout scenarios

The IndexedSecret Token is a special type of token that allows users to log on based on existing secret information. This can be particularly useful in complex rollout scenarios.


The developers have also optimized and extended the WebUI in several places. The detail view of the policies has been revised to make complex definitions clearer for the administrator. The administrator can now distinguish more precisely between the authorizations of individual administrative users. This is especially useful in larger installations with many administrators or helpdesk employees.

A complete list of changes can be found in the changelog at Github.


The new version 3.3 of privacyIDEA is now available in the community repositories for Ubuntu 16.04 and 18.04. In addition, NetKnights GmbH offers an Enterprise Edition with support for Ubuntu LTS and RHEL/CentOS and performs custom development for special usage scenarios.



Kassel, December 2nd, 2019. The open source security specialist NetKnights has released a new version of the multi-factor authentication software “privacyIDEA”. It offers new possibilities to adapt the authentication system by flexible configuration and to integrate it into one’s own workflows.

With version 3.2 of privacyIDEA, the administrator receives two new event handler modules to define rules that can modify both HTTP requests and HTTP responses of the REST API as required. This allows workflows to be highly customized. It is now possible to easily forward audit information to external log management tools such as Splunk or Logstash and process it there. The authentication at the REST-API has been extended so that a robust integration into any other application can be implemented.

privacyIDEA is now available via the Python Package Index and in repositories for Ubuntu LTS.

Two new Event-Handler-Modules improve flexibility

Up to now, the event handler framework had token, script, federation, and statistics handlers in addition to notifications. The request handler and the response handler are now two additional, very flexible modules. These enable the administrator to define rules that change parameters of REST requests to privacyIDEA, and also the values in the response, at will, depending on definable conditions.

The behavior of privacyIDEA can thus be adapted extremely flexibly. Typical application cases are, for example, secure password resets, special rollout scenarios or individual authentication rules. The system can thus be adapted to different user requirements and fit into already existing processes.

Audit-Data at your fingertip

privacyIDEA writes log data: who did what, how and when – including success or failure and additional information – into an internal, structured SQL audit module. From version 3.2 the administrator can also enable a file audit module. Its entries can now be easily imported into any log management system such as Splunk or Logstash. This enables companies to correlate events – including those from privacyIDEA – and to identify and process problems more easily.

Integrate any privacyIDEA function into your own portals

Via the REST API, privacyIDEA can already be integrated into a customer's own portals, for example a browser-based self-service portal or an existing internal management portal.

This has become considerably easier with version 3.2 through the use of trusted JSON Web Tokens in privacyIDEA. Any token management function can also be integrated into other applications, which should be particularly interesting for in-house developments. However, it remains the responsibility of the privacyIDEA administrator to grant or withdraw all rights centrally in privacyIDEA.

Many further enhancements

The policies, which generally control the behavior of privacyIDEA, were also extended. The administrator can now use any HTTP header as a condition for the respective policy.

Event handlers can also use the requesting HTTP client or the rollout state of a token as a condition.

In addition to notification by e-mail and SMS, the notification handler now also contains the option of simply writing messages to files in a spool directory.

The behavior of the PUSH token has also been improved. The authentication process is now designed to integrate more easily with other applications.

In total there were more than 25 extensions and six bug fixes. A complete list of the changes can be found in the changelog at Github.

Install or update privacyIDEA

privacyIDEA 3.2 is now available via the public repositories for Ubuntu 16.04 and 18.04. The software can also be installed on any distribution via the Python Package Index. Enterprise releases for Ubuntu LTS and RHEL/CentOS will follow shortly.


NetKnights improves adjustability

Kassel, September 4th 2019. The open source security specialist NetKnights has updated and significantly enhanced its multi-factor authentication software “privacyIDEA”. The new version offers more flexibility to define the rights of users – and administrators – more granularly. The migration of proprietary and legacy systems is significantly simplified.

With version 3.1 of privacyIDEA it is possible to bind the policies for user rights to any user parameter, for example LDAP attributes. In addition, automatic reassignment of already used tokens once again significantly eases the migration from other 2FA systems. The "old" token PIN of a user can also be adopted automatically without the intervention of the IT department.

More flexibility in the definition of policies

With privacyIDEA, the administrator can now define policies dependent on any attributes. Which attributes these are is defined in extensible modules; in version 3.1 the user module is included. This means the administrator no longer has to bind policies to a complete user source, as before, but can produce different behavior within a user source or user group depending on the respective LDAP attribute of a user. For example, a company can enforce that users with access to more sensitive data can only log on with a secure token type, or that users who do not have an e-mail address are denied certain functions.

At the same time, the new privacyIDEA further expands the separation of special read rights for administrators. The policies can be used to define which administrators or helpdesk staff are allowed to read some configurations or not. The administrators’ read rights on tokens have also been refined. They only have access to the keys assigned to them. This makes it even easier to map client scenarios.

Easier migration through automatic token assignment

privacyIDEA allows a smooth migration of proprietary legacy or 2FA systems. This is relevant when manufacturers stop the development of proprietary systems (“end-of-life”) or products no longer meet the requirements of users.

After the seed files of the old system's tokens have been imported into privacyIDEA, the system can immediately assign the tokens to the user in privacyIDEA during the login attempt. At the same time privacyIDEA can set the old token PIN automatically, without an employee from IT or the user having to take any action.

Many additional extensions

The RADIUS Token now supports Challenge-Response. The push token functionality has been enhanced. For example, an authentication request can wait with the response until the push message is confirmed. This facilitates the integration of the privacyIDEA push token into third-party products.

The TiQR token has been extended by several functions that make it more convenient to use. The function of the TiQR token is comparable to that of a push token. However, the challenge is not sent via the push service of a third-party manufacturer, but via a QR code that the user scans. 

The administrator can define a welcome message for the users in the privacyIDEA graphical user interface in order to guide new users better through the rollout process.

Email notifications can now include a variety of new placeholders to better customize the message to the situation. 

The privacyIDEA server can force a token in the privacyIDEA Authenticator App to be protected with a PIN.

Event handler events can now also be connected to the WebUI login.


A complete list of the changes can be found in the changelog at Github.



privacyIDEA 3.1 is now available via the public repositories for Ubuntu 16.04 and 18.04. The software can also be installed on any distribution using the Python Package Index.

Secure and trustworthy authentication at Windows Desktop and Terminal Server

Today we release version 2.5 of the privacyIDEA Credential Provider. The privacyIDEA Credential Provider requires a user to log in to the Windows desktop or terminal server using a second factor. The user can authenticate with a smartphone app, a one-time password token, a Yubikey or a Nitrokey. Alternatively, the authentication backend can send the user an email or text message containing a one-time code for the login.

The authentication is done against the privacyIDEA authentication system. The administrator can manage and control all authentication devices in this central location within the company's own network.

Authentication under your control

The administrator can adapt the look and feel of the privacyIDEA Credential Provider according to the corporate design. Logos and text can be adapted to fit the authentication policies in your company.

The Credential Provider integrates seamlessly into an existing Windows network. It supports Network Level Authentication (NLA), User Access Control (UAC) and Over-The-Shoulder (OTS). The user can change their domain password during the login process and also while unlocking a locked desktop session.

privacyIDEA Credential Provider comes as an MSI package. Thus it can easily be enrolled using the preferred software deployment system and be installed on Windows 8, Windows 10, Server 2012 and 2016.

By authenticating against the privacyIDEA backend you get the free choice of which user should use which authentication device. Thus you gain the full control of the authentication processes in your organization.

New in Version 2.5

The core new feature in version 2.5 is a challenge response authentication. This allows the user to also use one time codes sent via Email or SMS to authenticate to the Windows machine.

The privacyIDEA Credential Provider is available for download for registered customers. If you are interested in testing the software, you can get a demo copy for an extensive test in your environment.

Kassel, September, 26th 2017. The World Wide Web Consortium (W3C) is implementing privacyIDEA for securing access to their infrastructure with a second factor. The privacyIDEA Authentication System was chosen due to its flexible nature and the possibility to allow a single sign on experience for the users.

The services and especially the users are distributed worldwide. Shipping authentication devices centrally is not efficient, and allowing only one type of authentication object is not an option. For W3C it is a big advantage that privacyIDEA can manage many different token types from different vendors at the same time. The lean REST API allows easy integration into their own user portal. W3C connected privacyIDEA to their existing user management. Users will be able to choose whether they want to self-enroll smartphone applications or U2F devices. Depending on the device type, users gain access to resources of different security levels.

“Working with NetKnights is very effective. They provide just the right amount of consultancy for us to be able to implement the open source software privacyIDEA into our network and in our workflows,” said Ted Guild, Head of W3C Systems. Cornelius Kölbel, CEO at NetKnights, added: “W3C stands for Web standards. So we are very happy that W3C chose privacyIDEA, as this is an open solution, which complies with an open development workflow and open standards.”

About the World Wide Web Consortium (W3C)

The mission of the World Wide Web Consortium (W3C) is to lead the Web to its full potential by creating technical standards and guidelines to ensure that the Web remains open, accessible, and interoperable for everyone around the globe. W3C standards HTML5 and CSS are the foundational technologies upon which all Web sites are built. For its work to make online videos more accessible with captions and subtitles, W3C received a 2016 Emmy Award.

W3C’s vision for “One Web” brings together thousands of dedicated technologists representing more than 400 member organizations and dozens of industry sectors. Organizationally, W3C is jointly run by the MIT Computer Science and Artificial Intelligence Laboratory (MIT CSAIL) in the United States, the European Research Consortium for Informatics and Mathematics (ERCIM) headquartered in France, Keio University in Japan and Beihang University in China.


About NetKnights and privacyIDEA

NetKnights GmbH is located in Kassel, Germany. It is an independent IT Security firm, providing services and products in the fields of strong authentication, identity management and encryption. NetKnights employs the core developers of the modular authentication system privacyIDEA.

privacyIDEA is open source software and thus has no vendor-defined end of life. Customers own their privacyIDEA installation and can use it without restrictions. NetKnights provides different subscription and support levels of privacyIDEA Enterprise Edition to meet the requirements of companies.

From October 10th-12th NetKnights presents privacyIDEA at the IT security fair it-sa in Nuremberg, Germany, at stand 10.1-208.