Migrating a proprietary OTP / two factor solution

Easy migration of an existing OTP system to privacyIDEA

Often customers decide to switch their existing, proprietary OTP / two factor authentication system. They do it for several reasons. The existing system is to old and they get no useful updates anymore. Often the existing system is not flexible enough. The tokens, which run with this system, do not comply with the todays requirements. Companies merge and each company comes with its own proprietary authentication system. Sometimes the existing system is simply to expensive. And sometimes the customer prefers to use a transparent open source solution due to the increasing problems in trust and survailance.

These are reasons, why customers decide to use privacyIDEA.

Today privacyIDEA provides several possibilities to perform such a smooth migration. E.g. the RADIUS token. But starting with privacyIDEA version 2.11 there will be an even simpler migration scenario. privacyIDEA 2.11 will be released on March, 18th. If you want to stay tuned, please subscribe to our newsletter.

Centrally defined RADIUS servers

With privacyIDEA 2.11 you get the possibility to centrally define RADIUS servers. This is similar to the possibility to define SMTP servers centrally, which was introduced in privacyIDEA 2.10.

Centrally defined RADIUS server "RSA SecurID"

Centrally defined RADIUS server “RSA SecurID”

These RADIUS server definitions now can be used within RADIUS tokens or policies!

Up to privacyIDEA 2.10 each user had to get his own RADIUS token. Such a RADIUS token points to the RADIUS server of the obsolete OTP system. As long as the user has no real OTP token within privacyIDEA, the user will be authenticated against the obsolete OTP system.

One policy for all users

Starting with version 2.11 you now can define a privacyIDEA policy based on this centrally defined RADIUS server.


The centrally defined RADIUS server “RSA SecurID” is used in the passthru-policy.

To do this, the existing passthru-policy was enhanced. The passthru policy fires, if a user has no token assigned within privacyIDEA. With the passthru-policy the authentication request is forwarded to the LDAP or AD or — new in version 2.11 — to a centrally defined RADIUS server.

This means, that you only need to define one single policy to start a smooth migration from your old OTP system to privacyIDEA. You can then enroll new tokens to the users within privacyIDEA step by step without a hurry or without doing a hard switch!


The scenario described in this post works flawlessly with all systems, that use a RADIUS server. Including systems like Kobil, RSA SecurID, SafeNet, Vasco (in alphabetical order).

Just ask us!