20. December 2022

Multi-factor authentication privacyIDEA version 3.8 released

Smartcard login with Yubikey and transparent rollout to all applications

Kassel 20.12.2022 – The IT security company NetKnights releases version 3.8 of the professional multi-factor authentication software privacyIDEA. The new version allows users to log on to Windows systems using the Yubikey as a smart card. A flexible rollout mechanism allows certain token types to be rolled out at the application itself, eliminating the need for the administrator to redirect users to the self-service portal for rollout. A new “preferred_client_mode” allows the user to save time during the login process due to a reasonable preselection by the administrator. The new version is now available via the Python Package Index and in the community repositories for Ubuntu 18.04, 20.04 and now also 22.04.

Support for smartcard login on Windows systems

Windows operating systems support logon with a smartcard logon certificate and smartcard for a long time. All the user has to do is remember the smartcard PIN and insert the smartcard when logging in. This eliminates the need for complex, constantly changing domain passwords.
However, a third-party system is always required to manage such smartcards in a Windows domain.
Therefore, starting with version 3.8, privacyIDEA now offers the possibility to use Yubikeys as smartcards for passwordless logon (two factors: smartcard and PIN) to Windows systems. For this purpose, the privacyIDEA server can now communicate with a domain-integrated Microsoft Active Directory Certificate Service and store the issued smartcard logon certificates to Yubikeys.

The privacyIDEA Server can request certificates from an Active Directory Certificate Service an store the certificates to a Yubikey. Thus a smartcard base authentication to Windows systems is possible.

Rollout during authentication

Introducing multi-factor authentication in larger environments always brings the challenge of a sensible rollout process. privacyIDEA already offers many different options so that companies and organizations can optimize the rollout process to their needs.
With version 3.8 administrators now get a new, additional tool.
Using the challenge-response process, users can roll out their second factor right at the moment when they log in. This works completely transparently for the application to which the user logs on. The administrator can use policies to control whether a user must roll out a HOTP, TOTP, SMS, email or PUSH token. I n doing so, the user may have already authenticated with a possibly weaker second factor in the first step and now roll out a new, stronger second factor during login.
Since this happens at the application itself, it is not necessary to direct the user to the self-service portal.
SMS and email tokens can even be rolled out within standard applications like Citrix Netscaler. The privacyIDEA developers will transparently support the rollout of HOTP/TOTP tokens and PUSH tokens in all plugins that exist e.g. for ownCloud, Keycloak, ADFS.

Via Multi-Challenge-Response the administrator can control that users have to enroll their second factor during the authenentication process. The privacyIDEA Server supports HOTP, TOTP, SMS, E-Mail and PUSH for this way of enrollment. Token types like SMS and email can even be enrolled in native 3rd party applications like Citrix ADC.

Fast login, fast debugging, token groups

With version 3.8, the administrator can define a policy in privacyIDEA that transmits the preferred client mode to plugins. I f a user has several different tokens (e.g. email token, PUSH token, TOTP token), then the administrator can use this policy to define which login method the user should prefer to use. This way the user can save time as he does not have to select the login method during login.
The audit log in privacyIDEA records every API request to the system. Administrators and helpdesk staff can thus check the behavior of the system and find errors of the system or user errors. In the new version, privacyIDEA now also records the thread ID of the request. This makes it quick and easy to extract even more information about the request in question from the detailed log file.

Using the Thread ID in the Audit log support or helpdesk users can easily find the relevant location in the log file to investigate and solve errors in more detail.

In privacyIDEA 3.8, the administrator can now combine tokens into arbitrary groups. This is a basic function that the privacyIDEA developers plan to use in the future, for example to improve SSH key management or to simplify the management of offline tokens.
You can find all changes in detail in the changelog on GitHub. At Github, all components of privacyIDEA are also being further developed as open source software under AGPLv3 under the leadership of NetKnights GmbH.


The new version 3.8 of privacyIDEA is now available via the Python Package Index as well as in the community repositories for Ubuntu 18.04, 20.04 and 22.04. Additionally, NetKnights GmbH offers the Enterprise Edition with support for Ubuntu LTS, RHEL/CentOS and an appliance tool and performs custom development for special requirements.

About privacyIDEA

privacyIDEA is an open source multi-client and multi-instance capable system for multi-factor authentication. The development is done transparently at Github. The administrator can easily install or update the system via the Python Package Index or Ubuntu repositories. A few weeks after the community major version is released, NetKnights will also release a stable enterprise version for Ubuntu LTS and RHEL/CentOS.
You can get more informatino about development and news at the NetKnights Blog.

Latest press releases

privacyIDEA releases privacyIDEA PAM and privacyIDEA Shibboleth Plugin

NetKnights GmbH provides interested users with the privacyIDEA Pluggable-Authentication-Module (PAM) for Linux in beta version and the privacyIDEA Shibboleth Plugin in version 1.0.0. While the privacyIDEA PAM enables multi-factor authentication on Linux systems, the privacyIDEA Shibboleth Plugin extends the privacyIDEA SSO Plugin family.

Multi-factor authentication privacy IDEA version 3.9 is released

The IT security company NetKnights has released version 3.9 of the professional multi-factor authentication software privacyIDEA. The new token types daily password and application-specific password enable administrators to manage authentication to old applications centrally in privacyIDEA, even in heterogeneous environments.


Drücken Sie "Enter" zum Starten der Suche


Press "Enter" to start the search