Posts

If a company or an organization wants to provide two factor authentication for thousands of users they are faced with totally new challenges.

Users will not come to the administrator's desk. The administrator will not enroll a hardware token or initialize the user’s smartphone with the Google Authenticator on a per-user basis. There are so many users that the administrators or helpdesk users do not even know all the end users anymore. There must be a solution in which the enrollment process itself hands the authentication object to the user and ensures the identity of the user, preferably automatically!

Users might be spread over cities, countries – worldwide. They are ordinary end users and often not computer savvy. The rollout and the usage of two factor authentication should bother neither the end user nor the IT department too much.


privacyIDEA Authenticator Smartphone App

The smartphone is our daily tool and the digital copy of our own identity. This is not the place to discuss the social implications. We just state the fact.

The Smartphone as the second factor

Due to this fact many organisations and companies like to use smartphones to make the authentication process more secure. The smartphone is “always” with the user and is the device that is accepted by the user. Using applications like Google Authenticator, the smartphone is supposed to become the second factor for authentication. Although the smartphone is obviously not as secure as a dedicated hardware token, the privacyIDEA Authentication System has supported smartphones as a possible second factor right from the start.

But taking a look at a smartphone app like the Google Authenticator, there are some security issues. We discussed this in detail in a previous blog post. The problems with the rollout process using the Key URI defined for the Google Authenticator finally made us develop our own privacyIDEA Authenticator. As an Open Source company we use the GitHub repository to transparently develop the privacyIDEA Authenticator app.

Secure enrollment

The first and most important feature from the long feature list is securing the enrollment process. To do so, the privacyIDEA Authenticator generates one key component on the smartphone itself, while another key component is generated on the privacyIDEA Server. The final OTP seed / key is generated from both components.

This way we avoid the easy cloning of the secret OTP seed during the enrollment process. By cloning the OTP seed, users were easily able to create indistinguishable copies of the OTP token, thus making the smartphone useless as a second factor to identify the user. Using the privacyIDEA Authenticator you will be able to leave this problem behind.

Beta testing

The privacyIDEA Authenticator app is backward compatible with Google Authenticator and FreeOTP. Its full potential will be unleashed with the privacyIDEA Server starting with version 2.21. Starting with this version the mentioned two-step-enrollment is supported.

The privacyIDEA Authenticator app is available in a controlled beta state. privacyIDEA 2.21 will be available this month. Using the Python Package Index or the developer PPA repository for Ubuntu 14.04LTS or 16.04LTS you can already install the release candidate of the server.

Install using the Python Package Index:

pip install privacyidea==2.21dev2

Or install using the PPA repository:

add-apt-repository ppa:privacyidea/privacyidea-dev

You can get more information about the installation in the online documentation.

If you want to test the privacyIDEA Authenticator app you are welcome to drop us a note. We will add you to the beta test. You have the possibility to influence the development of the app. The privacyIDEA Authenticator is currently available for Android. The installation during the beta tests is done via the Google Play store. Thus you do not need to change any settings of your smartphone.

Get in touch to be part of the beta test!

Today we released privacyIDEA 2.19. Packages are available in the Launchpad-Repos for Ubuntu 14.04LTS and 16.04LTS. You can also install privacyIDEA on any Linux distribution using the python package index.

New Features in privacyIDEA

Authentication performance

privacyIDEA 2.19 is up to 72% faster!

In lab tests privacyIDEA 2.19 shows improved performance. Authentication requests are up to 72% faster than in the previous version. This is also due to a new generic user cache. This user cache stores the link between login name and user object in the local SQL database. Thus time-consuming requests to the original user store, like LDAP servers or Active Directory, become unnecessary.

Filter U2F devices for the users

Using policies the administrator can define which type of U2F device the user is allowed to register. In further policies the administrator can also define which U2F types the users can use to authenticate at certain applications. This way the usage of certain U2F devices can be denied in your company, or certain devices from specific vendors can be required for login to sensitive systems.

Secure smartphone apps with privacyIDEA

The classical smartphone app enrollment comes with several problems, which privacyIDEA 2.19 can solve.

In a previous blog post we already pointed out the limitations of the usual smartphone enrollment with the Google Authenticator. As a company or large organization you want to keep control over the enrollment processes of your users. Thus in version 2.19 of privacyIDEA a better rollout possibility was added. The smartphone and the privacyIDEA server do a mutual key generation. Both create a component, and the secret key is generated from both components. This avoids easy copying of the QR codes.

Read more details in the privacyIDEA Blog.
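The mutual key generation described here, and in the “Secure enrollment” section of the privacyIDEA Authenticator post above, can be sketched as follows. This is an added example, not privacyIDEA's own code: the page does not state how the two components are combined, so the PBKDF2 derivation, its parameters, the `twostep` URI marker and the serial are assumptions made for illustration.

```python
import base64, hashlib, hmac, secrets, struct
from urllib.parse import urlencode, urlparse, parse_qs

# Assumed parameters for this sketch; the page does not state the derivation.
ITERATIONS = 10000
KEY_LEN = 20  # bytes, the usual seed size for HMAC-SHA1 based HOTP

def server_start_enrollment(serial):
    """Server creates its component and the QR code content (a Key URI)."""
    server_part = secrets.token_bytes(KEY_LEN)
    # "twostep" is a hypothetical marker telling the app to add its own part.
    query = urlencode({"secret": base64.b32encode(server_part).decode(), "twostep": "1"})
    return server_part, f"otpauth://hotp/{serial}?{query}"

def phone_scan(uri):
    """Phone reads the server component from the QR code and creates its own."""
    params = parse_qs(urlparse(uri).query)
    server_part = base64.b32decode(params["secret"][0])
    phone_part = secrets.token_bytes(8)  # generated on the phone, never in the QR code
    return server_part, phone_part

def derive_seed(server_part, phone_part):
    """Both sides run the same derivation over both components."""
    return hashlib.pbkdf2_hmac("sha1", server_part, phone_part, ITERATIONS, KEY_LEN)

def hotp(seed, counter, digits=6):
    """HOTP value as defined in RFC 4226."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def demo():
    server_part, qr = server_start_enrollment("PIPU0001")  # constructed serial
    scanned, phone_part = phone_scan(qr)
    phone_seed = derive_seed(scanned, phone_part)
    # Assumed transport: the phone component reaches the server through the
    # enrollment session (for example typed in by the user), not via the QR code.
    server_seed = derive_seed(server_part, phone_part)
    # A copy of the QR code contains the server component only.
    return {
        "phone_matches_server": hotp(phone_seed, 0) == hotp(server_seed, 0),
        "qr_copy_is_final_seed": scanned == server_seed,
    }

if __name__ == "__main__":
    print(demo())
```

The second result shows why a photographed or forwarded QR code is no longer a working token: the OTP seed only exists after the component generated on the phone has been mixed in.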

More functions

Version 2.19 comes with further detail improvements like using the IP address or the browser user agent in the event handler framework. The date and time format was consolidated. Now the complete ISO date with timezone is saved to the database. This greatly eases working across timezones in international setups.

You may want to take a look at the complete Changelog.

Enterprise Edition and Consultancy

NetKnights provides consulting and support with the privacyIDEA Enterprise Edition. Using Open Source you optimize your total cost of ownership, because there are no external limitations which dictate how long or short you may use the software. With the privacyIDEA Enterprise Edition including an SLA you get the warranty and thus operating safety.


You want to stay tuned? Please subscribe to our newsletter!

You want to test the system yourself? Register for a test instance!

You want to know more? Get in touch!

privacyidea-enrollment-station

The Raspberry PI can act as a great enrollment station for Yubikey and Nitrokey.

Using the Yubikey and the Nitrokey with privacyIDEA is great. With the privacyIDEA admin client you can initialize the secret seeds on both devices and thus achieve the highest trust with privacyIDEA. The vendor does not generate the seeds anymore: you do.

But to initialize these devices you need some drivers on your system. This is why it can be a good idea to set up a dedicated enrollment station. This integration guide takes you through the steps of setting up a Raspberry PI 3B as an enrollment station. Thanks to the form factor this enrollment station looks like a simple smartcard reader on your desk. You connect it to the LAN and power and you are done.

You connect with SSH (e.g. via putty or any other SSH client) to the enrollment station and issue a single command to initialize the tokens.

Putting Ubuntu 16.04 on the Raspberry PI

We are choosing Ubuntu 16.04 since it comes with the correct versions of all necessary drivers. Ubuntu Mate is available as 16.04 for the Raspberry PI 3.

You need to download the image and write it to the SD card. Please see the notes on the Ubuntu Mate page on how to do this on either Linux or Windows.

After writing the SD card, insert the SD card in the Raspberry PI, connect power, monitor, keyboard and mouse and boot into the system.

Preparing for Yubikey

Install the following packages to be able to enroll the Yubikey.

apt-get install yubikey-personalization python-sqlite python-requests \
                python-usb python-cffi python-enum python-yubico libykpers-1-1

Preparing for Nitrokey

The Nitrokey driver is not contained in the Ubuntu repositories. But you need to install the following prerequisites:

apt-get install libhidapi-dev git

You need to use the Nitrokey library available at GitHub:

git clone https://github.com/nitrokey/libnitrokey
cd libnitrokey
git checkout v1.0
make CXX=g++

After the successful build, simply copy the Nitrokey library to a system directory.

cp build/libnitrokey.so /usr/lib

Install privacyIDEA admin client

You need the privacyIDEA admin client to enroll the Yubikey and Nitrokey.

add-apt-repository ppa:privacyidea/privacyidea
apt-get update
apt-get install privacyideaadm

Enrolling Tokens

To enroll Yubikeys you can now issue the command

privacyidea -U https://your.privacyidea.server --admin super token yubikey_mass_enroll

where “super” is the name of your administrator. If you do not have a trusted certificate during your tests, you might use the option “--nosslcheck”.

This command will enroll the connected Yubikey and ask you to insert the next Yubikey. It will initialize Yubikeys and create new token objects in privacyIDEA until you hit Ctrl-C to exit the program.

To enroll Nitrokeys you can run the command

privacyidea -U https://your.privacyidea.server --admin super token nitrokey_mass_enroll

Ease your life

You will log in to the enrollment station via SSH when you mass enroll tokens. You may find it tedious to enter all the parameters. Thus you can use a configuration file for the admin client. Create a file “yubikey” with all the parameters as content, one per line:

-U
https://172.16.200.108
--admin
super
token
yubikey_mass_enroll

and now you can easily enroll tokens with the command

privacyidea @yubikey

The “@yubikey” will read the parameters from the file “yubikey”. In the same way you can create a file for enrolling Nitrokeys.

If you need to deploy a huge number of OTP tokens to your end users, this is often a tricky challenge. The two factor authentication with these enrolled tokens can only be as secure as the enrollment process itself. Often a simple password is not enough to let the user enroll or assign a token as second factor. If an attacker gets hold of the user's password, the attacker can easily enroll a token for himself and thus get access with two factors.

In this case the user has to be identified securely with an additional step. Sending a postal letter with a registration code may help. Thus the user can only enroll a two-factor OTP token if he knows the password and has physical access to the letter box where he will find the registration code.

privacyIDEA provides the possibility to use such a registration code enabling you to secure the automated deployment process with a huge number of users.


NetKnights helps you plan your authentication infrastructure and design workflows that fit your requirements.