Kassel, 07.04.2026 – The latest version 3.13 of multi-factor authentication software privacyIDEA is available. The most significant new feature is the expanded support for passkeys. As a result, users can now register passkeys on Windows and Linux. Support for the RADIUS protocol has been improved for the push token. Visually, the new WebUI is now available as a beta version.

Passkey registration during sign-in with offline functionality

With version 3.13, users in Windows and Linux environments can register a passkey directly during the login process. This passkey is then available for offline authentication on the corresponding device. Administrators can control this process specifically through policies. The advantage lies in a significantly simplified rollout process: Neither administrators nor help desk users need to be actively involved in the deployment process. This makes the introduction of new tokens less subject to errors and requires less support, while offering greater comfort for users.

Push authentication with code-based authentication for RADIUS

A new policy improves the use of push tokens in RADIUS-based scenarios such as VPNs or firewalls. The user confirms the login on their smartphone and then enters a numeric code displayed in the app into the login screen. This ensures that the user is directly involved in the login process. At the same time, the authentication is cryptographically secured and offers a significant security advantage over TOTP-based methods.

Beta version of the new WebUI is now available

The modernized user interface of privacyIDEA is now available in its full functionality as a beta version. In addition to the existing self-service area, it also includes the administrator view. In version 3.13, however, the previous WebUI remains the default interface. Users can test the new user interface and provide feedback. In version 3.14, the new WebUI will then be activated as the default interface.

All other changes are listed in detail in the changelog on GitHub. All components of privacyIDEA are also being further developed there under the leadership of NetKnights GmbH as open-source software under the AGPLv3.

Availability

The new version 3.13 of privacyIDEA is now available via the Python Package Index and in the community repositories for Ubuntu 22.04 and 24.04.

Therefore, we invite you to attend the following online webinar:

“Offline Authentication with privacyIDEA” on April 9, 2026

In these free online event, we will show you how you can use privacyIDEA for offline authentication.

In addition, Cornelius Kölbel, Founder of privacyIDEA with more than 25 years of experience in the field of multi-factor authentication, will answer your questions.

Take advantage of this opportunity to gain new insights for your authentication project and get answers to your questions!

Dates & Time

• Offline Authentication with privacyIDEA (09.04.2026, 5:00 pm – 5:45 pm CEST)

Secure your spot and learn more about MFA with privacyIDEA!

Registration via: https://netknights.it/en/privacyidea-webinar-anmeldung/

Therefore, we invite you to attend the following online webinars:

“privacyIDEA as a replacement for DUO and Okta” on March 12 and “Management of SSH Keys with privacyIDEA” on March 24.

In these free online events, we will show you how you can use privacyIDEA to design your authentication processes flexibly, securely, and independently.

In addition, Cornelius Kölbel, Founder of privacyIDEA with more than 25 years of experience in the field of multi-factor authentication, will answer your questions.

Take advantage of this opportunity to gain new insights for your authentication project and get answers to your questions!

Dates & Time

• privacyIDEA as a Replacement for DUO and Okta (12.03.2026, 5:00 pm – 5:45 pm CET)
• SSH Key Management with privacyIDEA (24.03.2026, 5:00 pm – 5:45 pm CET)

Secure your spot and learn more about MFA with privacyIDEA!

Registration via: https://netknights.it/en/privacyidea-webinar-anmeldung/

Therefore, we invite you to attend our free online webinars:

“Central MFA with privacyIDEA” on February 10 and “privacyIDEA Basics” on February 26.

In these free online events, we will show you how you can use privacyIDEA to design your authentication processes flexibly, securely, and independently.

In addition, Cornelius Kölbel, Founder of privacyIDEA with more than 20 years of experience in the field of multi-factor authentication, will answer your questions.

Take advantage of this opportunity to gain new insights for your authentication project and get answers to your questions!

Dates & Time

• Central MFA with privacyIDEA (10.02.2026, 5:00 pm – 5:45 pm CET)
  
• privacyIDEA Basics (26.02.2026, 5:00 pm – 5:45 pm CET)
  

Secure your spot and learn more about MFA with privacyIDEA!

Registration via: https://netknights.it/en/privacyidea-webinar-anmeldung/

Kassel, 9 September 2025 – IT security company NetKnights has released version 3.12 of its open-source multi-factor authentication solution privacyIDEA. The new version integrates a user resolver for Entra ID and Keycloak. For the first time, users can get a preview of the fundamentally redesigned WebUI. Enhanced smartphone container functions enable efficient token management.

User Resolver for Entra ID and Keycloak

privacyIDEA 3.12 introduces user resolvers for Entra ID and Keycloak. Administrators can retrieve user data directly from these directory services and assign tokens to them in privacyIDEA. This enables seamless token management, even in hybrid infrastructures consisting of on-premises and cloud environments.

Preview of modernised WebUI

The privacyIDEA user interface is being extensively modernised and will be available from version 3.13 . Version 3.12 offers a preview function of the new WebUI for user self-service and the administrator view. This provides a preview of the improved token overview, which allows tokens to be managed more efficiently. Users can test the new interface and provide feedback; based on this, the new WebUI’s user-friendliness will be further refined.

Enhanced Smartphone Container Functions

The smartphone container functions were expanded in version 3.12. Containers can be rolled out during authentication. Additionally, smartphone containers can be rolled out using the password of the user store as a registration code – in combination with the Authenticator app from version 4.6.0 onwards. This secures the rollout process without requiring an additional password.

Policy and Condition Improvements

Numerous improvements have been made to existing policies to enable more precise configuration. In addition, new conditions have been added and their handling has been refined.

Version 3.12 of privacyIDEA lays a modernised, future-oriented foundation for upcoming releases and prepares the software both technically and conceptually for the next development steps.

All other changes are listed in detail in the Changelog on GitHub. At this point, all components of privacyIDEA are also being further developed as open source software under the AGPLv3 under the leadership of NetKnights GmbH.

Availability

The new version 3.12 of privacyIDEA is now available via the Python Package Index and in the community repositories for Ubuntu 22.04 and 24.04.

About privacyIDEA

privacyIDEA is an open source multi-client and multi-instance capable system for multi-factor authentication. The development is made transparently on Github. Installations and updates are easily possible via the Python Package Index or via repositories for Ubuntu. A few weeks after the respective community major release, NetKnights GmbH publishes an enterprise release for Ubuntu LTS and RHEL/CentOS.

Therefore, we invite you to attend our free online events

“Central MFA with privacyIDEA” on August 19 or 28 and “privacyIDEA – Your replacement for DUO and OKTA” on September 16.

In these free online events, we will show you how you can use privacyIDEA to design your authentication processes flexibly, securely, and independently.

In addition, Cornelius Kölbel, CEO of NetKnights with more than 15 years of experience in the field of multi-factor authentication, will personally answer your questions.

Take advantage of this opportunity to gain new insights for your authentication project and get answers to your questions!

Dates & Time

19 August, Central MFA with privacyIDEA, 3 pm-3:45 pm Central European Time

28 August, Central MFA with privacyIDEA, 7pm-7:45 pm Central European Time

16 September, privacyIDEA – Your replacement for DUO and OKTA, 7 pm-7:45 pm Central European Time

Secure your free spot and learn more about MFA with privacyIDEA!

Registration via: https://netknights.it/privacyidea-webinar-registration

We look forward to your participation. If you have any further questions about the webinars, do not hesitate to contact us via marketing@netknights.it

Extended container functions, passkeys as new token type & RSS-Newsfeed

The IT security company NetKnights releases version 3.11 of the professional multi-factor authentication software privacyIDEA. Extended container functions for the smartphone enable efficient synchronization and management of tokens. Passkeys are available as a new authentication method. An RSS newsfeed has also been introduced to inform administrators about updates, patches and events.

New functions for token containers

Version 3.11 of privacyIDEA offers new functions for the smartphone as a token container, which simplify the management of tokens. For scenarios such as the change to a new smartphone or the loss of a device, privacyIDEA now offers a container rollover. This allows an administrator to create a rollover QR code for an old container. If the user scans the QR code with the new device, the tokens are automatically transferred.
It is also possible to register containers with the server and roll out the defined tokens to the smartphone in a single step. As soon as the container is registered, the administrator can add and delete tokens. It is also possible to delete and block token containers completely.

Passkeys as a new token type

A new feature of version 3.11 of privacyIDEA is the introduction of passkeys as a token type. Passkeys are cryptographic key pairs that are stored locally on the device. They are resistant to a wide variety of phishing attacks, which increases user security. Users benefit from a simplified login process as they can authenticate themselves without having to enter a user name. Passkeys also enable seamless integration across different devices, increasing flexibility for the user.

Introduction of an RSS newsfeed

An RSS newsfeed has been integrated into the privacyIDEA user interface. Administrators can subscribe to this newsfeed and find out about updates, patches or webinars.

All other changes are listed in detail in the Changelog on GitHub. At this point, all components of privacyIDEA are also being further developed as open source software under the AGPLv3 under the leadership of NetKnights GmbH.

Availability

The new version 3.11 of privacyIDEA is now available via the Python Package Index and in the community repositories for Ubuntu 20.04, 22.04 and 24.04.

About privacyIDEA

privacyIDEA is an open source multi-client and multi-instance capable system for multi-factor authentication. The development is made transparently on Github. Installations and updates are easily possible via the Python Package Index or via repositories for Ubuntu. A few weeks after the respective community major release, NetKnights GmbH publishes an enterprise release for Ubuntu LTS and RHEL/CentOS.

Further information on the latest developments relating to privacyIDEA can be found at https://netknights.it/en/news/.

Token organization in container, WebAuthn Offline and extendes PUSH-Login available

The IT security company NetKnights has released version 3.10 of the professional multi-factor authentication software privacyIDEA. The organization of tokens in containers enables user-friendly and clear token management. As a new authentication method, WebAuthn can now also be used offline in version 3.10. Furthermore, authentication using PUSH tokens has been extended. The new version is now available via the Python Package Index and in the community repositories for Ubuntu 20.04 and 22.04.

Support of WebAuthn Offline Token

A new feature is the support of WebAuthn tokens for offline authentication. With the implementation of WebAuthn offline tokens, users can authenticate themselves securely independently of their location, e.g. with their laptop while on the train. The tokens can be used offline across devices, whereby the functionality of the tokens is maintained in the same way in online mode. This contributes to seamless integration into existing IT security structures and optimizes user flexibility.

Token Management through containers

In version 3.10 of privacyIDEA, users can organize their authentication tokens in containers. These offer a clear method for organizing and managing tokens. This new function allows users to structure their tokens according to different characteristics and group them together in a container. For example, it is possible to organize professional and private tokens separately or to combine tokens for certain applications in one container. The containers thus help to create a clearer structure and make it easier to manage the tokens.

Authentication via PUSH token has been extended in version 3.10 of privacyIDEA. A letter or number is displayed in privacyIDEA during authentication using a PUSH token. At the same time, a selection of different letters or numbers appears in the Authenticator app. The correct answer must then be selected for successful authentication. This additional security measure is optional and can also be applied to existing PUSH tokens.

All further changes are listed in detail in the changelog on GitHub. At this point, all components of privacyIDEA are also being further developed as open source software under the AGPLv3 under the leadership of NetKnights GmbH.

Availability

The new version 3.10 of privacyIDEA is now available via the Python Package Index and in the community repositories for Ubuntu 20.04 and 22.04. In addition, NetKnights GmbH offers the Enterprise Edition with support for Ubuntu LTS, RHEL 8 and 9 as well as derivatives and an appliance tool and carries out contract development for special requirements.

About privacyIDEA

privacyIDEA is an open source multi-client and multi-instance capable system for multi-factor authentication. It is developed transparently on Github. Installations and updates are easily possible via the Python Package Index or via repositories for Ubuntu. A few weeks after the respective community major release, NetKnights GmbH publishes a stable enterprise release for Ubuntu LTS and RHEL/CentOS.

We are pleased to be able to release privacyIDEA 3.9. This release is an example of how privacyIDEA is ment to centrally manage all you authentication in one place – since successful authentication is a matter of smooth workflows.

privacyIDEA aims to be a management system where the administrator can easily manage the authentication topic for the users. You as an administrator can manage the OTP tokens (TOTP, HOTP apps, Yubikeys), tokentype like SMS or Email, even FIDO2. All you need for two factor authentication.

And privacyIDEA is able to also verify the first factor. The static password.

Old authentication – new token types

But sometimes you might see, that two factor authentication does not work out as expected. That applications do not play well with FIDO2/WebAuthn. Yes, sometimes applications do not play well even with OTP tokens. Take an Email client, that caches the user password and sends it, every time it fetches the emails from the server. The request will fail if it is sent with the same OTP value a second time.

Successful Authentication is not always a matter of choose the most modern cryptographic algorithm or the latest authentication method.

Sometimes there is an old, nasty application that refuses to work well with the 2FA method you are enrolling in your company. But privacyIDEA wants to help you as administrator to manage all these challenges in one system.

With privacyIDEA 3.9 we introduce two new token types which might sound old and insecure, but which are supposed to enable you to take a step forward, even if some old applications want to hold you back.

The application specific password token is simply a static password that can be bound to a specific application. The old application will send an authentication request against privacyIDEA and privacyIDEA will realize, that this auth request originated from this application and allow such application specific password tokens enrolled for this application to be used for authentication. A user can have a specific password for e.g. his email client, save this in his smartphone and privacyIDEA will accept this only for login requests by this email client resp. mail server.
You may check the conceptual evolution of this feature on Github.

The day password token is a similar quirky thing. In certain situations having an OTP token that changes all 30 seconds or 60 seconds may be to changeable for some users or use cases. But using no second factor and relying on a never changing static password is also not an option.

Why not have a token, that can be used for one hour? Or one day? The day password token in privacyIDEA 3.9 is a token type with a variable time window between one second and many days. During this time window the given code is valid during the whole time window and can be used as often as needed. It is similar to TOTP (in fact it is inherited from the TOTP token class), but has the above mentioned special effects.

This token type has its counter part in the privacyIDEA Authenticator App, which you can find in the Google Play Store and Apple App Store. The day password token is supported in the privacyIDEA Authenticator App starting with version 4.2.

Improving SSH Key Management

Managing SSH keys has been a bit cumbersome in the past. You as the administrator had to assign each SSH server to the SSH key, so that the user could use the SSH key to log to this server.

With privacyIDEA 3.9 you can now define service identifiers, which represent the servers. E.g. you could define an identifier “web servers” and assign SSH keys to this identifier.

Now you can simply have the SSH server identify as “web servers” to allow the login with this SSH key. This way it is easy as configuring the corresponding server, to add a new SSH server to the “web servers”.

The helper script privacyidea-authorizedkeys, which is supposed to run on the SSH servers has been modified so that it queires privacyIDEA for the corresponding service identifier.

Changelog

A new event handler can set the application assignment during enrollment. This helps with definding HOTP tokens as Offline-Tokens for the privacyIDEA Credential Provider. The PUSH token can do a decline, so that the authentication process is cancelled.

You can find the complete changelog at Github.

Install and Update

You can download and update privacyIDEA 3.9 via the community repositories for Ubuntu 20.04LTS and Ubuntu 22.04LTS or via the Python Package Index.

If you want to get involved, you can join the discussion at the Forum or coding at Github.

We are happy to inform you, that we released privacyIDEA 3.8 today. 3.8 is an important milestone, since we start to support the Yubikey as a smartcard, that can also be used to login to Windows domains.

Support for smartcard login on Windows systems

privacyIDEA 3.8 can manage the Yubikey as a smartcard that holds a smartcard logon certificate. To obtain the smartcard logon certificate, the privacyIDEA server has a new certificate connector to communicate to all Microsoft Active Directory Certiticate Services in the connected Windows domain.

Thus the certificate on the Yubikey can directly be obtained from the Micrsoft CA but be managed within privacyIDEA.

Rollout during authentication

privacyIDEA supports Multi-Challenge-Response for a while. This mechanism can be used to reset an OTP PIN or authenticate with 4-eyes tokens or index-secret tokens.

In version 3.8 this same mechanism can now be used to enroll a token during authentication. The administrator can define a policy, which token type should be enrolled by the user. In several challenge-response steps thus the user can enroll HOTP, TOTP, email, SMS or PUSH tokens. Email and SMS tokens can even be enrolled in standard applications like the Netscaler.

HOTP, TOTP and PUSH enrollment require the application to display a QR code. This mechanism will be supported by all privacyIDEA plugins for e.g. Keycloak, simpleSAMLphp or ADFS.

Fast login, fast debugging, token groups

Using a new “preferred client mode” the administrator can define, which should be the preferred way for a user to authenticate, in case the user has more than one token type.

The audit log has been greatly improved for bug tracking. It now also records the thread ID of an API request.
Since the threat ID is also contained in the debug log file, this is a great handle to find the relevant detailed information to a specific request in the logs.

privacyIDEA 3.8 comes with the new conecpt of “token groups”. We plan to use this to improve SSH key management and the management of offline tokens.

For more details see the changelog at Github.

Install or Update

You can download and update privacyIDEA 3.8 via the community repositories for Ubuntu 18.04, 20.04 and now also 22.04 or via the python package index.