• Manage your second factor in the cloud?
  • By Microsoft? By DUO aka Cisco?
  • Sync your secret keys (aka passkeys) via Apple?
  • Let's keep the secrets where they belong!

Centrally/On-Prem managed

Multi Factor Authentication

with

privacyIDEA

FOSS North, Gothenburg, Sweden, 2025-04-15

Cornelius Kölbel

privacyIDEA - history

  • Based on a system back in 2010 and thanks to RFC4226
  • Established in 2014 as an alternative to big commercial solutions under AGPLv3.
  • Enterprise ready most flexible MFA system.
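RFC 4226 is HOTP, the HMAC-based one-time password that the slides credit as the starting point. As an added example (not code from the talk or from the privacyIDEA project), here is the algorithm in Python together with a minimal server-side verifier: HMAC-SHA-1 over an 8-byte counter, dynamic truncation, reduction modulo 10^digits. The look-ahead window of 10 and the `HotpVerifier` class are assumptions for illustration; the shared secret is the test secret from RFC 4226 Appendix D, so the expected values can be checked against the RFC.

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP value for a shared secret and a moving counter."""
    # Step 1: HMAC-SHA-1 over the counter encoded as 8 bytes, big-endian.
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    # Step 2: dynamic truncation. The low 4 bits of the last byte select an
    # offset; take 4 bytes from there and clear the sign bit.
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    # Step 3: keep the last `digits` decimal digits, zero-padded.
    return str(code % 10 ** digits).zfill(digits)


class HotpVerifier:
    """Server side of HOTP (assumed helper, not privacyIDEA's token class).

    Holds the same secret as the device, which is why the scheme is symmetric:
    whoever has this state can also generate valid codes. The counter only
    moves forward, so an accepted code cannot be replayed, and a look-ahead
    window tolerates a device whose counter has run ahead of the server.
    """

    def __init__(self, secret: bytes, window: int = 10):
        self.secret = secret
        self.window = window
        self.counter = 0  # next counter value the server expects

    def verify(self, otp: str) -> bool:
        for c in range(self.counter, self.counter + self.window):
            # Constant-time comparison avoids leaking matching digits.
            if hmac.compare_digest(hotp(self.secret, c), otp):
                self.counter = c + 1  # resynchronise and burn the used value
                return True
        return False


# Test secret from RFC 4226 Appendix D (ASCII "12345678901234567890").
RFC4226_SECRET = b"12345678901234567890"

if __name__ == "__main__":
    for c in range(3):
        print(c, hotp(RFC4226_SECRET, c))
    v = HotpVerifier(RFC4226_SECRET)
    print("first use:", v.verify(hotp(RFC4226_SECRET, 0)))
    print("replay:", v.verify(hotp(RFC4226_SECRET, 0)))
```

The same secret on both ends is also what limits the offline OTP mode described later in the deck: a counter that is consumed on one client cannot be kept consistent with a second client, whereas a public key can be handed to any number of clients.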

Let's talk DESIGN

  • Developed at Github
  • The software stack
    • SPA, Webserver, REST, Python, SQL
  • Install: single node, redundancy, container

Most flexible

Abstraction of...

  • users
  • auth types
  • applications

No one knows what the future will bring --- or which old applications you will find in a dusty corner

Abstraction of users

  • Resolvers and Realms
  • flatfile, LDAP/AD, SQL (ownCloud, Nextcloud, Keycloak), HTTP, EntraID

Abstraction of Authentication Types (aka Token)

  • Base Class
  • Authentication modes - Challenge Response, Multichallenge, Enroll-via-Challenge
  • Paper, Text message, xOTP, x509, sshkeys, YK, FIDO2, Passkeys

Abstraction of Applications

  • REST API
  • Plugins: RADIUS, SSO/IdPs, Webapplications, PAM, Windows/CP, EntraID
  • Enroll auth device once centrally, use multiple times at different logins

My definition of application

  • Everything that is not privacyIDEA...
  • ...but that is connected to privacyIDEA.
  • ...where a user logs in: Keycloak, VPN, Web Application, PAM, Windows...

Policies

  • Behaviour of privacyIDEA
  • Scopes
  • Conditions: Different Authentication behaviour in different situations

It is about flexibility

Event Handlers

  • Link additional actions to API call
  • Handlers: UserNotification, Token, Script, Counter, Logging, WebHook, CustomUserAttributes, RequestMangler, ResponseMangler
  • Conditions

Recurring Tasks

  • Event Counter and simple stats
  • Currently used to create statistics
  • Can run on a distinct node

Webauthn, FIDO2 and Passkeys

  • FIDO2 - whole spec --- device and application
  • Webauthn - application part
  • Passkey --- special config of FIDO2

privacyIDEA: U2F (2015), Webauthn (2020), Passkeys (now)

Plugin privacyIDEA Credential Provider

  • Offline - OTP symmetric key
  • one client
  • no online

Plugin privacyIDEA Credential Provider

  • Offline - Webauthn - asymmetric!
  • several clients
  • online at the same time

Do you want to try it?

Install: Read the docs

Your next steps

  • Stay in control!
  • Use privacyIDEA!

    https://privacyidea.readthedocs.io

  • Talk about it!

    https://community.privacyidea.org

  • Contribute!

    https://github.com/privacyidea