PrivacyIDEA
PrivacyIDEA is an open-source, self-hosted multi-factor authentication (MFA) server developed by NetKnights. It provides a highly flexible policy framework and supports a wide range of authenticators including WebAuthn/FIDO2, passkeys, push notifications, TOTP/HOTP, SMS/email OTP, YubiKey, and more.
Key Capabilities
- FIDO2/WebAuthn & passkeys: Introduces native WebAuthn tokens (since v3.4) and a Passkey token type (since v3.11) for phishing-resistant authentication. Supports offline WebAuthn (from v3.10) for environments with intermittent connectivity.
- Flexible authenticator options: Includes Push tokens via the privacyIDEA Authenticator app, TOTP/HOTP, SMS/email OTP, and hardware tokens such as YubiKey.
- Policy engine: Provides granular control over enrollment, challenge/response behavior, token type conditions, and passthrough configurations. Admins can define fine-tuned authentication workflows and enrollment restrictions per user, group, or realm.
Limitations
- Not an IdP: privacyIDEA does not issue SAML or OIDC tokens. It is an MFA and policy engine, not a full identity provider.
- No confirmed SCIM/lifecycle API: Documentation centers on MFA and token management; there is no evidence of general-purpose SCIM 2.0 provider or consumer endpoints.
- Policy pitfalls: Some settings (e.g., passthru or passOnNoToken) can bypass MFA during migration or fallback scenarios, so careful configuration is required.
- Operational management: Being self-hosted, administrators handle installation, updates, HA setup, and plugin integration. Commercial support and enterprise packaging are available from NetKnights.
- WebAuthn nuances: Browser behavior, relying-party identifiers, and hardware key compatibility can affect enrollment or login; vendor documentation provides troubleshooting guidance.