Bypass Privacy Idea

Hi!!! I have a question on following case; and I am referring to the windows authentication part and privacy idea credentials providers is installed as a default provider where other local users are not available.
I provided NotokenPin for specific user administrator in Policy where 2FA is bypassed and user is able to login to windows but what will be the solution incase for following:


Work From Home Scenario (Privacy idea will not be reachable since it has a private IP); Although i can make it public and give it a try but how can we address the second case below:


If user wants to login to his/her PC without network connection; PI will not have any connection. User is completely disconnected from the network.
Note: In AD; although the user is disconnected from network he/she can login until there is cache right?? So, is there any solution in privacy idea too?

you will have to assign an HOTP token to a machine in privacyidea. Then you have to do 1 online authentication with the credential provider so the HOTP values can be “downloaded”.
After that, you can authenticate on windows offline as long as you have offline hotp values left.

The difference between AD and privacyidea is that the password in AD is static, which allowes easy caching. The second factor for privacyidea is generated based on a counter or the current time (therefore it is dynamic and cannot be cached easily).

Thanks for the information. I tried using HOTP but it didn’t worked. After disconnecting network in my PC; i tried login in offline environment but it displays “The server is unreachable or available” after PIN + OTP (second factor) step.
Is there any solution if a user wants to use laptop/PC (configured with Credentials Provider in default provider mode) from his/her home? Since, the user will be completely disconnected at that time from the privacy idea server. I am just curious about this.

  • Can we make privacy idea server publicly accessible and configure 2FA for remote users?
    Is this possible? Also, what’s the default port of privacy idea server to which credentials provider configured PC connects? Is it same 443???
  • What will be the scenario if the user is completely disconnected from his/her work environment? (referring to Credentials Provider configured in default provider mode). If we don’t configure in default provider mode; we can login through local users and other user of PC itself right?? But, what’s the case for credential provider in default mode?

Did you do the setup and then 1 online authentication like i described? You should have a offlineFile.json on C:\ if it worked properly. If you are using offline, you can not enter the PIN before the OTP, only the OTP.

That is the solution to it. You can only have a certain amout of offline OTP values stored in the CredentialProvider. If they are depleted, you have to do an online authentication to download new OTP values again.

The default port is 443.

If you dont use the credential provider in default mode, you can log in with the system credential provider - this might be useful for testing your setup and only activate default mode if everything works otherwise you might lock yourself out.

If you want real help with all your problems you might consider getting some consulting to do it correctly.

Thanks, i have successfully tested in my lab. What i did was:

. allowed PrivacyIdea Server publicly and configured client using the same public IP.
. Since AD cached the user session and password; no problem was seen in backend connection from PI Server to the AD even if i am not within my network.

Thanks for your support.