Email OTP never expires after its validity time

I have configured the validity time for the Email OTP token to be 1 min, and I have tried to use this OTP after its validity time. Actually, I tried it after 4 hours and it works.
Is there anything wrong I have done?


  • Which version of privacyIDEA are you running?
  • What is your setup?
    • Are you using a PIN or are you doing trigger challenge?
    • => What is your otppin policy?

privacyIDEA 3.4.1
I’m doing trigger challenge

This sounds like a known side effect.

You can either

  • set an OTP PIN for the token or
  • update to version 3.5(.1)

OK, but I’m a little confused about the OTP PIN, as I’m using Keycloak for authentication and privacyIDEA for 2FA with trigger challenge and an email OTP.
Can you guide me?

I am also facing the same problem. I am using PI version 3.5 and using trigger challenge without an OTP PIN.
I have set the OTP validity time to 60 (seconds), but the email OTP never expires; it is validated even after 60 seconds.