Enforce MFA per new device

We are using the privacyIDEA REST API from our identity provider application to add an MFA flow on login.
Our requirement is to authenticate the user’s credentials after verifying the OTP. User info and credentials exist in our existing system, so we are using an HTTP resolver for this need.

Questions:

  • Does privacyIDEA support checking the user’s device or computer and remembering it, and enforcing OTP only if the user is logging in from another device?
  • Certain APIs like /validate/check, used to generate or validate an OTP, are open endpoints. Is that by design? Do they not need to be secured as well?

No.

privacyIDEA does not generate OTPs. In the case of challenge-response it sends OTP values to the user, but it does not return these via the API!

Yes, it is by design. The login window of an application is also accessible without restriction.

However, you could limit access via IP or use an auth JWT.
But the 2nd one is really very uncommon.

Thanks @cornelinux for clarifications.
Regarding the 1st point: is it usual to use some other tool together with privacyIDEA to support the OTP flow based on conditions?

Regarding the 2nd point:
In my flow, I only created an HTTP resolver with an endpoint that returns the email address of a user, and created a token which calls the HTTP resolver (the user info endpoint) multiple times (not sure why, but that’s a separate question). Further, when I call /validate/check, it triggers the email as expected, but I was checking whether this endpoint can be secured so that no one can call it without authentication/authorization, as it can trigger emails to real users. The only option I see here from a security perspective is a PIN. Do we generally use the user’s password as the PIN here?
If this endpoint can be further secured, how can it be done with privacyIDEA so that no one can access this API to generate and send an OTP?

Hope I am making sense.
I appreciate your input!
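The challenge-response flow discussed above (PIN triggers the email OTP, OTP answers the challenge, then the identity provider checks the user's own credentials), as an added Python example that is not code from this thread or from the privacyIDEA project. It assumes the documented shape of /validate/check: a POST with `user` and `pass` that answers with `result.status`, `result.value` and, when a challenge is triggered, `detail.transaction_id`; the second call carries that `transaction_id` with the OTP in `pass`. The HTTP transport is replaced by a constructed in-memory fake so the example runs offline; the user database, PIN and OTP values are likewise constructed. The `/validate/check` calls are made only from the identity provider's backend, which is the place an IP allow-list (as suggested in the thread) would be applied, so the browser never reaches the endpoint directly.

```python
"""Identity-provider side of a privacyIDEA challenge-response login (added example)."""
import hmac
from typing import Callable, Dict, Optional

# --- constructed stand-in for the privacyIDEA /validate/check endpoint ---------
FAKE_PIN = "1234"      # constructed: token PIN configured on the fake server
FAKE_OTP = "987654"    # constructed: the OTP the fake server "emails" out
_open_transactions: Dict[str, str] = {}   # transaction_id -> user

def fake_privacyidea(path: str, data: Dict[str, str]) -> Dict:
    """Mimics the documented response shape; never returns the OTP itself."""
    assert path == "/validate/check"
    user = data.get("user", "")
    txid = data.get("transaction_id")
    if txid is None:
        # Step 1: a correct PIN triggers the challenge (OTP goes out-of-band)
        if hmac.compare_digest(data.get("pass", ""), FAKE_PIN):
            new_txid = f"tx-{len(_open_transactions) + 1:04d}"
            _open_transactions[new_txid] = user
            return {"result": {"status": True, "value": False},
                    "detail": {"transaction_id": new_txid,
                               "message": "Enter the OTP sent to your email"}}
        return {"result": {"status": True, "value": False},
                "detail": {"message": "wrong otp pin"}}
    # Step 2: the OTP answers the challenge; a transaction is single-use
    owner = _open_transactions.pop(txid, None)
    ok = owner == user and hmac.compare_digest(data.get("pass", ""), FAKE_OTP)
    return {"result": {"status": True, "value": ok}, "detail": {}}

Transport = Callable[[str, Dict[str, str]], Dict]

class PrivacyIdeaClient:
    """Thin wrapper around /validate/check; `transport` would be an HTTPS POST in production."""

    def __init__(self, transport: Transport):
        self._transport = transport

    def trigger_challenge(self, user: str, pin: str) -> Optional[str]:
        resp = self._transport("/validate/check", {"user": user, "pass": pin})
        if not resp["result"]["status"]:
            return None
        # Only a triggered challenge carries a transaction_id
        return resp.get("detail", {}).get("transaction_id")

    def verify_otp(self, user: str, txid: str, otp: str) -> bool:
        resp = self._transport("/validate/check",
                               {"user": user, "pass": otp, "transaction_id": txid})
        return bool(resp["result"]["status"] and resp["result"]["value"])

# --- identity provider side ----------------------------------------------------
USER_DB = {"alice": "correct-horse-battery"}   # constructed credential store

def check_password(user: str, password: str) -> bool:
    """Hypothetical check against the IdP's own store (constant-time compare)."""
    stored = USER_DB.get(user, "")
    return bool(stored) and hmac.compare_digest(stored, password)

def start_login(client: PrivacyIdeaClient, user: str, pin: str) -> Optional[str]:
    """First round trip: returns the transaction_id to carry into the OTP prompt."""
    return client.trigger_challenge(user, pin)

def finish_login(client: PrivacyIdeaClient, user: str, txid: str,
                 otp: str, password: str) -> bool:
    """Second round trip: OTP first, then the IdP's own credential check."""
    if not client.verify_otp(user, txid, otp):
        return False
    return check_password(user, password)

if __name__ == "__main__":
    client = PrivacyIdeaClient(fake_privacyidea)
    txid = start_login(client, "alice", FAKE_PIN)
    print("challenge:", txid)
    print("login ok:", finish_login(client, "alice", txid, FAKE_OTP, "correct-horse-battery"))
```

Because each transaction is popped on first use, a captured OTP cannot be replayed against the same transaction; the test below exercises that along with the wrong-PIN, wrong-OTP and wrong-password paths.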

There is no usual.
Your application has to work together with privacyIDEA.

I appreciate your input, @cornelinux.