PrivacyIdea Android App does not work with "Xiaomi Mi Note 10"


a user was unable to use the PrivacyIdea App in Android with a “Xiaomi Mi Note 10” device.

The app reports, that this device is not supported since a securte storage of tokens is not possible.
A German screenshot is attached.


This is a good thing!

Take a look here:

Sorry, you probably want to use a smartphone. So I forgot this link:

sorry - could not resist :wink:

Your post contained no question - just a true statement. So what should we do about this. If the device does not support storing token information, it will not work. The user can get another smartphone or a hardware token. Besides I do not see the problem?

Well, I see a problem. The app does not work on a Google Pixel 3a either (same reason). Maybe the app’s got a problem with Android 10 or of some other sort.

Okay, after some further tests it seems, that the Authenticator only fails on my Pixel 3a.

It works on another Pixel 3a (Android 10) and on a Pixel 2 XL (Android 10). So, Android 10 is definitely not the culprit.

The question is: What keeps the App from working on my Pixel 3a?

A few more hints: I had the app installed and it worked. I tested it with some TOTP-Tokens and since I did not see any advantage over other authenticators I uninstalled it. Then, after starting to test PUSH-Tokens I reinstalled it because these won’t work with other apps. So only the ‘second instance’ does not work.

Fixed it. Deleting cache and app data did the trick.

That’s fine, but it definitely leaves some work to do for the developers because the error message was as wrong as wrong can be.

I installed it on my Redmi Note 5 and it worked. After a system-update I also get this message, but deleting cache, app data, re-installing etc doesn’t do the trick.

Just unlock the bootloader and install a third party ROM.
I have a rooted Redmi 5 Plus (different name of the same phone) running Pixel Experience ROM.
The app works just fine…

I have installed latest crDroid 9 because auf Android4work. After an android-update the app stopped working.

I haven’t used crDroid on vince (last time did it on Nexus 5)…

@AAuer @henry @christophm
We are currently developing a new app based on the flutter framework. We are basically doing this to provide easy customization for customers who subscribe to an SLA.
The current status of the App is, that is does not support the Push Token yet, but basiclly all other token types - I think also 2step enrollment.
You can checkou the beta test here:

I’m using the latest PI to authenticate users to a Cisco ASAv.(using AnyConnect).
All servers are VMs running on a Dell R740 cluster; time synced to the ESXi host they run on.

Every user (total number under 20) has three different OTP options to chose from:

  1. Yubikey AES
  2. push (Firebase) - when the Yubikey is not at hand
  3. TOTP - when no Yubikey and not online.

Everything is simple and straightforward with Yubikeys and TOTP/HOTP.
You enter Group (if any), username and the password in the form of PINsecret.
Where the secret is either the TOTP/HOTP code (entered manually) or the Yubikey hash sent over by touching the golden circle on the physical key…

When push is the chosen option, the process is much less intuitive and a bit awkward…
You first enter the same Group (if any), username and password in the form of PIN only (!).
Press Enter (or click OK).
A second screen pops up around the same time you get the push notification on your phone.
To complete the login you have to touch Allow on your phone (inside the PI app).
And after that you have to press OK on the second popped up AnyConnect window.
Without having entered anything in it!

Not really intuitive…

Can this process be customized?
Can one send a sort-of “Enter command” at the end of the Allow press on the phone…?

Is it really possible to do on the PI end or is this the Cisco ASA behavior?


The Cisco ASA does not know the privacyIDEA Authenticator Push App.

The Push App communicates with the privacyIDEA server directly and answers the challenge. The challenge is marked as successfully answered directly in privacyIDEA.

An application, that is aware of the Push token, would simply poll the privacyIDEA server, if the challenge is correctly answered and let the user in without any interaction.
We do this in our Plugins.
but: The ASA does simple RADIUS protocol, so this can not work out.

You might consider taking a look at the push_wait policy.

Thank you, Cornelius. I think I get the idea…

I have one more follow-up (related) question: can I have ALL token options behave like the push token does?

Namely: enter Group/Username/Password; the latter as a PIN only. The second window pops up.
In this window you enter your TOTP code, Yubikey hash or press Allow on your mobile when using the push token. And click Continue (if needed)…

As it stands right now, neither TOTP nor Yubikey will work this way…

Maybe this is what duyphung meant by splitting authentication into two windows?

Yes you can, if your application (ASA) sends the username and password a.k.a. pin to the privacyIDEA server in the first step.

You can configure the TOTP and the Yubikey (HOTP? or AES?) to be treated as a challenge response token by privacyIDEA:

Thank you, Cornelius.
I’ll try that to make the login procedure token-agnostic…

1 Like