Send Mail if failcounter exceeds a value

I am trying to set up an event which sends a mail if a tokenfailcounter exceeds a certain value (3 in this example). The screenshot below shows my config.


Unfortunately this event triggers every time a PIN fails, no matter what the failcounter value is. Any idea what I have missed? I tried to quote the >3 without success. The test user has 2 tokens, could this be a problem? Both values are below 3 and the event fires.
Another event I configured which sends a mail on every failed PIN works correctly.

thanks in advance,

Andrei

Hello and welcome to the community,

How does “a PIN fail”?

You mean the authentication fails? The PIN is the static password, that is entered before the changing OTP value.

Did you test whether this event handler works if the user only has one token?
Regards
Cornelius

Hello Cornelius,

thanks for your fast answer. I meant the OTP, not the PIN. As suggested by you I tried to remove one token (so that the user has only one) and everything is behaving as expected. So here is my summary:

  • User with 2 tokens (A, B): Mail is sent on every failed OTP, if failcounter A <= 3 or failcounter B <= 3, even if failcounter A + failcounter B <= 3
  • User with 1 token: Mail is sent only if failcounter > 3 (behaves correctly)

You can try to reproduce this problem, I used 2 TOTP tokens: a Yubikey TOTP and a regular one.

This works as programmed:

The problem is that if the user has several tokens and you enter a wrong PIN, all tokens “fail”.
And thus privacyIDEA does not identify a distinct token and cannot check the failcounter.

I expected privacyIDEA to iterate through the tokens and send a mail if a token failcounter exceeds the given threshold. Otherwise this event doesn't make any sense…
When sending a mail on failed OTP this works, I get the serial of both failed tokens.

The design of privacyIDEA is very modular. The event handlers occur in an independent context, where some information is not available.
I am sorry, if you can not see the sense in this handler.
But you are right, some handler combinations actually make no sense since it is possible to combine any logic and you could end up in situations, that do not seem logical.

It is the same with an alphabet. You can use the alphabet to form words like “laksopwq” which do not look as if they make sense. But saying that the alphabet does not make sense, would be the wrong conclusion.

It would be great if you looked at the code or if you’d open a GitHub issue/feature request with as many details, thoughts and references to the code as possible.

Thank you.

Thanks, I will take a look at the code.

I checked the code and actually it looks like the counter actions are not implemented completely.
Just take a look here.
The token_obj_list is only handled if len(token_obj_list) == 1. There are no more matches of this variable further in the code. So in fact all counter actions work only with one token.

I would like to create a GitHub issue, but this is more likely a bug and not a feature, right?

with regards,

Andrei
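As an added illustration (not code from privacyIDEA or from either poster), here is a small Python model of the two behaviours compared in this thread: a handler that evaluates the fail-counter condition only when exactly one token is in the list, next to one that evaluates the condition per token. The Token class, evaluate_condition and the handler functions are assumptions made for this example; the token serials and counters are constructed.

```python
"""Model of a per-token fail-counter event condition, as discussed in the thread.

Constructed example, not privacyIDEA's code. Token, evaluate_condition and the
two handler functions are illustrative names, not the project's API.
"""
import operator
import re
from dataclasses import dataclass

# Supported comparison operators for condition strings such as ">3" or "<=3".
_OPS = {
    ">": operator.gt,
    "<": operator.lt,
    ">=": operator.ge,
    "<=": operator.le,
    "=": operator.eq,
    "==": operator.eq,
}
_COND_RE = re.compile(r"^\s*(>=|<=|==|>|<|=)\s*(\d+)\s*$")


def evaluate_condition(value: int, condition: str) -> bool:
    """Evaluate a condition string (e.g. '>3') against an integer counter.

    Malformed conditions raise instead of silently matching, so a typo in
    the handler config cannot turn into 'fire on every request'.
    """
    match = _COND_RE.match(condition)
    if not match:
        raise ValueError(f"unsupported condition: {condition!r}")
    op, threshold = match.group(1), int(match.group(2))
    return _OPS[op](value, threshold)


@dataclass
class Token:
    serial: str
    failcounter: int


def handler_fires_single_token_only(tokens, condition: str) -> bool:
    """Model of the behaviour reported in the thread.

    The fail-counter condition is consulted only when exactly one token is
    in the list; with two or more tokens the check is skipped and the
    handler runs on every failed authentication, whatever the counters are.
    """
    if len(tokens) == 1:
        return evaluate_condition(tokens[0].failcounter, condition)
    return True  # condition never evaluated -> fires regardless of counters


def matching_tokens(tokens, condition: str):
    """Evaluate the condition for every token and return the serials that match.

    This is the per-token iteration Andrei expected: the handler should fire
    only when at least one token's fail counter satisfies the condition, and
    the returned serials tell the operator which token(s) tripped it.
    """
    return [t.serial for t in tokens if evaluate_condition(t.failcounter, condition)]


def handler_fires_any_token(tokens, condition: str) -> bool:
    """True when at least one token in the list satisfies the condition."""
    return bool(matching_tokens(tokens, condition))


if __name__ == "__main__":
    # Constructed sample: a user with two TOTP tokens, both counters below 3.
    user_tokens = [Token("TOTP0001", 1), Token("TOTP0002", 2)]
    print("single-token-only model fires:", handler_fires_single_token_only(user_tokens, ">3"))
    print("per-token model fires:", handler_fires_any_token(user_tokens, ">3"))
    print("matching serials:", matching_tokens(user_tokens, ">3"))
```

Running the script with the constructed two-token user shows the mismatch from the thread: the single-token-only model fires although neither counter is above 3, while the per-token model stays quiet until a counter actually exceeds the threshold, and then names the token that did.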