6.3. Token types in privacyIDEA

The following list is an overview of the supported token types. For more details, consult the respective description listed in Tokens. Some tokens require prior configuration as described in Token type details.

  • Four Eyes - Meta token that can be used to create a Two Man Rule.

  • Certificate Token - A token that represents a client certificate.

  • Day Password Token - The DayPassword Token is a time based password loosely based on the TOTP algorithm which can be used multiple times.

  • Email - A token that sends the OTP value to the email address of the user.

  • HOTP Token - event based One Time Password tokens based on RFC4226.

  • Indexed Secret Token - a challenge response token that asks the user for random positions from a secret string.

  • Daplug - A hardware OTP token similar to the Yubikey.

  • mOTP Token - time based One Time Password tokens for mobile phones based on a public algorithm.

  • OCRA - A basic OATH Challenge Response token.

  • Paper Token (PPR) - event based One Time Password tokens that give you a list of one time passwords on a sheet of paper.

  • Push Token - A challenge response token that sends a challenge to the user’s smartphone; the user simply accepts the request to log in.

  • Password Token - A password token used for the lost token scenario.

  • Application Specific Password Token - This is an application specific password token based on the Password Token. It can be used to provide a static password for specific services or applications where, for example, one time passwords are not suitable.

  • Questionnaire Token - A token that contains a list of answered questions. During authentication a random question from the list of answered questions is presented as the challenge. The user must give the right answer.

  • Registration - A special token type used for enrollment scenarios (see Registration Code).

  • RADIUS - A virtual token that forwards the authentication request to a RADIUS server.

  • Remote - A virtual token that forwards the authentication request to another privacyIDEA server.

  • SMS Token - A token that sends the OTP value to the mobile phone of the user.

  • Spass - Simple Pass Token - The simple pass token. A token that has no OTP component and just consists of the OTP pin or (if otppin=userstore is set) of the userstore password.

  • SSH Keys - An SSH public key that can be managed and used in conjunction with the Machines concept.

  • TAN Token -

  • TiQR - A Smartphone token that can be used to log in by only scanning a QR code.

  • TOTP - time based One Time Password tokens based on RFC6238.

  • U2F - A U2F device as specified by the FIDO Alliance. This is a USB device to be used for challenge response authentication.

  • VASCO - The proprietary VASCO token.

  • WebAuthn - The WebAuthn or FIDO2 token which can use several different mechanisms like USB tokens or TPMs to authenticate via public key cryptography.

  • Yubikey - A Yubikey hardware initialized in the AES mode, that authenticates against privacyIDEA.

  • Yubico - A Yubikey hardware that authenticates against the Yubico Cloud service.

6.3.1. Token type details

Detailed information on the different token types used in privacyIDEA can be found in the following sections.