Starting with version 3.4 privacyIDEA supports WebAuthn tokens. The administrator or the user himself can register a WebAuthn device and use this WebAuthn token to login to the privacyIDEA WebUI or to authenticate against applications.

When enrolling the token, a key pair is generated and the public key is sent to privacyIDEA. During this process, the user needs to prove that he is present, which typically happens by tapping a button on the token. The user may also be required by policy to provide some form of verification, which might be biometric or knowledge-based, depending on the token.

The devices is identified and assigned to the user.


This is a normal token object which can also be reassigned to another user.


As the key pair is only generated virtually, you can register one physical device for several users.

For configuring privacyIDEA for the use of WebAuthn tokens, please see WebAuthn Token Config.

For further details and information how to add this to your application, see the code documentation at WebAuthn Token.