diff --git a/.gitignore b/.gitignore
index c7eb3b1..b1e6851 100644
--- a/.gitignore
+++ b/.gitignore
@@ -2,4 +2,7 @@
 .idea/
 .tox/
 venv*/
+build/
+dist/
+privacyidea_pam.egg-info/
 .coverage
diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
new file mode 100644
index 0000000..4fa8eaa
--- /dev/null
+++ b/.gitlab-ci.yml
@@ -0,0 +1,36 @@
+stages:
+  - test
+  - build
+  - deploy
+
+tox:
+  stage: test
+  image:
+    name: registry.server.mila.quebec/idt/images/tox:latest
+    entrypoint: [ '/bin/sh', '-c' ]
+  script: tox
+
+package:
+  stage: build
+  image: "python:2.7"
+  only:
+    refs:
+      - master
+  variables:
+    TWINE_USERNAME: "pypi_token"
+    TWINE_REPOSITORY_URL: "https://git.server.mila.quebec/api/v4/projects/83/packages/pypi"
+  before_script:
+    - pip install twine
+  script:
+    - python setup.py sdist bdist_wheel
+    - python -m twine upload dist/*
+
+# Production has to be triggered manually
+update_login_nodes:
+  stage: deploy
+  only:
+    refs:
+      - master
+  variables:
+    ANSIBLE_TAGS: '2fa'
+  trigger: idt/provisioning/environment
diff --git a/.travis.yml b/.travis.yml
index 1a06861..a6e598e 100644
--- a/.travis.yml
+++ b/.travis.yml
@@ -2,10 +2,6 @@ language: python
 sudo: false
 python:
   - 2.7
-  - 3.5
-  - 3.6
-  - 3.7
-  - 3.8
 
 # command to install dependencies
 install:
diff --git a/README.md b/README.md
index 7868f87..057f04b 100644
--- a/README.md
+++ b/README.md
@@ -1,37 +1,64 @@
 [![Build Status](https://travis-ci.org/privacyidea/pam_python.svg?branch=master)](https://travis-ci.org/privacyidea/pam_python)
 
 This module is to be used with http://pam-python.sourceforge.net/.
-It can be used to authenticate with OTP against privacyIDEA. It will also 
+It can be used to authenticate with OTP against privacyIDEA. It will also
 cache future OTP values to enable offline authentication.
 
 To be used like this::
 
+```
    auth   requisite    pam_python.so /path/to/modules/privacyidea-pam.py
+```
 
 It can take the following parameters:
 
-**url=https://your-server** 
+**url=https://your-server**
+
+   Default is https://localhost
 
-   default is https://localhost
-  
 **debug**
 
-   write debug information to the system log
-   
+   Write debug information to the system log
+
 **realm=yourRealm**
 
-   pass additional realm to privacyidea
-   
+   Pass additional realm to privacyidea
+
 **nosslverify**
 
    Do not verify the SSL certificate
-   
+
 **prompt=<Prompt>**
 
    The password prompt. Default is "Your OTP".
-   
+
+**api_token=<token>**
+
+   The API Token to access admin REST API for auto-enrolment. Requires the following Actions:
+   ``{ "enrollEMAIL": true, "enrollpin": true, "tokenlist": true }``
+
+**grace=<time>**
+
+   Grace time in minutes.
+
+**user_attribute=<uid,gid,gecos>**
+
+   Override the username to send to privacyIDEA with an attribute from the
+   user's password entry
+
+**users=<list,of,users>**
+
+   Comma-separated list of users to apply the plugin to.
+   If not specified, apply to all users.
+
 **sqlfile=<file>**
 
-   This is the SQLite file that is used to store the offline authentication 
+   This is the SQLite file that is used to store the offline authentication
    information.
    The default file is /etc/privacyidea/pam.sqlite
+
+**mysql=<uri>**
+
+   Use MySQL/MariaDB instead of SQLite to store refill/history tables.
+   URI form: mysql://username:password@host:3306/db_name
+   If absent, fallback to sqlfile
diff --git a/pam-test.sqlite b/pam-test.sqlite
new file mode 100644
index 0000000..59325a1
Binary files /dev/null and b/pam-test.sqlite differ
diff --git a/privacyidea_pam.py b/privacyidea_pam.py
index f132796..4594bc0 100644
--- a/privacyidea_pam.py
+++ b/privacyidea_pam.py
@@ -42,11 +42,19 @@
 import json
 import requests
 import syslog
-import sqlite3
 import passlib.hash
 import time
 import traceback
+import datetime
+import yaml
+import sqlite3
+import mysql.connector
+import re
+import pyqrcode
+import urllib
+import pwd
 
+SQLite = True
 
 def _get_config(argv):
     """
@@ -56,13 +64,37 @@ def _get_config(argv):
     :param argv:
     :return: dictionary with the parameters
     """
+    global SQLite
     config = {}
-    for arg in argv:
-        argument = arg.split("=")
-        if len(argument) == 1:
-            config[argument[0]] = True
-        elif len(argument) == 2:
-            config[argument[0]] = argument[1]
+    argv.pop(0)
+    if len(argv) == 1 and "config_file" in argv[0]:
+        with open(argv[0].split("=")[1], "r") as ymlfile:
+            config = yaml.load(ymlfile, Loader=yaml.SafeLoader)
+    else:
+        for arg in argv:
+            argument = arg.split("=")
+            if len(argument) == 1:
+                config[argument[0]] = True
+            elif len(argument) == 2:
+                config[argument[0]] = argument[1]
+    # User filter
+    if config.get("users") is not None:
+        config["users"] = config.get("users").split(',')
+    else:
+        config["users"] = []
+    # SQL Connection type/default
+    if config.get("mysql") is not None:
+        SQLite = False
+        mysql_settings = re.match("mysql://([^:]+):([^@]+)@([^:/]+):([0-9]+)/(.+)", config.get("mysql"))
+        config["sql"] = {
+            'user': mysql_settings.group(1),
+            'password': mysql_settings.group(2),
+            'host': mysql_settings.group(3),
+            'port': mysql_settings.group(4),
+            'database': mysql_settings.group(5)
+        }
+    else:
+        config["sql"] = config.get("sqlfile", "/etc/privacyidea/pam.sqlite")
     return config
 
 
@@ -71,6 +103,12 @@ class Authenticator(object):
     def __init__(self, pamh, config):
         self.pamh = pamh
         self.user = pamh.get_user(None)
+        self.username = self.user
+        self.user_attribute = config.get("user_attribute", False)
+        # User attribute for authentication if not username
+        if self.user_attribute:
+            self.get_user_attribute()
+        self.rhost = pamh.rhost
         self.URL = config.get("url", "https://localhost")
         self.sslverify = not config.get("nosslverify", False)
         cacerts = config.get("cacerts")
@@ -80,12 +118,28 @@ def __init__(self, pamh, config):
             self.sslverify = cacerts
         self.realm = config.get("realm")
         self.debug = config.get("debug")
-        self.sqlfile = config.get("sqlfile", "/etc/privacyidea/pam.sqlite")
-
-    def make_request(self, data, endpoint="/validate/check"):
+        self.api_token = config.get("api_token")
+        self.sql = config.get("sql")
+
+    # Return the pwd attribute to use for auth and override username
+    def get_user_attribute(self):
+        user_pwnam = pwd.getpwnam(self.user)
+        self.user = getattr(user_pwnam, "pw_" + self.user_attribute)
+        syslog.syslog(syslog.LOG_DEBUG,
+                      "%s: Using user attribute as username: %s" % (__name__, self.user))
+
+    def make_request(self, data, endpoint="/validate/check",
+                        api_token=None, post=True):
         # add a user-agent to be displayed in the Client Application Type
         headers = {'user-agent': 'PAM/2.15.0'}
-        response = requests.post(self.URL + endpoint, data=data,
+        if api_token:
+            headers["Authorization"] = api_token
+
+        if post:
+            response = requests.post(self.URL + endpoint, data=data,
+                                 headers=headers, verify=self.sslverify)
+        else:
+            response = requests.get(self.URL + endpoint, data=data,
                                  headers=headers, verify=self.sslverify)
 
         json_response = response.json
@@ -95,18 +149,160 @@ def make_request(self, data, endpoint="/validate/check"):
 
         return json_response
 
+
+    def check_user_filtering(self, user, username, user_filter):
+        if len(user_filter)>0:
+            if user in user_filter or username in user_filter:
+                syslog.syslog(syslog.LOG_DEBUG,
+                    "User %s requires 2FA" % user)
+                return False
+            else:
+                syslog.syslog(syslog.LOG_DEBUG,
+                    "User %s does not require 2FA" % user)
+                return True
+        else:
+            syslog.syslog(syslog.LOG_DEBUG,
+                "No User filtering")
+            return False
+
+    def check_user_tokens(self, user):
+        # Check the tokens of a user
+        syslog.syslog(syslog.LOG_DEBUG,
+                      "%s: Checking tokens for %s" % (__name__, user))
+
+        data = {"user": self.user}
+
+        if self.realm:
+            data["realm"] = self.realm
+
+        try:
+            json_response = self.make_request(data, endpoint="/token",
+                                api_token=self.api_token, post=False)
+
+            result = json_response.get("result")
+            detail = json_response.get("detail")
+
+            if self.debug:
+                syslog.syslog(syslog.LOG_DEBUG,
+                              "%s: result: %s" % (__name__, result))
+                syslog.syslog(syslog.LOG_DEBUG,
+                              "%s: detail: %s" % (__name__, detail))
+
+            if result.get("status"):
+                if result.get("value"):
+                    token_count = result.get("value").get("count")
+
+                    if token_count == 0:
+                        return self.enroll_user(self.user)
+                    else:
+                        return True
+            else:
+                raise Exception(result.get("error").get("message"))
+
+        except Exception as e:
+            # If the network is not reachable, pass to allow offline auth
+            syslog.syslog(syslog.LOG_DEBUG, "failed to check user's tokens {0!s}".format(e))
+
+    def set_token_type(self):
+        enroll_data = {"user": self.user,
+                        "genkey": "1"}
+        pam_message_choice = self.pamh.Message(self.pamh.PAM_PROMPT_ECHO_ON,
+                "Please choose the token to generate:\n"
+                "[1] Email\n"
+                "[2] Push\n"
+                "[3] Google Authenticator\n")
+        response_choice = self.pamh.conversation(pam_message_choice)
+        if response_choice.resp == "1":
+            enroll_data["type"] = "email"
+            enroll_data["dynamic_email"] = 1
+        elif response_choice.resp == "2":
+            enroll_data["type"] = "push"
+        elif response_choice.resp == "3":
+            enroll_data["type"] = "totp"
+        else:
+            pam_message3 = self.pamh.Message(self.pamh.PAM_TEXT_INFO,
+                "Not a valid choice. Please try again")
+            info = self.pamh.conversation(pam_message3)
+            return self.set_token_type()
+        return enroll_data
+
+    def set_pin(self):
+        pam_message1 = self.pamh.Message(self.pamh.PAM_PROMPT_ECHO_OFF,
+                        "Please choose a 4-digit minimum PIN: ")
+        response1 = self.pamh.conversation(pam_message1)
+        pam_message2 = self.pamh.Message(self.pamh.PAM_PROMPT_ECHO_OFF,
+                        "Confirm your PIN: ")
+        response2 = self.pamh.conversation(pam_message2)
+
+        if response1.resp == response2.resp:
+            return response1.resp
+        else:
+            pam_message3 = self.pamh.Message(self.pamh.PAM_TEXT_INFO,
+                "PINs don't match. Please try again")
+            info = self.pamh.conversation(pam_message3)
+            return self.set_pin()
+
+    def enroll_user(self, user):
+        # Generate a new email Token with the provided pin
+        syslog.syslog(syslog.LOG_DEBUG,
+                      "%s: Generating a new token for %s" % (__name__, user))
+
+        pam_message = self.pamh.Message(self.pamh.PAM_TEXT_INFO,
+                        "You don't any have token yet.")
+        info = self.pamh.conversation(pam_message)
+        # Token type choosing
+        enroll_data = self.set_token_type()
+        # Ask for pin
+        enroll_data["pin"] = self.set_pin()
+
+        if self.realm:
+            enroll_data["realm"] = self.realm
+
+        json_response = self.make_request(enroll_data, endpoint="/token/init",
+                                            api_token=self.api_token)
+
+        result = json_response.get("result")
+        detail = json_response.get("detail")
+
+        if self.debug:
+            syslog.syslog(syslog.LOG_DEBUG,
+                          "%s: result: %s" % (__name__, result))
+            syslog.syslog(syslog.LOG_DEBUG,
+                          "%s: detail: %s" % (__name__, detail))
+        if result.get("status"):
+            if result.get("value"):
+                # Display QR Code if any
+                otp_link = False
+                if "pushurl" in detail:
+                    otp_link = detail["pushurl"]["value"]
+                if "googleurl" in detail:
+                    otp_link = detail["googleurl"]["value"]
+                # BUG: otpauth qr code generated does no work and is too big for terminals
+                if enroll_data["type"] == "totp":
+                    qr = generate_qr(otp_link)
+                    self.pamh.conversation(self.pamh.Message(self.pamh.PAM_TEXT_INFO, qr))
+                if otp_link:
+                    otp_web_render = "\nPlease visit the following link to get the QR Code: \n\n"
+                    otp_web_render += "https://www.google.com/chart?chs=200x200&chld=M|0&cht=qr&chl=" + urllib.quote(otp_link) + "\n\n"
+                    self.pamh.conversation(self.pamh.Message(self.pamh.PAM_TEXT_INFO, otp_web_render))
+                return True
+        else:
+            raise Exception(result.get("error").get("message"))
+
     def offline_refill(self, serial, password):
 
         # get refilltoken
-        conn = sqlite3.connect(self.sqlfile)
-        c = conn.cursor()
+        startdb(self.sql)
         refilltoken = None
         # get all possible serial/tokens for a user
-        for row in c.execute("SELECT refilltoken FROM refilltokens WHERE serial=?",
-                             (serial, )):
+        c.execute(sql_abstract("SELECT refilltoken FROM refilltokens WHERE serial=?"),
+                             (serial, ))
+        for row in c.fetchall():
             refilltoken = row[0]
             syslog.syslog("Doing refill with token {0!s}".format(refilltoken))
 
+        closedb()
+
         if refilltoken:
             data = {"serial": serial,
                     "pass": password,
@@ -125,7 +321,7 @@ def offline_refill(self, serial, password):
 
             if result.get("status"):
                 if result.get("value"):
-                    save_auth_item(self.sqlfile, self.user, serial, tokentype,
+                    save_auth_item(self.sql, self.user, serial, tokentype,
                                    auth_item)
                     return True
             else:
@@ -136,13 +332,13 @@ def offline_refill(self, serial, password):
 
     def authenticate(self, password):
         rval = self.pamh.PAM_SYSTEM_ERR
-        # First we try to authenticate against the sqlitedb
-        r, serial = check_offline_otp(self.user, password, self.sqlfile, window=10)
+        # First we try to authenticate against the sqldb
+        r, serial = check_offline_otp(self.sql, self.user, password, window=10)
         syslog.syslog(syslog.LOG_DEBUG, "offline check returned: {0!s}, {1!s}".format(r, serial))
         if r:
             syslog.syslog(syslog.LOG_DEBUG,
                           "%s: successfully authenticated against offline "
-                          "database %s" % (__name__, self.sqlfile))
+                          "database" % (__name__))
 
             # Try to refill
             try:
@@ -163,7 +359,6 @@ def authenticate(self, password):
                 data["realm"] = self.realm
 
             json_response = self.make_request(data)
-
             result = json_response.get("result")
             auth_item = json_response.get("auth_items")
             detail = json_response.get("detail") or {}
@@ -178,14 +373,14 @@ def authenticate(self, password):
             if result.get("status"):
                 if result.get("value"):
                     rval = self.pamh.PAM_SUCCESS
-                    save_auth_item(self.sqlfile, self.user, serial, tokentype,
+                    save_auth_item(self.sql, self.user, serial, tokentype,
                                    auth_item)
                 else:
                     transaction_id = detail.get("transaction_id")
+                    message = detail.get("message").encode("utf-8")
 
                     if transaction_id:
                         attributes = detail.get("attributes") or {}
-                        message = detail.get("message").encode("utf-8")
                         if "u2fSignRequest" in attributes:
                             rval = self.u2f_challenge_response(
                                     transaction_id, message,
@@ -195,12 +390,21 @@ def authenticate(self, password):
                                                            message,
                                                            attributes)
                     else:
+                        syslog.syslog(syslog.LOG_ERR,
+                                      "%s: %s" % (__name__, message))
+                        pam_message = self.pamh.Message(self.pamh.PAM_ERROR_MSG, message)
+                        self.pamh.conversation(pam_message)
                         rval = self.pamh.PAM_AUTH_ERR
             else:
+                error_msg = result.get("error").get("message")
                 syslog.syslog(syslog.LOG_ERR,
-                              "%s: %s" % (__name__,
-                                          result.get("error").get("message")))
+                              "%s: %s" % (__name__, error_msg))
+                pam_message = self.pamh.Message(self.pamh.PAM_ERROR_MSG, str(error_msg))
+                self.pamh.conversation(pam_message)
 
+        # Save history
+        save_history_item(self.sql, self.user, self.rhost, serial,
+            (True if rval == self.pamh.PAM_SUCCESS else False))
         return rval
 
     def challenge_response(self, transaction_id, message, attributes):
@@ -300,8 +504,7 @@ def u2f_challenge_response(self, transaction_id, message, attributes):
                 rval = self.pamh.PAM_AUTH_ERR
         else:
             syslog.syslog(syslog.LOG_ERR,
-                          "%s: %s" % (__name__,
-                                      result.get("error").get("message")))
+                "%s: %s" % (__name__, result.get("error").get("message")))
 
         return rval
 
@@ -310,34 +513,60 @@ def pam_sm_authenticate(pamh, flags, argv):
     config = _get_config(argv)
     debug = config.get("debug")
     try_first_pass = config.get("try_first_pass")
-    prompt = config.get("prompt", "Your OTP")
+    prompt = config.get("prompt", "Your OTP").replace("_", " ")
+    grace_time = config.get("grace")
+    user_filter = config.get("users")
     if prompt[-1] != ":":
         prompt += ":"
     rval = pamh.PAM_AUTH_ERR
     syslog.openlog(facility=syslog.LOG_AUTH)
 
     Auth = Authenticator(pamh, config)
-    try:
-        if pamh.authtok is None or not try_first_pass:
-            message = pamh.Message(pamh.PAM_PROMPT_ECHO_OFF, "%s " % prompt)
-            response = pamh.conversation(message)
-            pamh.authtok = response.resp
-
-        if debug and try_first_pass:
-            syslog.syslog(syslog.LOG_DEBUG, "%s: running try_first_pass" %
-                          __name__)
-        rval = Auth.authenticate(pamh.authtok)
-
-        # If the first authentication did not succeed but we have
-        # try_first_pass, we ask again for a password:
-        if rval != pamh.PAM_SUCCESS and try_first_pass:
-            # Now we give it a second try:
-            message = pamh.Message(pamh.PAM_PROMPT_ECHO_OFF, "%s " % prompt)
-            response = pamh.conversation(message)
-            pamh.authtok = response.resp
 
+    # Empty conversation to test password/keyboard_interactive
+    message = pamh.Message(pamh.PAM_TEXT_INFO, " ")
+    response = pamh.conversation(message)
+    if response.resp == '':
+        rval = pamh.PAM_AUTHINFO_UNAVAIL
+        return rval
+
+    # Check if user is excluded
+    if Auth.check_user_filtering(Auth.user, Auth.username, user_filter):
+        return pamh.PAM_AUTHINFO_UNAVAIL
+
+    try:
+        if grace_time is not None:
+            syslog.syslog(syslog.LOG_DEBUG,
+                    "Grace period in minutes: %s " % (str(grace_time)))
+            # First we check if grace is authorized
+            if check_last_history(Auth.sql, Auth.user,
+                        Auth.rhost, grace_time, window=10):
+                rval = pamh.PAM_SUCCESS
+
+        if rval != pamh.PAM_SUCCESS:
+            # Check if user has tokens
+            Auth.check_user_tokens(Auth.user)
+
+            if pamh.authtok is None or not try_first_pass:
+                message = pamh.Message(pamh.PAM_PROMPT_ECHO_OFF, "%s " % prompt)
+                response = pamh.conversation(message)
+                pamh.authtok = response.resp
+
+            if debug and try_first_pass:
+                syslog.syslog(syslog.LOG_DEBUG, "%s: running try_first_pass" %
+                              __name__)
             rval = Auth.authenticate(pamh.authtok)
 
+            # If the first authentication did not succeed but we have
+            # try_first_pass, we ask again for a password:
+            if rval != pamh.PAM_SUCCESS and try_first_pass:
+                # Now we give it a second try:
+                message = pamh.Message(pamh.PAM_PROMPT_ECHO_OFF, "%s " % prompt)
+                response = pamh.conversation(message)
+                pamh.authtok = response.resp
+
+                rval = Auth.authenticate(pamh.authtok)
+
     except Exception as exx:
         syslog.syslog(syslog.LOG_ERR, traceback.format_exc())
         syslog.syslog(syslog.LOG_ERR, "%s: %s" % (__name__, exx))
@@ -373,34 +602,36 @@ def pam_sm_chauthtok(pamh, flags, argv):
     return pamh.PAM_SUCCESS
 
 
-def check_offline_otp(user, otp, sqlfile, window=10, refill=True):
+def check_offline_otp(sql_params, user, otp, window=10, refill=True):
     """
     compare the given otp values with the next hashes of the user.
 
     DB entries older than the matching counter will be deleted from the
     database.
 
+    :param sql_params: MySQL/SQLite connection parameters
+    :type sql_params: dict
     :param user: The local user in the sql file
     :param otp: The otp value
-    :param sqlfile: The sqlite file
     :return: Tuple of (True or False, serial)
     """
     res = False
-    conn = sqlite3.connect(sqlfile)
-    c = conn.cursor()
-    _create_table(c)
+    startdb(sql_params)
     # get all possible serial/tokens for a user
     serials = []
     matching_serial = None
-    for row in c.execute("SELECT serial, user FROM authitems WHERE user=?"
-                         "GROUP by serial", (user,)):
+
+    c.execute(sql_abstract("SELECT serial, user FROM authitems WHERE user=?"
+                         "GROUP by serial"), (user,))
+    for row in c.fetchall():
         serials.append(row[0])
 
     for serial in serials:
-        for row in c.execute("SELECT counter, user, otp, serial FROM authitems "
+        c.execute(sql_abstract("SELECT counter, user, otp, serial FROM authitems "
                              "WHERE user=? and serial=? ORDER by counter "
-                             "LIMIT ?",
-                             (user, serial, window)):
+                             "LIMIT ?"),
+                             (user, serial, window))
+        for row in c.fetchall():
             hash_value = row[2]
             if passlib.hash.pbkdf2_sha512.verify(otp, hash_value):
                 res = True
@@ -410,24 +641,24 @@ def check_offline_otp(user, otp, sqlfile, window=10, refill=True):
 
     # We found a matching password, so we remove the old entries
     if res:
-        c.execute("DELETE from authitems WHERE counter <= ? and serial = ?",
+        c.execute(sql_abstract("DELETE from authitems WHERE counter <= ? and serial = ?"),
                   (matching_counter, matching_serial))
-        conn.commit()
-    conn.close()
+
+    closedb()
     return res, matching_serial
 
 
-def save_auth_item(sqlfile, user, serial, tokentype, authitem):
+def save_auth_item(sql_params, user, serial, tokentype, authitem):
     """
-    Save the given authitem to the sqlite file to be used later for offline
+    Save the given authitem to the sqldb file to be used later for offline
     authentication.
 
     There is only one table in it with the columns:
 
         username, counter, otp
 
-    :param sqlfile: An SQLite file. If it does not exist, it will be generated.
-    :type sqlfile: basestring
+    :param sql_params: MySQL/SQLite connection parameters
+    :type sql_params: dict
     :param user: The PAM user
     :param serial: The serial number of the token
     :param tokentype: The type of the token
@@ -436,10 +667,7 @@ def save_auth_item(sqlfile, user, serial, tokentype, authitem):
 
     :return:
     """
-    conn = sqlite3.connect(sqlfile)
-    c = conn.cursor()
-    # Create the table if necessary
-    _create_table(c)
+    startdb(sql_params)
 
     syslog.syslog(syslog.LOG_DEBUG, "%s: offline save authitem: %s" % (
         __name__, authitem))
@@ -448,42 +676,172 @@ def save_auth_item(sqlfile, user, serial, tokentype, authitem):
         tokenowner = offline.get("username")
         for counter, otphash in offline.get("response").items():
             # Insert the OTP hash
-            c.execute("INSERT INTO authitems (counter, user, serial,"
-                      "tokenowner, otp) VALUES (?,?,?,?,?)",
+            c.execute(sql_abstract("INSERT INTO authitems (counter, user, serial,"
+                      "tokenowner, otp) VALUES (?,?,?,?,?)"),
                       (counter, user, serial, tokenowner, otphash))
 
         refilltoken = offline.get("refilltoken")
         # delete old refilltoken
         try:
-            c.execute('DELETE FROM refilltokens WHERE serial=?', (serial,))
+            c.execute(sql_abstract("DELETE FROM refilltokens WHERE serial=?"), (serial,))
         except sqlite3.OperationalError:
             pass
-        c.execute("INSERT INTO refilltokens (serial, refilltoken) VALUES (?,?)",
+        c.execute(sql_abstract("INSERT INTO refilltokens (serial, refilltoken) VALUES (?,?)"),
                   (serial, refilltoken))
 
-    # Save (commit) the changes
-    conn.commit()
+    closedb()
 
-    # We can also close the connection if we are done with it.
-    # Just be sure any changes have been committed or they will be lost.
-    conn.close()
+def check_last_history(sql_params, user, rhost, grace_time, window=10):
+    """
+    Get the last event for this user.
+
+    If success reset the error counter.
+    If error increment the error counter.
 
+    :param sql_params: MySQL/SQLite connection parameters
+    :type sql_params: dict
+    :param user: The PAM user
+    :param rhost: The PAM user rhost value
+    :param serial: The serial number of the token
+    :param success: Boolean
 
-def _create_table(c):
+    :return:
+    """
+    startdb(sql_params)
+
+    res = False
+    events = []
+
+    c.execute(sql_abstract("SELECT user, rhost, serial, last_success, last_error "
+                         "FROM history "
+                         "WHERE user=? AND rhost=? ORDER by last_success "
+                         "LIMIT ?"),
+                         (user, rhost, window))
+    for row in c.fetchall():
+        events.append(row)
+
+    if len(events)>0:
+        for event in events:
+            last_success = event[3]
+            if last_success is not None:
+                # Get the elapsed time in minutes since last success
+                last_success_delta = datetime.datetime.now() - last_success
+                delta = last_success_delta.seconds / 60 + last_success_delta.days * 1440
+                if delta < int(grace_time):
+                    syslog.syslog(syslog.LOG_DEBUG, "%s: Last success : %s , "
+                            "was %s minutes ago and in the grace period" % (
+                            __name__, str(last_success), str(delta)))
+                    res = True
+                    break
+
+            else:
+                syslog.syslog(syslog.LOG_DEBUG, "%s: No last success recorded: %s" % (
+                    __name__, user))
+    else:
+        syslog.syslog(syslog.LOG_DEBUG, "%s: No history for: %s" % (
+            __name__, user))
+
+    closedb()
+    return res
+
+
+def save_history_item(sql_params, user, rhost, serial, success):
+    """
+    Save the given success/error event.
+
+    If success reset the error counter.
+    If error increment the error counter.
+
+    :param sql_params: MySQL/SQLite connection parameters
+    :type sql_params: dict
+    :param user: The PAM user
+    :param rhost: The PAM user rhost value
+    :param serial: The serial number of the token
+    :param success: Boolean
+
+    :return:
+    """
+    startdb(sql_params)
+
+    syslog.syslog(syslog.LOG_DEBUG, "%s: offline save event: %s" % (
+        __name__, ("success" if success else "error")))
+    if success:
+        # Insert the Event
+        c.execute(sql_abstract("REPLACE INTO history (user, rhost, serial,"
+                  "error_counter, last_success) VALUES (?,?,?,?,?)"),
+                  (user, rhost, serial, 0, datetime.datetime.now()))
+    else:
+        # Insert the Event
+        c.execute(sql_abstract("UPDATE history SET error_counter = error_counter + 1, "
+                    " serial = ? , last_error = ? "
+                    " WHERE user = ? AND rhost = ? "),
+                  (serial, datetime.datetime.now(), user, rhost))
+
+        syslog.syslog(syslog.LOG_DEBUG,"Rows affected : %d " % c.rowcount)
+        if c.rowcount == 0:
+            c.execute(sql_abstract("INSERT INTO history (user, rhost, serial,"
+                      "error_counter, last_error) VALUES (?,?,?,?,?)"),
+                      (user, rhost, serial, 1, datetime.datetime.now()))
+
+    closedb()
+
+# Start connection and create cursor
+def startdb(sql_params):
+    global conn, c
+    # Create connection
+    if SQLite:
+        conn = sqlite3.connect(sql_params, detect_types=sqlite3.PARSE_DECLTYPES)
+    else:
+        conn = mysql.connector.connect(**sql_params)
+
+    # Create a cursor object
+    c = conn.cursor()
+    # Create table if does not exist
+    _create_table()
+
+# Commit and close db
+def closedb():
+    # Commit changes
+    conn.commit()
+    # Close connections
+    conn.close()
+
+def _create_table():
     """
     Create table if necessary
     :param c: The connection cursor
     """
+    c.execute("CREATE TABLE IF NOT EXISTS authitems "
+              "(counter int, user text, serial text, tokenowner text,"
+              "otp text, tokentype text)")
+    # create refilltokens table
+    c.execute("CREATE TABLE IF NOT EXISTS refilltokens (serial text, refilltoken text)")
+    # create history table
+    c.execute("CREATE TABLE IF NOT EXISTS history "
+              "(user varchar(50), rhost varchar(50), serial text, error_counter int, "
+              "last_success timestamp, last_error timestamp)")
     try:
-        c.execute("CREATE TABLE authitems "
-                  "(counter int, user text, serial text, tokenowner text,"
-                  "otp text, tokentype text)")
+        # create history table
+        c.execute("CREATE TABLE IF NOT EXISTS history "
+                  "(user text, rhost text, serial text, error_counter int, "
+                  "last_success timestamp, last_error timestamp)")
+        c.execute("CREATE UNIQUE INDEX idx_user "
+                    "ON history (user, rhost);")
+    except mysql.connector.Error as err:
+        if err.errno == mysql.connector.errorcode.ER_DUP_KEYNAME:
+            pass
+        else:
+            raise
     except sqlite3.OperationalError:
         pass
 
-    try:
-        # create refilltokens table
-        c.execute("CREATE TABLE refilltokens (serial text, refilltoken text)")
-    except sqlite3.OperationalError:
-        pass
+# Convert an SQLite statement to MySQL
+def sql_abstract(sql_statement):
+    if SQLite:
+        return sql_statement
+    else:
+        return sql_statement.replace('?','%s')
 
+def generate_qr(data):
+    qr = pyqrcode.create(data, error='L')
+    return str(qr.terminal(quiet_zone=4, module_color='reverse', background='default'))
diff --git a/requirements.txt b/requirements.txt
index 648c4f7..2f7ab04 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -4,3 +4,5 @@ idna==2.9
 passlib==1.7.2
 requests==2.23.0
 urllib3==1.25.9
+pyyaml
+pyqrcode
diff --git a/setup.py b/setup.py
index 1cafe5f..300a685 100644
--- a/setup.py
+++ b/setup.py
@@ -2,12 +2,12 @@
 
 from setuptools import setup
 
-#VERSION="2.1dev4"
-VERSION = "2.11dev0"
+VERSION = "2.16.dev0"
 
 install_requires = [
     'requests>=2.23',
-    'passlib>=1.7.2'
+    'passlib>=1.7.2',
+    'pyyaml'
 ]
 
 setup(
diff --git a/tests/__init__.py b/tests/__init__.py
deleted file mode 100644
index e69de29..0000000
diff --git a/tests/test_pam_module.py b/tests/test_pam_module.py
index c810a05..bb099e5 100644
--- a/tests/test_pam_module.py
+++ b/tests/test_pam_module.py
@@ -14,6 +14,7 @@
 REFILL_2 = "b" * 80
 
 SQLFILE = "pam-test.sqlite"
+
 # test100000
 # test100001
 # test100002
@@ -89,22 +90,51 @@
                 "version": "privacyIDEA unknown"
 }
 
+USER_TOKEN_BODY = { "id": 1,
+                    "jsonrpc": "2.0",
+                    "result": {"status": True,
+                               "value": {
+                                    "count" : 1
+                               }
+                    }
+}
 
 class PAMH(object):
 
     PAM_AUTH_ERR = 0
     PAM_SUCCESS = 1
     PAM_SYSTEM_ERR = 2
+    PAM_AUTHINFO_UNAVAIL = 3
+
+    PAM_PROMPT_ECHO_OFF = 11
+    PAM_PROMPT_ECHO_ON = 12
+    PAM_ERROR_MSG = 13
+    PAM_TEXT_INFO = 14
 
     exception = Exception
 
-    def __init__(self, user, password):
+    def __init__(self, user, password, rhost, keyboard_interactive=True):
         self.authtok = password
         self.user = user
+        self.rhost = user
+        self.keyboard_interactive = keyboard_interactive
 
     def get_user(self, dummy):
         return self.user
 
+    def Message(self, prompt_type, prompt):
+        return prompt
+
+    def conversation(self, message):
+        if message == " ":
+            return Response(None if self.keyboard_interactive else '')
+
+class Response(object):
+
+    def __init__(self, resp, ret_code = 0):
+        self.resp = resp
+        self.ret_code = ret_code
+
 
 class PAMTestCase(unittest.TestCase):
 
@@ -121,8 +151,9 @@ def setUpClass():
 
     def test_01_check_offline_otp(self):
         # Check with no entries in the database
-        r, matching_serial = check_offline_otp("cornelius", "test123456", SQLFILE)
-        self.assertFalse(r)
+
+        r, matching_serial = check_offline_otp(SQLFILE, "cornelius", "test123456")
+        self.assertEqual(r, PAMH.PAM_AUTH_ERR)
         self.assertIsNone(matching_serial)
 
         # Save some values to the database
@@ -134,12 +165,12 @@ def test_01_check_offline_otp(self):
                                          "response": RESP}
                            ]
                            })
-        r, matching_serial = check_offline_otp("cornelius", "test100000", SQLFILE)
-        self.assertTrue(r)
+        r, matching_serial = check_offline_otp(SQLFILE, "cornelius", "test100000")
+        self.assertEqual(r, PAMH.PAM_SUCCESS)
         self.assertEqual(matching_serial, "TOK001")
         # Authenticating with the same value a second time, fails
-        r, matching_serial = check_offline_otp("cornelius", "test100000", SQLFILE)
-        self.assertFalse(r)
+        r, matching_serial = check_offline_otp(SQLFILE, "cornelius", "test100000")
+        self.assertEqual(r, PAMH.PAM_AUTH_ERR)
         self.assertIsNone(matching_serial)
 
     @responses.activate
@@ -149,18 +180,22 @@ def test_02_authenticate_offline(self):
                       body=json.dumps(SUCCESS_BODY),
                       content_type="application/json")
 
-        pamh = PAMH("cornelius", "test100001")
+        pamh = PAMH("cornelius", "test100001", "192.168.0.1")
         flags = None
-        argv = ["url=http://my.privacyidea.server",
+        argv = ["/path/privacyidea_pam.py",
+                "url=http://my.privacyidea.server",
+                "debug",
                 "sqlfile=%s" % SQLFILE,
                 "try_first_pass"]
         r = pam_sm_authenticate(pamh, flags, argv)
         self.assertEqual(r, PAMH.PAM_SUCCESS)
 
         # Authenticate the second time offline
-        pamh = PAMH("cornelius", "test100002")
+        pamh = PAMH("cornelius", "test100002", "192.168.0.1")
         flags = None
-        argv = ["url=http://my.privacyidea.server",
+        argv = ["/path/privacyidea_pam.py",
+                "url=http://my.privacyidea.server",
+                "debug",
                 "sqlfile=%s" % SQLFILE,
                 "try_first_pass"]
         r = pam_sm_authenticate(pamh, flags, argv)
@@ -171,28 +206,37 @@ def test_02_authenticate_offline(self):
     @responses.activate
     def test_03_authenticate_online(self):
         # authenticate online and fetch offline values
+        responses.add(responses.GET,
+                      "http://my.privacyidea.server/token",
+                      body=json.dumps(USER_TOKEN_BODY),
+                      content_type="application/json")
         responses.add(responses.POST,
                       "http://my.privacyidea.server/validate/check",
                       body=json.dumps(SUCCESS_BODY),
                       content_type="application/json")
-        pamh = PAMH("cornelius", "test999999")
+        pamh = PAMH("cornelius", "test999999", "192.168.0.1")
         flags = None
-        argv = ["url=http://my.privacyidea.server",
+        argv = ["/path/privacyidea_pam.py",
+                "url=http://my.privacyidea.server",
+                "users=cornelius,cornelius3",
+                "debug",
                 "sqlfile=%s" % SQLFILE,
                 "try_first_pass"]
         r = pam_sm_authenticate(pamh, flags, argv)
-        self.assertTrue(r)
+        self.assertEqual(r, PAMH.PAM_SUCCESS)
         # Now the offlne values are stored
 
     def test_04_authenticate_offline(self):
         # and authenticate offline again.
-        pamh = PAMH("cornelius", "test100000")
+        pamh = PAMH("cornelius", "test100000", "192.168.0.1")
         flags = None
-        argv = ["url=http://my.privacyidea.server",
+        argv = ["/path/privacyidea_pam.py",
+                "url=http://my.privacyidea.server",
+                "debug",
                 "sqlfile=%s" % SQLFILE,
                 "try_first_pass"]
         r = pam_sm_authenticate(pamh, flags, argv)
-        self.assertTrue(r)
+        self.assertEqual(r, PAMH.PAM_SUCCESS)
 
     def test_05_two_tokens(self):
         # Save some values to the database
@@ -213,32 +257,39 @@ def test_05_two_tokens(self):
                            ]
                            })
 
-        pamh = PAMH("cornelius", "test100001")
+        pamh = PAMH("cornelius", "test100001", "192.168.0.1")
         flags = None
-        argv = ["url=http://my.privacyidea.server",
+        argv = ["/path/privacyidea_pam.py",
+                "url=http://my.privacyidea.server",
+                "debug",
                 "sqlfile=%s" % SQLFILE,
                 "try_first_pass"]
         r = pam_sm_authenticate(pamh, flags, argv)
         self.assertEqual(r, PAMH.PAM_SUCCESS)
 
         # An older OTP value of the first token is deleted
-        pamh = PAMH("cornelius", "test100000")
+        pamh = PAMH("cornelius", "test100000", "192.168.0.1")
         flags = None
-        argv = ["url=http://my.privacyidea.server",
+        argv = ["/path/privacyidea_pam.py",
+            "url=http://my.privacyidea.server",
+                "debug",
                 "sqlfile=%s" % SQLFILE,
                 "try_first_pass"]
         r = pam_sm_authenticate(pamh, flags, argv)
         self.assertNotEqual(r, PAMH.PAM_SUCCESS)
 
         # An older value with another token can authenticate!
-        pamh = PAMH("cornelius", "TEST100000")
+        pamh = PAMH("cornelius", "TEST100000", "192.168.0.1")
         flags = None
-        argv = ["url=http://my.privacyidea.server",
+        argv = ["/path/privacyidea_pam.py",
+                "url=http://my.privacyidea.server",
+                "debug",
                 "sqlfile=%s" % SQLFILE,
                 "try_first_pass"]
         r = pam_sm_authenticate(pamh, flags, argv)
         self.assertEqual(r, PAMH.PAM_SUCCESS)
 
+    @responses.activate
     def test_06_refill(self):
         with responses.RequestsMock() as rsps:
             # Get offline OTPs + refill token
@@ -247,18 +298,22 @@ def test_06_refill(self):
                           body=json.dumps(SUCCESS_BODY),
                           content_type="application/json")
 
-            pamh = PAMH("cornelius", "test100000")
+            pamh = PAMH("cornelius", "test100000", "192.168.0.1")
             flags = None
-            argv = ["url=http://my.privacyidea.server",
+            argv = ["/path/privacyidea_pam.py",
+                    "url=http://my.privacyidea.server",
+                    "debug",
                     "sqlfile=%s" % SQLFILE,
                     "try_first_pass"]
             r = pam_sm_authenticate(pamh, flags, argv)
             self.assertEqual(r, PAMH.PAM_SUCCESS)
 
         # OTP value not known yet, online auth does not work
-        pamh = PAMH("cornelius", "test100004")
+        pamh = PAMH("cornelius", "test100004", "192.168.0.1")
         flags = None
-        argv = ["url=http://my.privacyidea.server",
+        argv = ["/path/privacyidea_pam.py",
+                "url=http://my.privacyidea.server",
+                "debug",
                 "sqlfile=%s" % SQLFILE,
                 "try_first_pass"]
         r = pam_sm_authenticate(pamh, flags, argv)
@@ -266,27 +321,34 @@ def test_06_refill(self):
 
         # now with refill
         with responses.RequestsMock() as rsps:
+            rsps.add(responses.GET,
+                      "http://my.privacyidea.server/token",
+                      body=json.dumps(USER_TOKEN_BODY),
+                      content_type="application/json")
             rsps.add(responses.POST,
                           "http://my.privacyidea.server/validate/offlinerefill",
                           body=json.dumps(REFILL_BODY),
                           content_type="application/json")
 
-            pamh = PAMH("cornelius", "test100001")
+            pamh = PAMH("cornelius", "test100001", "192.168.0.1")
             flags = None
-            argv = ["url=http://my.privacyidea.server",
+            argv = ["/path/privacyidea_pam.py",
+                    "url=http://my.privacyidea.server",
+                    "debug",
                     "sqlfile=%s" % SQLFILE,
                     "try_first_pass"]
             r = pam_sm_authenticate(pamh, flags, argv)
             self.assertEqual(r, PAMH.PAM_SUCCESS)
-
             self.assertIn('refilltoken=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa',
-                          rsps.calls[0].request.body)
+                          rsps.calls[1].request.body)
 
         # authenticate with refilled
         with responses.RequestsMock() as rsps:
-            pamh = PAMH("cornelius", "test100004")
+            pamh = PAMH("cornelius", "test100004", "192.168.0.1")
             flags = None
-            argv = ["url=http://my.privacyidea.server",
+            argv = ["/path/privacyidea_pam.py",
+                    "url=http://my.privacyidea.server",
+                    "debug",
                     "sqlfile=%s" % SQLFILE,
                     "try_first_pass"]
             r = pam_sm_authenticate(pamh, flags, argv)
@@ -294,15 +356,40 @@ def test_06_refill(self):
 
             # using new refill token
             self.assertIn('refilltoken=bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb',
-                          rsps.calls[0].request.body)
+                          rsps.calls[1].request.body)
 
         # ... but not twice
-        pamh = PAMH("cornelius", "test100004")
+        pamh = PAMH("cornelius", "test100004", "192.168.0.1")
         flags = None
-        argv = ["url=http://my.privacyidea.server",
+        argv = ["/path/privacyidea_pam.py",
+                "url=http://my.privacyidea.server",
+                "debug",
                 "sqlfile=%s" % SQLFILE,
                 "try_first_pass"]
         r = pam_sm_authenticate(pamh, flags, argv)
         self.assertNotEqual(r, PAMH.PAM_SUCCESS)
 
+    def test_07_password_auth(self):
+        # Authenticator will return PAM_AUTHINFO_UNAVAIL during password auth
+        pamh = PAMH("cornelius", "test100007", "192.168.0.1", False)
+        flags = None
+        argv = ["/path/privacyidea_pam.py",
+                "url=http://my.privacyidea.server",
+                "debug",
+                "sqlfile=%s" % SQLFILE,
+                "try_first_pass"]
+        r = pam_sm_authenticate(pamh, flags, argv)
+        self.assertEqual(r, PAMH.PAM_AUTHINFO_UNAVAIL)
 
+    def test_08_user_filtering(self):
+        # Authenticator will return PAM_AUTHINFO_UNAVAIL as user not in list
+        pamh = PAMH("cornelius", "test100007", "192.168.0.1", False)
+        flags = None
+        argv = ["/path/privacyidea_pam.py",
+                "url=http://my.privacyidea.server",
+                "users=cornelius2,cornelius3",
+                "debug",
+                "sqlfile=%s" % SQLFILE,
+                "try_first_pass"]
+        r = pam_sm_authenticate(pamh, flags, argv)
+        self.assertEqual(r, PAMH.PAM_AUTHINFO_UNAVAIL)
diff --git a/tox.ini b/tox.ini
index c206f69..fc755d2 100644
--- a/tox.ini
+++ b/tox.ini
@@ -1,20 +1,17 @@
 [tox]
-envlist = py27,py35,py36,py37,py38
+envlist = py27
 skip_missing_interpreters = true
 
 [gh-actions]
 python =
     2.7: py27
-    3.5: py35
-    3.6: py36
-    3.7: py37
-    3.8: py38
 
 [testenv]
+sitepackages=true
 # install pytest-cov in the virtualenv where commands will be executed
 deps =
     -rtests/requirements.txt
     pytest-cov
 commands =
     # NOTE: you can run any command line tool here - not just tests
-    python -b -m pytest --cov=privacyidea_pam --cov-append
+    python -b -m pytest -s --cov=privacyidea_pam --cov-append