diff --git a/lib/Auth/Process/PrivacyideaAuthProc.php b/lib/Auth/Process/PrivacyideaAuthProc.php
index 861e6906144ff6d851ca6a61de70b4023b964ec1..4aa449f8682b38b2a554735eb658933c06b25e20 100644
--- a/lib/Auth/Process/PrivacyideaAuthProc.php
+++ b/lib/Auth/Process/PrivacyideaAuthProc.php
@@ -11,6 +11,7 @@ use SimpleSAML\Error\ConfigurationError;
 use SimpleSAML\Logger;
 use SimpleSAML\Module;
 use SimpleSAML\Module\privacyidea\Auth\Utils;
+use SimpleSAML\Module\saml\Error\NoPassive;
 use SimpleSAML\Utils\HTTP;
 
 /**
@@ -96,6 +97,10 @@ class PrivacyideaAuthProc extends ProcessingFilter
         $username = $state['Attributes'][$this->authProcConfig['uidKey']][0];
         $stateId = State::saveState($state, 'privacyidea:privacyidea');
 
+        if (isset($state['isPassive']) && true === $state['isPassive']) {
+            throw new NoPassive('Passive multi-factor authentication not supported.');
+        }
+
         // Check if it should be controlled that user has no tokens and a new token should be enrolled.
         if (!empty($this->authProcConfig['doEnrollToken']) && true === $this->authProcConfig['doEnrollToken']) {
             $stateId = $this->enrollToken($stateId, $username);