multiOTP
multiOTP is an open source PHP class, a command line tool and a web interface that can be used to provide an operating system independent strong authentication system. multiOTP is OATH certified since version 4.1.0 and is developed under the LGPL license. Starting with version 4.3.2.5, multiOTP open source is also available as a virtual appliance - as a standard OVA file, a customized OVA file with open-vm-tools, and also as an Hyper-V downloadable file.
multiOTP open source web interface (5.4.1.7) | |
Developer(s) | SysCo systèmes de communication sa |
---|---|
Initial release | 7 June 2010 |
Stable release | 5.4.1.7
/ 30 January 2019 |
Written in | PHP |
Operating system | Linux, Microsoft Windows |
Platform | IA-32, x86-64, ARM, Raspberry Pi |
Type | Strong two-factor OTP Authentication server |
License | LGPL |
Website | www |
QRcode is generated automatically when printing the user configuration page.
Overview
Spyware, viruses and other hacking technologies or bugs (like Heartbleed) are regularly used to obtain stolen passwords typed by the user. If a strong two factor authentication system is used, the stolen passwords cannot be stored and later used because each password (called OTP for One Time Passwords) is only valid for one authentication session and will fail if used a second time.
multiOTP is a PHP class library. The class can be used with any PHP application using a PHP version of 5.3.0 or higher. The multiOTP library is provided as an all-in-one self-contained file that requires no other includes. If the strong authentication needs to be done from a hardware device instead of an Internet application, a request will go through a RADIUS server which will call the multiOTP command line tool. The implementation is light enough in order to work on limited computers, such as the Raspberry Pi.
History
- Version 1.0.0 of 7 June 2010 was only a basic command line tool called otpauth, already written PHP. The tool has been renamed to multiotp in version 1.1.4 some days later in order to avoid confusion with another project with the same name.
- Version 2.0.0 of 19 July 2010 has been completely rewritten as a PHP class, and the command line tool became an implementation of the class. Under Windows operating systems, the command line tool exists as an executable file including in one file the source code and the PHP interpreter. This version received the phpclasses.org Innovation Award in August 2010.[1]
- Version 3.0.0 of 2 September 2010 allowed PSKC unencoded provisioning files import and the internal structure had been improved.
- Version 3.1.1 of 19 December 2010 allowed data storage in a MySQL backend database.
- Version 3.2.0 of 6 July 2011 allowed to authenticate with a generic account and by passing the specific user and the password in the password field (useful if the library is used with a Windows authentication which needs a specific user).
- Version 3.9.2 of 25 October 2011 is the version that was released for the workshop about integrating strong authentication in Internet applications. This workshop was presented during the Application Security Forum - Western Switzerland 2011 in Yverdon-les-Bains (Switzerland).[2] The library has also been used to validate and distribute[3] the seed of the tokens given by Feitian, the sponsor of the event. Each participant had to give an email address, a mobile phone number, a token serial number and the OTP code displayed on the token, than an encrypted email was sent to the participant and the encryption key was sent by SMS.
- Version 4.0.7 of 30 August 2013 added a lot of enhancements, like a client/server feature with a local cache storage of the definition files of the used tokens, a completely new implementation of the MySQL support (including database tables creation and update), CHAP authentication (in addition to PAP authentication), QRcode generation for direct provisioning in Google Authenticator, fast creation of a user in a single command, ...
- Version 4.0.9 of 22 September 2013 was an intermediate release that has been used to demonstrate the concept of strong authentication in several forums like a Rump Session during the Application Security Forum - Western Switzerland 2013 in Yverdon-les-Bains (Switzerland)[4] and 45 minutes talk during the Studerus Technology Forum (TEFO) 2013 in Zürich (Switzerland).[5]
- Version 4.1.0 of 23 December 2013 is OATH certified for HOTP and TOTP, which means full compatibility with certified hardware tokens, including encrypted PSKC provisioning files. This beta version has been used for a 30 minutes talk during the PasswordsCon 2013 in Bergen (Norway).[6] Instructions and all necessary files to build a strong authentication server device on a Raspberry Pi nano-computer are included. Self-registration of unattributed hardware tokens and automatic resync/unlock during authentication have also been added, and a basic web interface is now also available.
- Version 4.1.1 of 20 January 2014 provided some bug fixes and a better support of Microsoft Authenticator. Resyncing a token (using two consecutive OTP) didn't need the PIN code anymore.
- Version 4.2.0 of 7 February 2014 supported MS-CHAP and MS-CHAPv2 protocols.
- Version 4.2.1 of 14 February 2014 added Active Directory / LDAP support in order to create accounts based on users present in a particular group.
- Version 4.2.2 of 3 March 2014 provided an enhanced web interface in order to import hardware tokens, create accounts, synchronize tokens or unlock accounts. An extended support of TekRADIUS was added in order to send back some particular informations, which is useful for MS-CHAP or MS-CHAPv2 connections.
- Version 4.2.3 of 13 March 2014 fixed a bug with the send back to TekRADIUS.
- Version 4.2.4 of 30 March 2014 enhanced MySQL backend support and added mysqli support. Since this version, it is also possible to define in configuration file which fields must be encrypted or not. Some external classes have been updated or replaced, and a lot of new QA tests have been added, both for PHP class and command line versions.
- Version 4.2.4.1 of 6 April 2014 added NT_KEY support (for FreeRADIUS further handling, like VPN key generation). It is now also possible to import tokens based on a simple CSV file (serial_number;manufacturer;algorithm;seed;digits;interval_or_event). The new option -user-info has also been added, and some bug fixes have been done too.
- Version 4.2.4.2 of 13 April 2014 consolidated XML handling with one single library for the whole project. It also fixed a possible bug concerning tokens import based on a simple CSV file.
- Version 4.2.4.3 of 12 June 2014 fixed a bug with the SMS provider aspsms.
- Version 4.3.0.0 of 4 November 2014 added AD/LDAP password support (instead of static PIN only). It also added Yubico OTP, including keys import using the log file provided by the Yubico Personalization Tool. Synchronization of AD/LDAP users was completely redesigned. This version has been used the 4. November 2014 during a training of the Application Security Forum - Western Switzerland 2014 in Yverdon-les-Bains (Switzerland)[7]
- Version 4.3.1.0 of 9 December 2014 added a special CLI proxy in order to speed up the Raspberry Pi implementation. Generic LDAP support had been added (like Synology and every Linux based implementation). OTP with integrated serial number is now also better supported (in PAP). Starting with this version and if activated, the prefix PIN is also needed when using a scratch password. MULTIOTP_PATH environment variable is now supported in order to define where is the root of multiotp (if a specific implementation cannot detect correctly the root directory of multiotp).
- Version 4.3.1.1 of 15 December 2014 provided a better LDAP and AD support, handling more fields during synchronizations. The multiOTP project is now also available on GitHub.
- Version 4.3.2.2 of 9 June 2015 enhanced some ugly parts (!), added/adapted some default values, allowed the use of minus (-) in the password, enabled by default the autoresync option, handled better the resync during authentication (directly in the class), enabled by default the server cache and cleaned some log information.
- Version 4.3.2.3 of 10 June 2015 was the version presented during the Dev(Talks): 2015 in Bucharest (Romania).[8] This version contained some web GUI improvements.
- Version 4.3.2.4 of 24 June 2015 fixed a bug when special characters were used for scratch password generation. It also automatized the support of multi_account when synchronizing with AD/LDAP.
- Version 4.3.2.5 of 15 July 2015 changed the behavior of the CLI when it's called without parameter, returning now an error code (30) instead of an information (19). Ready to use virtual appliance is now provided in standard OVA format, with open-vm-tools integrated and also in Hyper-V format.
- Version 4.3.2.6 of 18 July 2015 added QRcode generation for mOTP (Mobile-OTP), and a new method is now implemented to read the data of a single user in an array.
- Version 5.0.2.5 of 16 October 2016 added better SSL support, ability to select a specific LDAP/AD attribute to synchronize the accounts, better MS-CHAPv2 support, better repeated password handling, YUbicoOTP private ID is now checked, SSL AD/LDAP compatibility with Windows 2012(R2), better AD/LDAP special chars support (RFC4515), new methods to implement asynchronous activities when data is modified in the backend.
- Version 5.0.2.6 of 4 November 2016 enhanced log messages, updated some external packages and adapted the backup configuration file format in order to be compatible with commercial edition.
- Version 5.0.3.0 of 14 November 2016 added Dial-In IP address support (including the synchronisation with the Active Directory msRADIUSFramedIPAddress attribute), enhanced token importation process with binary encryption key support.
- Version 5.0.3.4 of 26 January 2017 enhanced the AD/LDAP synchronisation process for huge AD/LDAP directories by using by default disk caching in the system temporary folder. Several CLI commands can now be done at once. Multiple groups per user is now supported (warning, not all devices support multiple group). The default proposed TOTP/HOTP generator is now FreeOTP (for Android/iOS). Multiple purpose tokens provisioning format PSKCV10 is now supported.
- Version 5.0.3.5 of 3 February 2017 fixed some bugs and add the GetUserInfo method.
- Version 5.0.3.6 of 21 February 2017 added the support of base32 and raw binary for SetUserTokenSeed and SetTokenSeed methods. The restoreCOnfiguration method has been updated.
- Version 5.0.3.7 of 23 February 2017 added some minor enhancements like trimming the group names and handling the Linux folder mode.
- Version 5.0.4.4 of 16 May 2017 enhanced the rejection policy with out incrementing the error counter for the same replayed token.
- Version 5.0.4.5 of 29 May 2017 added PostgreSQL support, based on source code provided by Frank van der Aa
- Version 5.0.4.6 of 2 June 2017 redefined with Linux the location of the config, devices, groups, tokens and users folders to be always located in /etc/multiotp/
- Version 5.0.4.8 of 6 June 2017 fixed SSL/TLS LDAP failed connection for PHP 7.x
- Version 5.0.4.9 of 7 July 2017 fixed some minor bugs and added some TLS configuration methods.
- Version 5.0.5.0 of 8 September 2017 removed the use of the nircmd.exe tool due to false virus detection
- Version 5.0.5.2 of 29 September 2017 defined the default mOTP generator for Android/iOS to OTP Authenticator
- Version 5.0.5.6 of 4 November 2017 enhanced the FreeRADIUS 3.x documentation and fixed some minor bugs
- Version 5.1.0.3 of 19 February 2018 added expired AD/LDAP password support and better unicode handling. Some enhancements for multiOTP Credential Provider (for Windows) has been done too.
- Version 5.1.0.8 of 5 March 2018 enhanced the multiOTP Credential Provider and it's now possible to use registry entries. It fix also the "receive an OTP by SMS" link for Windows 10
- Version 5.1.1.2 of 20 March 2018 provided the first Dockerfile to create a full multiOTP open source server docker
- Version 5.2.0.2 of 16 July 2018 enhanced AD/LDAP support for huge Active Directory, and added Users DN option (which is optional, otherwise Base DN is still used to search users)
- Version 5.3.0.0 of 21 August 2018 added multiple "Users DN" (separated by semicolumn) for AD/LDAP synchronization (with additional synchronization debug messages) and a new "without2FA" algorithm if some users just want the prefix password without tokens
- Version 5.3.0.1 of 22 August 2018 added some monitoring fields to have more information about the synchronization process
- Version 5.3.0.3 of 26 August 2018 fixed the restore process in command line edition and enhanced the client/server process
- Version 5.4.0.1 of 14 September 2018 fixed the compatibility mode of the Windows radius server component during installation
- Version 5.4.0.2 of 13 November 2018 enhanced import of PSKC definition files with binary decoding key file and added the support for several SMS provider (Swisscom LA REST, Afilnet, Clickatell2, eCall, Nexmo, NowSMS, SMSEagle and custom SMS)
- Version 5.4.1.1 of 7 January 2019 added Raspberry Pi 3B+ support
- Version 5.4.1.4 of 18 January 2019 added Debian 9.x (stretch) support
- Version 5.4.1.6 of 25 January 2019 fixed a NTP DHCP option problem
- Version 5.4.1.7 of 30 January 2019 changed the QRcode generation library and provided a new Raspberry Pi binary image ready to used for Raspberry Pi 1B/1B+/2B/3B/3B+
Features
For Windows, the multiOTP library is provided with a pre-configured RADIUS server (freeradius) which can be installed as a service. A pre-configured web service (based on mongoose) can also be installed as a service and is needed if we want to use the multiOTP library in a client/server configuration. Under Linux, the readme.txt file provided with the library indicates what should be done in order to configure the RADIUS server and the web service. All necessary files and instructions are also provided to make a strong authentication device using a Raspberry Pi nano-computer. Since version 4.3.2.5, ready to use virtual appliance is provided in standard OVA format, with open-vm-tools integrated and also in Hyper-V format. The client can strongly authenticate on an application or a device using different methods:
- software tokens (like Google Authenticator)
- hardware tokens (any OATH/HOTP and OATH/TOTP certified token, like NagraID tokens, and some other non-certified but compatible tokens, like Feitian C200 time based tokens)
- code sent per SMS (since version 4.0.4)
- scratch passwords list (since version 4.0.4)
- YubiKey in proprietary Yubico OTP mode (since version 4.3)
- without2FA for accounts that doesn't nedd strong authentication (since 5.3)
Standardization and normalization
multiOTP is OATH certified for HOTP and TOTP and supports currently the following algorithms and RFC's:
- HOTP, HMAC-Based One-Time Password Algorithm (RFC4226)
- TOTP, Time-Based One-Time Password Algorithm (RFC6238)
- Yubico OTP
- mOTP, Mobile-OTP, strong, two-factor authentication with mobile phones
- Google Authenticator (OATH/HOTP or OATH/TOTP, base32 seed, QRcode provisioning)
- SMS tokens (using aspsms, clickatell, intellisms, or even your own script)
- PSKC (Additional Portable Symmetric Key Container Algorithm Profiles) (RFC6030)
- CHAP (Challenge Handshake Authentication Protocol) (RFC1994)
- MS-CHAP (Microsoft PPP CHAP Extensions) (RFC2433)
- MS-CHAPv2 (Microsoft PPP CHAP Extensions, Version 2) (RFC2759)
- Syslog Protocol (client) (RFC5424)
- SMTP (Simple Mail Transfer Protocol) (RFC2821)
- SMTP Service Extension for Secure SMTP over TLS (RFC2487)
Scope of the class
The multiOTP class provides strong authentication functionalities and can be used in different strong authentication situations:
- adding a strong authentication in order to identify a user (to avoid static password)
- fixing a hardware token at a specific place, and be sure that somebody was there at a specific time (the token code displayed to the user at the specific time will give information about where it was displayed)
- authenticating a user by sending him a code through SMS, which will validate automatically the mobile phone number of the user.
- creating automatically strong authentication accounts for users present in a specific group of the Active Directory (or LDAP).
Several free projects use the library:
- Since November 2016, the multiOTP team provides an up-to-date Credential Provider for Windows 7/8/8.1/10/2012(R2)/2016, with options like RDP only and UPN name support, called multiOTP Credential Provider,[9] based on the MultiOneTimePassword Credential Provider[10] created by Last Squirrel IT.
- ownCloud OTP[11] is a One Time Password app based on the multiOTP class that add strong authentication to the OwnCloud project, an open source Dropbox alternative.
- 2FA Credential Provider for Windows[12] is another strong authentication Credential Provider for Windows Login using the multiOTP library.
- The multiOTP class has been used as a learning tool in security demonstrations[13] and a Bachelor thesis[14]
See also
References
- "multiOTP PHP class: Authenticate and manage OTP strong user tokens". PHPclasses/Icontem. Retrieved 30 October 2013.
- "Application Security Forum - Western Switzerland 2011". Application Security Forum - Western Switzerland. Retrieved 30 October 2013.
- "ASF-WS 2011 Feitian token seed request". SysCo systèmes de communication sa. Retrieved 30 October 2013.
- "Application Security Forum - Western Switzerland 2013". Application Security Forum - Western Switzerland.
- "Studerus Technology Forum - TEFO'13". Studerus. Archived from the original on 2013-12-26. Retrieved 2013-12-25.
- "Passwords^13". PasswordsCon.
- "Application Security Forum - Western Switzerland 2014". Application Security Forum - Western Switzerland.
- "Dev(Talks): 2015". Catalyst (hipo.ro).
- "multiOTP Credential Provider". multiOTP team. Retrieved 1 February 2019.
- "MultiOneTimePassword Credential Provider". Last Squirrel IT. Retrieved 28 July 2015.
- "One Time Password Backend for ownCloud". apps.ownCloud.com Team. Retrieved 30 October 2013.
- "2FA Credential Provider for Windows". Fluid Technology Solutions Ltd. Archived from the original on 2 October 2013. Retrieved 30 October 2013.
- "Strong Authentication in Web Application - State of the Art 2011" (PDF). Compass Security AG. Retrieved 30 October 2013.
- "One-time passwords Bachelor thesis (in Czech)". University of Economics, Prague. Retrieved 30 October 2013.