multiOTP is an open source PHP class, a command line tool and a web interface that can be used to provide an operating system independent strong authentication system. multiOTP is OATH certified since version 4.1.0 and is developed under the LGPL license. Starting with version 220.127.116.11, multiOTP open source is also available as a virtual appliance - as a standard OVA file, a customized OVA file with open-vm-tools, and also as an Hyper-V downloadable file.
Spyware, viruses and other hacking technologies or bugs (like Heartbleed) are regularly used to obtain stolen passwords typed by the user. If a strong two factor authentication system is used, the stolen passwords cannot be stored and later used because each password (called OTP for One Time Passwords) is only valid for one authentication session and will fail if used a second time.
multiOTP is a PHP class library. The class can be used with any PHP application using a PHP version of 5.3.0 or higher. The multiOTP library is provided as an all-in-one self-contained file that requires no other includes. If the strong authentication needs to be done from a hardware device instead of an Internet application, a request will go through a RADIUS server which will call the multiOTP command line tool. The implementation is light enough in order to work on limited computers, such as the Raspberry Pi.
- Version 1.0.0 of the 7. June 2010 was only a basic command line tool called otpauth, already written PHP. The tool has been renamed to multiotp in version 1.1.4 some days later in order to avoid confusion with another project with the same name.
- Version 2.0.0 of 19. July 2010 has been completely rewritten as a PHP class, and the command line tool became an implementation of the class. Under Windows operating systems, the command line tool exists as an executable file including in one file the source code and the PHP interpreter. This version received the phpclasses.org Innovation Award in August 2010.
- Version 3.0.0 of 2. September 2010 allowed PSKC unencoded provisioning files import and the internal structure had been improved.
- Version 3.1.1 of 19. December 2010 allowed data storage in a MySQL backend database.
- Version 3.2.0 of 6. July 2011 allowed to authenticate with a generic account and by passing the specific user and the password in the password field (useful if the library is used with a Windows authentication which needs a specific user).
- Version 3.9.2 of 25. October 2011 is the version that was released for the workshop about integrating strong authentication in Internet applications. This workshop was presented during the Application Security Forum - Western Switzerland 2011 in Yverdon-les-Bains (Switzerland). The library has also been used to validate and distribute the seed of the tokens given by Feitian, the sponsor of the event. Each participant had to give an email address, a mobile phone number, a token serial number and the OTP code displayed on the token, than an encrypted email was sent to the participant and the encryption key was sent by SMS.
- Version 4.0.7 of 30. August 2013 added a lot of enhancements, like a client/server feature with a local cache storage of the definition files of the used tokens, a completely new implementation of the MySQL support (including database tables creation and update), CHAP authentication (in addition to PAP authentication), QRcode generation for direct provisioning in Google Authenticator, fast creation of a user in a single command, ...
- Version 4.0.9 of 22. September 2013 was an intermediate release that has been used to demonstrate the concept of strong authentication in several forums like a Rump Session during the Application Security Forum - Western Switzerland 2013 in Yverdon-les-Bains (Switzerland) and 45 minutes talk during the Studerus Technology Forum (TEFO) 2013 in Zürich (Switzerland).
- Version 4.1.0 of 23. December 2013 is OATH certified for HOTP and TOTP, which means full compatibility with certified hardware tokens, including encrypted PSKC provisioning files. This beta version has been used for a 30 minutes talk during the PasswordsCon 2013 in Bergen (Norway). Instructions and all necessary files to build a strong authentication server device on a Raspberry Pi nano-computer are included. Self-registration of unattributed hardware tokens and automatic resync/unlock during authentication have also been added, and a basic web interface is now also available.
- Version 4.1.1 of 20. January 2014 provided some bug fixes and a better support of Microsoft Authenticator. Resyncing a token (using two consecutive OTP) didn't need the PIN code anymore.
- Version 4.2.0 of 7. February 2014 supported MS-CHAP and MS-CHAPv2 protocols.
- Version 4.2.1 of 14. February 2014 added Active Directory / LDAP support in order to create accounts based on users present in a particular group.
- Version 4.2.2 of 3. March 2014 provided an enhanced web interface in order to import hardware tokens, create accounts, synchronize tokens or unlock accounts. An extended support of TekRADIUS was added in order to send back some particular informations, which is useful for MS-CHAP or MS-CHAPv2 connections.
- Version 4.2.3 of 13. March 2014 fixed a bug with the send back to TekRADIUS.
- Version 4.2.4 of 30. March 2014 enhanced MySQL backend support and added mysqli support. Since this version, it is also possible to define in configuration file which fields must be encrypted or not. Some external classes have been updated or replaced, and a lot of new QA tests have been added, both for PHP class and command line versions.
- Version 18.104.22.168 of 6. April 2014 added NT_KEY support (for FreeRADIUS further handling, like VPN key generation). It is now also possible to import tokens based on a simple CSV file (serial_number;manufacturer;algorithm;seed;digits;interval_or_event). The new option -user-info has also been added, and some bug fixes have been done too.
- Version 22.214.171.124 of 13. April 2014 consolidated XML handling with one single library for the whole project. It also fixed a possible bug concerning tokens import based on a simple CSV file.
- Version 126.96.36.199 of 12. June 2014 fixed a bug with the SMS provider aspsms.
- Version 188.8.131.52 of 4. November 2014 added AD/LDAP password support (instead of static PIN only). It also added Yubico OTP, including keys import using the log file provided by the Yubico Personalization Tool. Synchronization of AD/LDAP users was completely redesigned. This version has been used the 4. November 2014 during a training of the Application Security Forum - Western Switzerland 2014 in Yverdon-les-Bains (Switzerland)
- Version 184.108.40.206 of 9. December 2014 added a special CLI proxy in order to speed up the Raspberry Pi implementation. Generic LDAP support had been added (like Synology and every Linux based implementation). OTP with integrated serial number is now also better supported (in PAP). Starting with this version and if activated, the prefix PIN is also needed when using a scratch password. MULTIOTP_PATH environment variable is now supported in order to define where is the root of multiotp (if a specific implementation cannot detect correctly the root directory of multiotp).
- Version 220.127.116.11 of 15. December 2014 provided a better LDAP and AD support, handling more fields during synchronizations. The multiOTP project is now also available on GitHub.
- Version 18.104.22.168 of 9. June 2015 enhanced some ugly parts (!), added/adapted some default values, allowed the use of minus (-) in the password, enabled by default the autoresync option, handled better the resync during authentication (directly in the class), enabled by default the server cache and cleaned some log information.
- Version 22.214.171.124 of 10. June 2015 was the version presented during the Dev(Talks): 2015 in Bucharest (Romania). This version contained some web GUI improvements.
- Version 126.96.36.199 of 24. June 2015 fixed a bug when special characters were used for scratch password generation. It also automatized the support of multi_account when synchronizing with AD/LDAP.
- Version 188.8.131.52 of 15. July 2015 changed the behavior of the CLI when it's called without parameter, returning now an error code (30) instead of an information (19). Ready to use virtual appliance is now provided in standard OVA format, with open-vm-tools integrated and also in Hyper-V format.
- Version 184.108.40.206 of 18. July 2015 added QRcode generation for mOTP (Mobile-OTP), and a new method is now implemented to read the data of a single user in an array.
- Version 220.127.116.11 of 16. October 2016 added better SSL support, ability to select a specific LDAP/AD attribute to synchronize the accounts, better MS-CHAPv2 support, better repeated password handling, YUbicoOTP private ID is now checked, SSL AD/LDAP compatibility with Windows 2012(R2), better AD/LDAP special chars support (RFC4515), new methods to implement asynchronous activities when data is modified in the backend.
- Version 18.104.22.168 of 4. November 2016 enhanced log messages, updated some external packages and adapted the backup configuration file format in order to be compatible with commercial edition.
- Version 22.214.171.124 of 14. November 2016 added Dial-In IP address support (including the synchronisation with the Active Directory msRADIUSFramedIPAddress attribute), enhanced token importation process with binary encryption key support.
- Version 126.96.36.199 (currently in beta) enhanced the AD/LDAP synchronisation process for huge AD/LDAP directories by using by default disk caching in the system temporary folder.
For Windows, the multiOTP library is provided with a pre-configured RADIUS server (freeradius) which can be installed as a service. A pre-configured web service (based on mongoose) can also be installed as a service and is needed if we want to use the multiOTP library in a client/server configuration. Under Linux, the readme.txt file provided with the library indicates what should be done in order to configure the RADIUS server and the web service. All necessary files and instructions are also provided to make a strong authentication device using a Raspberry Pi nano-computer. Since version 188.8.131.52, ready to use virtual appliance is provided in standard OVA format, with open-vm-tools integrated and also in Hyper-V format. The client can strongly authenticate on an application or a device using different methods:
- software tokens (like Google Authenticator)
- hardware tokens (any OATH/HOTP and OATH/TOTP certified token, like NagraID tokens, and some other non-certified but compatible tokens, like Feitian C200 time based tokens)
- code sent per SMS (since version 4.0.4)
- scratch passwords list (since version 4.0.4)
- YubiKey in proprietary Yubico OTP mode (since version 4.3)
Standardization and normalization
multiOTP is OATH certified for HOTP and TOTP and supports currently the following algorithms and RFC's:
- HOTP, HMAC-Based One-Time Password Algorithm (RFC4226)
- TOTP, Time-Based One-Time Password Algorithm (RFC6238)
- Yubico OTP
- mOTP, Mobile-OTP, strong, two-factor authentication with mobile phones
- Google Authenticator (OATH/HOTP or OATH/TOTP, base32 seed, QRcode provisioning)
- SMS tokens (using aspsms, clickatell, intellisms, or even your own script)
- PSKC (Additional Portable Symmetric Key Container Algorithm Profiles) (RFC6030)
- CHAP (Challenge Handshake Authentication Protocol) (RFC1994)
- MS-CHAP (Microsoft PPP CHAP Extensions) (RFC2433)
- MS-CHAPv2 (Microsoft PPP CHAP Extensions, Version 2) (RFC2759)
- Syslog Protocol (client) (RFC5424)
- SMTP (Simple Mail Transfer Protocol) (RFC2821)
- SMTP Service Extension for Secure SMTP over TLS (RFC2487)
Scope of the class
The multiOTP class provides strong authentication functionalities and can be used in different strong authentication situations:
- adding a strong authentication in order to identify a user (to avoid static password)
- fixing a hardware token at a specific place, and be sure that somebody was there at a specific time (the token code displayed to the user at the specific time will give information about where it was displayed)
- authenticating a user by sending him a code through SMS, which will validate automatically the mobile phone number of the user.
- creating automatically strong authentication accounts for users present in a specific group of the Active Directory (or LDAP).
Several free projects use the library:
- Last Squirrel IT is using the multiOTP class to propose a free and open source strong authentication Credential Provider for Windows Login called MultiOneTimePassword Crendential Provider.
- ownCloud OTP is a One Time Password app based on the multiOTP class that add strong authentication to the OwnCloud project, an open source Dropbox alternative.
- 2FA Credential Provider for Windows is another strong authentication Credential Provider for Windows Login using the multiOTP library.
- The multiOTP class has been used as a learning tool in security demonstrations and a Bachelor thesis