KeyIdentity LinOTP 2.10.1 released

On October 17th we released LinOTP 2.10.1 to the repositories.

LinOTP 2.10.1

KeyIdentity GmbH is pleased to announce the availability of the following product release:

LinOTP 2.10.1 introduces many improvements, new features, cleanups and bug fixes. The list below provides details of the most important changes. Please also refer to the complete changelog at the end of this newsletter.

Highlights:

  • New Feature: RestSMSProvider

This new SMSProvider enables LinOTP to submit SMS messages to any SMS provider (e.g. CLX Communication) that supports a REST API based on a JSON payload. Details about the configuration can be found here: http://linotp.org/doc/latest/part-management/smsprovider.html#restsmsprovider http://linotp.org/doc/latest/part-management/smsprovider.html#id4

Download

LinOTP 2.10.1 is available as Debian and RPM packages from www.linotp.org. Ubuntu packages are available from our PPA on Launchpad. Users of the KeyIdentity LinOTP Smart Virtual Appliance will receive LinOTP 2.10.1 via the integrated auto-update mechanism.

We are happy to assist our support customers in upgrading their environment to the latest release. Please contact us at support@keyidentity.com

The KeyIdentity LinOTP team

--
KeyIdentity GmbH
https://www.keyidentity.com
Robert-Koch-Straße 9, 64331 Weiterstadt
Germany

Sales Hotline: +49 6151 86086-277, Fax: -299
Email: sales@keyidentity.com
Registered Office: Weiterstadt, Amtsgericht Darmstadt: HRB8649
Board of Directors: Nils Manegold, Dr. Amir Alsbih

Changelog LinOTP 2.10.1


Server changes:
  • Server: LDAPUserIdResolver failover: stay with working LDAP servers for an incrementing time before retrying the connection to the first server
  • Server: Add charset/collate clauses to database generation commands: ensures compatibility with recent versions of MariaDB
  • Server: New policy 'forward_on_no_token' to support forwarding of request to remote server if user has no token
  • Server: Allow configuration of the challenge prompt via system/setConfig?SMS_CHALLENGE_PROMPT=MESSAGE
  • Server: New policy 'enforce_smstext' to ignore request param data
  • Server: Support to configure HTTP headers in Rest SMS Provider
API changes:
  • API: Show token enrollment status in userservice/usertokenlist
  • API: Support check_status without user parameter
Web UI changes:
  • Web UI: Add timezone entry to token info dialog
  • Web UI: Update visuals for manage token info
Selfservice changes:
  • Selfservice Portal: Support optional landing page for selfservice portal
  • Selfservice Portal: Show token description in selfservice portal
Bug Fixes:
  • Server: Fix LDAPUserIdResolver failover
  • Server: Search token list with userPrincipalName
  • Server: Fix RADIUS Forward Token
  • Server: otppin=ignore_pin now works alternatively to otppin=3
  • Server: LinOTP server now handles forward proxy definition correctly
  • Server: Fix storing of timeout tuples within the DefaultPushProvider
  • Server: Fix backend for setExpiration UI dialog which failed in some cases
  • Server: Provide error message if update of a license key was failing
  • Server: Set default time zone to make time based tokens work in all setups
  • Server: Support for SQLUserIdResolvers where the user id is defined as int. This fixes actions in the selfservice portal.
  • Web UI: Default for splitAtSign is now correctly displayed in the UI

KeyIdentity LinOTP 2.10 released

On January 15th we released LinOTP 2.10 to the repositories.

LinOTP 2.10

KeyIdentity GmbH is pleased to announce the availability of the following product release:

LinOTP 2.10 introduces many improvements, new features, cleanups and bug fixes. The list below provides details of the most important changes. Please also refer to the complete changelog at the end of this newsletter.

Highlights

  • New Feature: Voice Token

LinOTP 2.10 is the first release to include support for Voice Tokens. Thus, in addition to the already known challenge-response tokens (e.g. KeyIdentity's Push Token, SMS Token), it provides another barrier-free way to deliver OTPs to users.

Currently Twilio is supported as Voice Token Provider. The Voice Token requires a dedicated Voice Challenge Service which is made available to customers by KeyIdentity GmbH. Documentation for the Voice Token can be found here: Voice Token.

Details about the Voice Challenge Service can be obtained from support@keyidentity.com.

  • New Feature: Securing the Selfservice Portal with MFA

The Selfservice Portal can be additionally protected with MFA. This is particularly useful for environments where the Selfservice Portal is exposed to the Internet. The MFA feature is configurable and allows existing workflows to be retained with additional security.

Details can be found here: MFA Selfservice Portal.

  • Improvements: KeyIdentity Push Token

LinOTP 2.10 improves the functionality of KeyIdentity's Push Token. A dedicated Challenge Service is introduced. This service allows the separation of the external communication with the user's mobile and the sensitive data stored in LinOTP. The updated KeyIdentity Authenticator Apps for iOS and Android can now actively query existing challenges of the user. This makes transaction validation more reliable. The Challenge Service and comprehensive documentation are provided by KeyIdentity GmbH and can be obtained from support@keyidentity.com.

  • Token Validity

The number of uses and the expiry date of tokens can be limited. Starting with LinOTP 2.10 these limits can be configured conveniently via the web GUI (token management), e.g. by help desk personnel. This is useful, for example, to enroll temporary tokens for visitors. More information can be found here: Token Validity.

Download

LinOTP 2.10 is available as Debian and RPM packages from www.linotp.org. Ubuntu packages are available from our PPA on Launchpad. Users of the KeyIdentity LinOTP Smart Virtual Appliance will receive LinOTP 2.10 via the integrated auto-update mechanism.

We are happy to assist our support customers in upgrading their environment to the latest release. Please contact us at support@keyidentity.com

The KeyIdentity LinOTP team


Changelog LinOTP 2.10

Token Changes:
  • Introduce new token: Voice Token
  • Enhance Push Token (incompatible with previous Push Token version)
Server Changes:
  • Adjust default transactionId length to 17
  • Implement explicit-deny for push token
  • Add token type specific enrollment limits
  • Support loading provider via configuration in linotp.ini
  • Enable new policy engine by default
  • Moved tokens to new location in src tree
  • Support shorter lost token duration (days, hours, and minutes added)
  • Autoassign a token if a request arrives with only username (without password)
  • Document the otppin policy 3 (ignore_pin) in the policy UI
  • Removed IE compatibility mode from templates
  • Take the already stored mobile number of a token owner (available from UserIdResolver) if it exists, otherwise take the number stored in the token info
  • Autoassignment without password
  • OATH csv import with sha256 + sha512
Web UI Changes:
  • Add Auth Demo pages for challenge-response and push token
  • /auth/challenge-response
  • /auth/pushtoken
  • Add expiration dialog for tokens
  • Refactor dialog button icon generation
  • Performance improvement by removing mouseover effects on Manage-UI
  • Extract custom form validators into separate files
  • Removed IE compatibility mode from templates
  • Update favicon to follow company rename
  • Add UI in manage and Selfservice for "static password" token
  • Improved Selfservice login with MFA support
Bug Fixes:
  • Server: Fix evaluation of forward policy to match most specific user definition
  • Server: Fix password comparison of password token
  • Server: Adjust location of token makos for translation
  • Server: Fix typo in getUserFromRequest in case of basic auth
  • Server: Fix missing 'serial' for audit and policy check in selfservice.enroll
  • Server: Fix for loading active token modules
  • Server: On LDAP test connection always close dialog
  • Server: Fix encoding error that prevented Token View from being displayed in the web interface.
  • Server: Fix challenge validation to check only one request at a time. Prevent (positive) double authentication with the same transaction ID and OTP.
    This used to happen when a user submitted the OTP for a transaction ID more than once within a very short timeframe
  • Server: Fix for missing LDAP UTF-8 conversion
  • Server: Fix default hash algorithm. This was causing issues in the YubiKey import
  • Server: Fix wrong audit log entries where "failcounter exceeded" was incorrectly being replaced with "no token found"
  • Server: Fix QRToken to use the tan length defined at enrollment
  • Server: Fix password and lost token password comparison
  • Server: Fix to show deactivated policies in Manage UI again.
  • Server: Fix for better user/owner comparison
  • Server: Fix to show inactive policies
  • Server: Fix import of policies with empty realm
  • Server: Verify that only active policies are used
  • Server: Fix for policy export to export inactive too
  • Server: Fix for target realm handling on token import
  • Server: Fix select only active policies for admin policies
  • Server: Fix getResolverClassName
  • Web UI: Fix UI crash check if backend response is array in ldap testconnection
  • Selfservice: Fix QR token enrollment and activation

KeyIdentity LinOTP 2.9.1 released

On February 15th we released LinOTP 2.9.1 to the repositories.

LinOTP 2.9.1

KeyIdentity GmbH is pleased to announce the availability of the following product release:

LinOTP 2.9.1 introduces many improvements, small features, cleanups and bug fixes. The highlights are the implementation of the KeyIdentity Push Token, a new caching functionality to significantly speed up performance for UserIdResolvers and the switch to StartTLS by default to improve the connection security to LDAP UserIdResolvers.

The list below provides details of the most important changes. Please also refer to the complete changelog at the end of this newsletter.

Highlights

  • New Feature: KeyIdentity Push Token

LinOTP 2.9.1 is the first release to include support for the KeyIdentity Push Token to secure logins and transactions while providing a high level of usability on Android and iOS.
Based on the established cryptographic principles of the QRToken we improved the workflows of the authentication process while conserving a high level of security. It utilizes the native push mechanisms of Android and iOS for the highest level of compatibility based on the KeyIdentity Authenticator.

Please contact us for more information and about details on how to integrate the KeyIdentity Push Token in your setup.

  • New Feature: Caching for LDAP UserIdResolvers

The new caching feature is designed to improve the performance of LinOTP significantly in environments with a large number of users, complex realm setups and slow UserIdResolvers. Details about the configuration can be found at Caching-Feature.

  • New Feature: StartTLS by default

LinOTP 2.9.1 switches to StartTLS by default in order to secure the communication with LDAP UserIdResolvers in environments without a LDAPS infrastructure. Please have a look at StartTLS for details.

Download

LinOTP 2.9.1 is available as Debian and RPM packages from www.linotp.org. Ubuntu packages are available from our PPA on Launchpad. Users of the KeyIdentity LinOTP Smart Virtual Appliance will receive LinOTP 2.9.1 via the integrated auto-update mechanism after February 20th 2017.

Note

With LinOTP 2.9.1 large parts of the LDAP UserIdResolver code were rewritten and the default for StartTLS has changed. Although LinOTP 2.9.1 has been tested thoroughly by KeyIdentity, we recommend setting up LinOTP 2.9.1 in a staging environment before putting it into production.

We are happy to assist our support customers in upgrading their environment to the latest release. Please contact us at keyidentity@keyidentity.com

The KeyIdentity LinOTP team


Changelog LinOTP 2.9.1

Enhancements
  • Server: New token type: KeyIdentity PushToken
  • Server: Add optional caching of resolver lookups
  • Server: Show welcome and update screens
  • WebUI: Add dialog for duplicating resolvers
  • WebUI: Better password handling in resolver dialogs
  • Reporting: Add paging and CSV output for reporting/show
  • API: Use semicolon as CSV column separator by default
  • UserIdResolver: Add StartTLS support
Bug Fixes
  • Server: Fix remote token
  • Server: Fix evaluating policies for non-existent realms
  • API: Don't localize monitoring json output
  • SMPPSMSProvider: Fix encoding issues for non-ascii characters
  • WebUI: Alert in realm dialog if no resolvers are selected

Hackathon 2FA

Science and practice show: passwords are no good! On the contrary, they are one of the main causes of the successful compromise of user accounts or entire systems. Users often choose weak passwords, crackers steal complete user databases that may contain passwords that are not encrypted at all or only clumsily encrypted, and malware that captures even the best password is becoming ever more sophisticated. Phishing, above all targeted "spear phishing", is also a major problem in practice.

Our answer at KeyIdentity GmbH is LinOTP. LinOTP (https://linotp.org) is a powerful and flexible open-source solution for two-factor authentication with which traditional passwords can be replaced or supplemented by additional mechanisms. These include, for example, hardware tokens or authentication solutions based on mobile apps. LinOTP offers a convenient API for integration into existing applications.

We know: authentication has to become more secure. For this reason we are holding a hackathon at which you can increase the security of your applications with LinOTP. Network with others, and let us make our applications more secure together and break the paradigm "Pick a password as complex as possible that you cannot remember, and do not write it down anywhere".

We invite you to join us on December 3rd, 2016 at the premises of KeyIdentity GmbH in Weiterstadt. We will provide pizza and drinks and help you integrate LinOTP into your software via the API.

Learn how easy it is to secure your applications, get free help, network with one another and simply have a great day! To help us plan, please register by e-mail at: hackathon@keyidentity.com


LSE LinOTP 2.9 released

On August 15th we released LinOTP 2.9 to the repositories.

LinOTP 2.9

LSE Leading Security Experts GmbH is pleased to announce the availability of LinOTP 2.9.

LinOTP 2.9 is one of our biggest releases, with over 500 commits introducing many improvements, small features, cleanups and bug fixes. The highlights are the preparation for offline authentication utilizing our new QRToken, the new Reporting API and the extended SMS and e-mail provider configuration.

Highlights

  • New Feature: Offline Authentication

LinOTP 2.9 introduces the next generation of our QR-code-based soft token. It will be complemented in the next weeks by the releases of our LinOTP Authentication Providers for the Microsoft Windows operating system and of the LinOTP mobile apps, allowing for integrated and secure Offline Authentication with high usability in addition to the traditional secure, transaction-based authentication.

  • New Feature: Reporting API

To allow for integration into reporting environments and to simplify the accounting in multi-tenant environments LinOTP provides a new powerful reporting API to collect information like the number of current active tokens and the highest number of tokens over time for certain realms.

  • New Feature: Realm specific SMS Providers

LinOTP 2.9 supports the management of multiple SMS and e-mail providers. These providers make it possible to specify SMS or e-mail settings for different customers, realms or users in a diverse LinOTP environment.

Download

LinOTP 2.9 is available as Debian and RPM packages from linotp.org. Ubuntu packages are available from our PPA on Launchpad. Users of the LSE LinOTP Smart Virtual Appliance will receive LinOTP 2.9 via the integrated auto-update mechanism after August 16th 2016.

The LSE team would be pleased to answer any questions you may have about LinOTP 2.8.1.3 and assist upgrading your environment to the latest release at support@lsexperts.de

The LSE LinOTP team


Changelog LinOTP 2.9

Enhancements
  • Server: Add support for offline authentication
  • Server: Add QRToken
  • Server: Add forwarding token
  • Server: Add reporting controller
  • Server: Add support for multiple SMS/e-mail providers
  • Server: Add support for long config values
  • Server: Add issuer label to OATH tokens
  • Server: Allow one-time simplepass tokens
  • Server: Allow multiple users with same username in one realm
  • Server: Support migration of resolvers for assigned tokens
  • Server: Add authorization policies for monitoring controller
  • Server: Allow named otppin policies ('token_pin', 'password' and 'only_otp')
  • Server: Add SSL/TLS abilities to SMTPSMSProvider
  • UserIDResolver: Add class registry and class aliases
  • WebUI: Slightly polished look and feel
Bug Fixes
  • WebUI: Hide 'Get OTP' button if getotp is deactivated in config
  • WebUI: Several bug fixes in different dialogs and elements
  • Server: Fix generating transactionids which failed in rare circumstances
  • Server: Handle timestamp rounding instead of truncating in MySQL 5.6
  • Server: Do not copy old PIN on lost simplepass token
  • Packaging: Remove debconf entry 'linotp/generate_enckey'
  • WebUI: Validate resolver configuration on resolver definition
  • WebUI: Alert in realm dialog if no resolvers are selected

LSE LinOTP 2.8.1.3 released

On July 30th we released LinOTP 2.8.1.3 to the repositories.

LinOTP 2.8.1.3

LSE Leading Security Experts GmbH is introducing LinOTP 2.8.1.3, the latest patch release of its vendor independent solution for adaptive multi-factor and 2-factor authentication.

Download

LinOTP 2.8.1.3 is available as Debian and RPM (Red Hat/CentOS) packages from linotp.org. Ubuntu packages are available from our PPA on Launchpad. It can also be obtained via the Python Package Index (PyPI). Users of the LSE LinOTP Smart Virtual Appliance will receive LinOTP 2.8.1.3 via the integrated update mechanism.

The LSE team would be pleased to answer any questions you may have about LinOTP 2.8.1.3 and assist upgrading your environment to the latest release at support@lsexperts.de

The LSE LinOTP team

--
LSE Leading Security Experts GmbH
Robert-Koch-Straße 9, 64331 Weiterstadt, DE
Sales Hotline: +49 6151 86086-277, Fax: -299
Registered Office: Weiterstadt, Amtsgericht Darmstadt: HRB8649
Board of Directors: Nils Manegold, Oliver Michel, Arved Graf von Stackelberg, Sven Walther

Changelog:

LinOTP:

  • Server: Fix pin handling in email token

LSE LinOTP 2.8.1.2 released

On July 21st we released LinOTP 2.8.1.2 to the repositories.

LinOTP 2.8.1.2

LSE Leading Security Experts GmbH is introducing LinOTP 2.8.1.2, the latest patch release of its vendor independent solution for adaptive multi-factor and 2-factor authentication.

Download

LinOTP 2.8.1.2 is available as a Debian package from linotp.org. Ubuntu packages are available from our PPA on Launchpad. It can also be obtained via the Python Package Index (PyPI). Users of the LSE LinOTP Smart Virtual Appliance will receive LinOTP 2.8.1.2 via the integrated update mechanism.

The LSE team would be pleased to answer any questions you may have about LinOTP 2.8.1.2 and assist upgrading your environment to the latest release at support@lsexperts.de

The LSE LinOTP team

Changelog:

LinOTP:

Enhancements:

  • Server: Add support for demo licenses

Bug Fixes:

  • Selfservice: Fix setting tokenlabels
  • Server: Set the first created realm as default realm
  • Server: Fix admin/show using a serial number and an active admin policy containing a wildcard
  • Server: Fix import of policies missing scope or action
  • Server: Fix license import using IE
  • Server: Fix license decline under certain conditions (available since 2.8.1.1)

LSE LinOTP 2.8.1 released

On Apr 5th we released LinOTP 2.8.1 to the repositories.

LinOTP 2.8.1

LSE Leading Security Experts GmbH is introducing LinOTP 2.8.1, the latest version of its vendor independent solution for adaptive multi-factor and 2-factor authentication and OTP processes (OTP: one time passwords). LSE is now offering its latest LinOTP version in Spanish, French, Italian, and simplified Chinese in addition to the previously available English and German. In addition to the expanded available languages, LinOTP 2.8.1 has new features for monitoring and improved capabilities for server migration and complex setups. The improved user filters and support for HSM (hardware security module) migrations are also new. With the additional languages, LSE has consistently continued to internationalise the LinOTP product line. The larger selection of available languages applies to both the self-service user portal as well as the management interfaces.

Highlights:

  • New Feature: Additional Languages

LSE has consistently continued to internationalise the LinOTP product line. The larger selection of available languages applies to both the self-service user portal as well as the management interfaces.

  • New Feature: Monitoring

LSE is introducing a new API for monitoring internal LinOTP processes with LinOTP 2.8.1. This provides, for example, information on the statistics and the status of the tokens, the status of the HSM (hardware security module) encoding, and the status of the UserIDResolver with configurable permissions.

  • New Feature: Improved User Filters

Today's enterprise environments require a differentiated approach to user policy management. LinOTP 2.8.1 adds options for managing the configurations and policies based on user groups, user attributes, and regular expressions. This considerably simplifies detailed and complex permission scenarios in the setup.

  • New Feature: SMPPSMSProvider

LinOTP now supports SMPP protocol for submitting text messages to Short Message Service centers (SMSC).

  • New Feature: Improved Features for Server Migration and Complex Setups

Previous features for routing registration data to other authentication servers have been improved with options for generic routing. This means migration scenarios and complex setups with multiple LinOTP instances are easier to model and administer.

In addition to these features, LinOTP 2.8.1 includes many further improvements and bug fixes in order to improve the user experience.

Download

LinOTP 2.8.1 is available as a Debian package from linotp.org. Ubuntu packages are available from our PPA on Launchpad. It can also be obtained via the Python Package Index (PyPI). Users of the LSE LinOTP Smart Virtual Appliance will receive LinOTP 2.8.1 via the integrated update mechanism.

The LSE team would be pleased to answer any questions you may have about LinOTP 2.8.1 and assist upgrading your environment to the latest release at support@lsexperts.de

The LSE LinOTP team

--
LSE Leading Security Experts GmbH
P.O. Box 100121, 64201 Darmstadt
Sales Hotline: +49 6151 86086-277, Fax: -299
Registered Office: Weiterstadt, Amtsgericht Darmstadt: HRB8649
Board of Directors: Nils Manegold, Oliver Michel, Arved Graf von Stackelberg, Sven Walther

Changelog:

LinOTP:

Enhancements:

  • Server: Add monitoring controller
  • Server: Add support for encryption migration (HSM)
  • Server: Add 'forward to server' policy
  • Server: Extended user filter in policies
  • Server: Reduce number of userid authentication calls
  • Server: Enable fewer services in default configuration
  • WebUI: Update jQuery, jQuery UI and jed

Bug fixes:

  • Selfservice: Fix access to userservice with UTF-8 characters
  • WebUI: IE11: Deliver requested language
  • WebUI: Support for IE11 logout and cookie deletion

UserIdResolver:

  • SQL: Add support for ASP.NET hashes

SMSProvider:

  • Add support for SMPP SMS Provider

libpam-linotp:

Enhancements:

  • Major code rewrite
  • Add support for custom CA certificates
  • Improve compatibility with multiple Linux distributions, FreeBSD and OS X

LSE LinOTP 2.8 released

On Nov 27th we released LinOTP 2.8 to the repositories.

LinOTP 2.8

LSE Leading Security Experts GmbH is pleased to announce the availability of the following product release:

LinOTP 2.8 contains full support for the FIDO U2F standard, along with additional new features, usability improvements and bug fixes.

The list below provides details of the most important changes. The complete changelog is provided at the end of this article.

Highlights:

  • New feature: FIDO U2F support

LinOTP 2.8 now fully supports the FIDO alliance U2F protocol. It is now possible to use user friendly U2F tokens provided by various manufacturers in order to implement the second authentication factor. By using public key techniques, it is now possible to use just one token to access multiple authentication systems. In addition, it is possible to implement Bring Your Own Token (BYOT) scenarios.

  • New feature: User enrollment of FIDO U2F, email and SMS tokens via the self service portal

In order to simplify the rollout process, it is now possible to allow users to use the self service portal to enroll new token types (FIDO U2F, email and SMS) in addition to those previously available. As with other token types, access to these new types is under the control of the LinOTP administrator via the policy system.

  • New feature: Temporary email and SMS token

If a token is lost or stolen, it is now possible to define a temporary email or SMS token instead of a temporary password.

  • New feature: More than one challenge response token per user with identical token PIN

The API in LinOTP 2.8 supports generation of more than one challenge for various tokens and token types. This now makes it possible to use different challenge response tokens with the same token PIN. It is also possible to use different challenge response token types with identical token PINs.

  • Improvements and bug fixes

In addition to these features, LinOTP 2.8 includes many further improvements and bug fixes in order to improve the user experience.

Download

LinOTP 2.8 is available as a Debian package from linotp.org. Ubuntu packages are available from our PPA on Launchpad. It can also be obtained via the Python Package Index (PyPI). Users of the LSE LinOTP Smart Virtual Appliance will receive LinOTP 2.8 via the integrated update mechanism.

The LSE team would be pleased to answer any questions you may have about LinOTP 2.8 and assist upgrading your environment to the latest release at support@lsexperts.de

The LSE LinOTP team

--
LSE Leading Security Experts GmbH
P.O. Box 100121, 64201 Darmstadt
Sales Hotline: +49 6151 86086-277, Fax: -299
Registered Office: Weiterstadt, Amtsgericht Darmstadt: HRB8649
Board of Directors: Nils Manegold, Oliver Michel, Sven Walther

Changelog:

LinOTP:

Enhancements:

  • Server: Add FIDO U2F support
  • Selfservice: Enroll FIDO U2F, e-mail and SMS tokens
  • Server: Losttoken: Support enrollment of e-mail and SMS tokens
  • Server: Trigger challenges for multiple challenge-response tokens with one request
  • Server: Support autoassignment policy without action value

Bug fixes:

  • Selfservice: Fix getSerialByOtp functionality for yubikey tokens
  • Server: Fix importing yubikey tokens without prefix
  • Server: Fix autoassignment with remote token pointing at yubikey token
  • Server: Fix autoassignment using tokens with different OTP lengths
  • Server: Prevent counter increments of inactive tokens
  • Server: Don't return counter parameter on TOTP enrollment
  • Selfservice: Fix occasional login problems using non-ASCII characters
  • Server: Fix occasional problems sorting userlist with unicode characters
  • Server: Fix usage of otppin policy for remotetoken with local pincheck
  • Server: Don't return error messages on unconfigured autoenrollment
  • Server: Always set OTP length in remote token enrollment
  • Server: Don't return error messages for policy otppin=1 and unassigned tokens
  • Server: Reply to OCRA2 challenge providing only transactionid and OTP
  • WebUI: Don't show dialog asking for realm creation if no useridresolver is configured
  • WebUI: Fix WebUI for recent Internet Explorer versions
  • WebUI: Clear key and PIN input fields after token enrollment
  • Tools: linotp-create-pwidresolver-user: Fix duplicate and ignored command-line arguments
  • Tools: Correctly package linotp-enroll-smstoken tool
  • Tools: Use Digest instead of Basic Authentication in linotp-enroll-smstoken
  • Tools: Display an error message in linotp-enroll-smstoken when dependencies are missing
  • Tools: Fix linotp-sql-janitor crash when executed without --export option
  • Server: Fix for wildcard search with available unassigned tokens
  • Server: Fix LinOTP on pylons 0.9.7
  • Packaging: Remove nose dependency from linotp install process

UserIdResolver:

  • Add support for Unicode passwords in PasswdIdResolver
  • Add LDAP proxy support
  • Support for LDAP cursoring during fetch of userlist
  • Add support for odbc_connect in SQLIdResolver

SMSProvider:

  • Encode spaces in request params as '%20', not as '+'
  • Fix GET requests using the requests library
  • Add ability to convert the phone number to MSISDN format

    LSE LinOTP Hotfix / Security Advisory

    LSE Leading Security Experts GmbH recommend the application of the hotfix described below in oder to ensure secure operation with LinOTP. It is only necessary to carry out these steps on those installations which do not use automatic update mechanisms (see below under "LSE LinOTP Smart Virtual Appliance"). Users of automatic update mechansims are not affected, as LinOTP will already have been updated.

    The hotfix closes a critical issue and prevents potential misuse.

    This issue can potentially allow an unauthorised user to submit input containing unwanted characters, that is written to LinOTP's logs and database. At a later date under certian conditions, it is possible that these could be executed under admin context. It is possible that malicious code could be exected as a result. This is due to unescaped output being passed to a widget used by LinOTP.

    A security advisory has been released for our product LinOTP containing further details. We would especially like to thank Tomas Rzepka for his valued input and assistance.

    As far as we are aware, there have not been any cases of this issue being exploited.

    We have provided the hotfix to our customers in various formats and versions. The fixed packages do not contain any changes apart from the hotfix itself. We recommend applying this update as soon as possible.

    Please use the instructions provided below to install the hotfix.

    In future versions of LinOTP (2.8 and above), we will make changes to reduce the potential risk of similar issues through use of the API.

    Hotfix installation

    The following updated LinOTP versions are available:

    The installation instructions contain download links.

    Systems prior to LinOTP 2.6 or which do not use packages should refer to the installation instructions. In this case the fix should be applied by manually copying a fixed version of the file in question.

    LSE LinOTP Smart Virtual Appliance

    Customers who use the LinOTP SVA with automatic updates enabled will automatically obtain the new package when updates are applied according to their system configuration.

    It is possible to start the update process from the command line by executing the command "appliance-update.sh".

    Please note: appliance-update.sh will download and apply all pending operating system updates. If your system has not been updated for some time, this may result in a lengthy download and installation process.


    LSE LinOTP 2.7.2 released

    On May 11th we released LinOTP 2.7.2 to the repositories.

    LSE LinOTP 2.7.2

    LSE Leading Security Experts GmbH is announcing the availability of the new release of LSE LinOTP (2.7.2)

    You will find the complete Changelogs and the most important changes in LinOTP 2.7.1 at the end of this newsletter. We hereby want to mention some highlights in 2.7.2.

    LinOTP 2.7.2

    LinOTP 2.7.2 includes some interesting new features as well as improvements in usability and bug fixes. This is only a selection, please refer to the full Changelog below.

    Download

    LinOTP 2.7.2 is available in our repositories on linotp.org and for customers running LinOTP on the LSE LinOTP Smart Virtual Appliance using the integrated upgrade mechanisms.

    We are happy to answer your questions about this release: sales@lsexperts.de.

    Changelogs:

    LinOTP 2.7.2
    Enhancements:
    Bug fixes:

    LSE Smart Virtual Appliance 1.2 and LinOTP 2.7.1 released

    On January 15th we released LinOTP 2.7.1 to the repositories.

    LSE Smart Virtual Appliance 1.2 and LinOTP 2.7.1

    LSE Leading Security Experts GmbH is proud to announce the general availability (GA) of the following new product releases:
    (1) LSE LinOTP Smart Virtual Appliance 1.2
    (2) LSE LinOTP 2.7.1.

    We are happy to now also provide LinOTP 2.7 to our customers running LSE LinOTP Smart Virtual Appliances.

    You will find the entire changelogs below. Here we want to mention some highlights:

    LinOTP 2.7.1

    LinOTP received many improvements in usability and the work flow. This is only a selection of improvements, please also refer to the full Changelog below.

    Highlights for customers upgrading from LinOTP EE 2.6.1.1:

    Preview

    We are already working on the next releases and want to give a small peek at what is coming.

    LSE LinOTP Smart Virtual Appliance 1.2

    The LSE Smart Virtual Appliance (SVA) received big improvements in the installation process, usability and the backend.

    The Configuration Management was improved to make changes more visible and improve the usability. There is now a clear indication of changes needed to be saved and activated. An info bar appears and the 'Configuration Management' Tab is highlighted until the changes are saved and activated.

    The WebUI of the LSE LinOTP SVA is now fully translatable and available in German. The language will be chosen based on your browser's language.

    The installation wizard saw substantial improvements. More settings are preset from the installed system and more of the input is checked for errors. The activation step of the wizard was completely rewritten and is now faster and more robust.

    There are many improvements in the WebUI which stem from customer input to improve the workflow of administration and management of the SVA.

    LinOTP 2.7.1 is available in our repositories on linotp.org and for customers running LinOTP on the LSE LinOTP Smart Virtual Appliance using the integrated upgrade mechanisms. If you have any questions regarding the new releases, we are happy to answer and support your inquiries.

    Changelogs:

    LinOTP 2.7.1
    Enhancements:
    Bug Fixes:

    LSE Smart Virtual Appliance 1.2


    LinOTP 2.7.0.2 released

    On August 8th we released LinOTP 2.7.0.2 to the repositories on linotp.org, launchpad and PyPI.

    This is a patch release with improvements in handling Oracle databases and a fix for a memory leak in the audit exports for very large audit databases.


    LinOTP by LSE is now available with all features as Open Source

    Press Release

    Benowa, Queensland, Australia/ Weiterstadt, Germany 2014-05-21

    LSE LinOTP - a vendor-independent product for two-factor authentication and one-time password methods (OTP) - will be made available by LSE, Leading Security Experts GmbH, as an open source solution with all current features included.

    At the annual AusCERT Information Security Conference in Australia, and in conjunction with a Red Hat tutorial about the internal deployment of LSE LinOTP Enterprise Edition, LSE Leading Security Experts GmbH (LSE) [http://www.lsexperts.de], a member of the MAX21 Group (MAX21 Management- und Beteiligungen AG) [MA1, http://www.max21.de], will announce the expansion of its open source strategy.

    The currently-separate community edition [http://www.linotp.org] and commercially-marketed enterprise edition [http://www.lsexperts.de] will be merged. LSE will provide LinOTP free of charge as an open source software solution licensed under the AGPLv3 and GPLv2. The complete feature set will be available for download when LinOTP 2.7 is released in the second half of May 2014.

    Quoting Sven Walther, CEO and CTO of LSE Leading Security Experts GmbH, "With this step we open the source of a professionally-maintained and scalable product for enterprise-grade sign-in security. Through such licensing and marketing, we expect LinOTP to advance the distribution to the most frequently installed sign-in security solution for two-factor authentication and OTP methods worldwide. We see a global demand for LinOTP. The solution is highly flexible and scalable. LinOTP appeals to a wide range of users and is suited for nearly every enterprise - be it TAN generation for online banking, high-availability deployment in enterprise environments with many dependent users, or secure one-time password sign-in at smaller companies, to name just a few popular use cases."

    LSE Leading Security Experts GmbH will complement the LinOTP software solution with matching LinOTP support and subscription services as well as professional service offerings. These will include extended levels of quality assurance for updates and patches, the availability of LSE LinOTP Smart Virtual Appliance as a fully-integrated turn-key solution, prioritized hotfixes by our development team, and advisory services on top of the usual standard support and consulting services.

    With this recent open source offering, customers now have the option to pick the solution that best suits their usage scenario. This encompasses both deployments that are fully-featured yet completely free-of-charge, as well as business-critical deployments with all their requirements on support and quality-assurance processes, including a firm commitment by LSE to the continuous development of its solution. To enable this, LSE will further expand its technical and human resources in this area.

    About LSE Leading Security Experts GmbH

    LSE Leading Security Experts GmbH is the leading vendor of secure connection technologies centered around vendor-independent logon security and identity management, and specialises in information and IT security for companies. Alongside the development of security products, LSE's core competences include, among others, consulting services on logon security, vulnerability analysis and penetration tests, encryption technology, storage and virtualization security, and IT risk management.

    LSE belongs to the MAX21 Group.

    For further information please refer to: http://www.lsexperts.de

    Press Contact:

    LSE Leading Security Experts GmbH
    Sven Walther
    Postfach 10 01 21
    64201 Darmstadt
    Germany
    Phone: +49 6151 86086-0
    Fax: +49 6151 86086-299
    E-Mail: presse@lsexperts.de
    Web: http://www.lsexperts.de

    Red Hat is the trademark of Red Hat, Inc., registered in the U.S. and other countries.
