5. Supported tokens
LinOTP supports a broad range of different tokens from different vendors.
HOTP
Supports any kind of RFC 4226 compliant tokens. LinOTP can import OATH-compliant key files according to RFC 6030. Additionally it can import SafeNet eToken PASS XML files and Feitian XML files. Furthermore the key can be entered manually during enrollment. Thus LinOTP supports:
- SafeNet eToken PASS
- Feitian C100
- Authenex A-Key V3.6
- Safeword Alpine
- Validustech BC-30, CR-1, PB-1
- Many different kinds of mobile Apps. See section Recommended Mobile Apps.
HMAC-SHA256
Supports HMAC-SHA256. RFC 4226 is based on HMAC-SHA1; LinOTP additionally supports HMAC-SHA256. This is used, e.g., with newer SafeNet eToken PASS tokens.
TOTP
Supports any kind of TOTP compliant tokens. LinOTP can import OATH-compliant key files according to RFC 6030. Furthermore the key can be entered manually during enrollment. Thus LinOTP supports:
- SafeNet eToken PASS timebased
- Feitian C200
- Validustech BC-30, CR-1, PB-1
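Added example (not LinOTP code and not part of the original documentation): how a server computes and checks the HOTP, HMAC-SHA256 and TOTP values described above, using only the Python standard library. The function names and the look-ahead window of 10 are assumptions for illustration; the sample key is the published RFC 4226 test secret.

```python
import hmac
import struct

# Constructed sample input: the ASCII test secret from RFC 4226 Appendix D.
RFC_KEY = b"12345678901234567890"


def hotp(key: bytes, counter: int, digits: int = 6, algo: str = "sha1") -> str:
    """Event-based OTP per RFC 4226; algo="sha256" gives the HMAC-SHA256 variant."""
    mac = hmac.new(key, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation: low nibble of the last byte
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(key: bytes, unix_time: float, step: int = 30,
         digits: int = 6, algo: str = "sha1") -> str:
    """Time-based OTP per RFC 6238: HOTP over the number of elapsed time steps."""
    return hotp(key, int(unix_time) // step, digits, algo)


def verify_hotp(key: bytes, submitted: str, server_counter: int,
                window: int = 10, digits: int = 6, algo: str = "sha1"):
    """Check a submitted HOTP value against the stored counter.

    Returns the counter to store next on success, or None on failure.
    The look-ahead window (assumed value: 10) tolerates button presses
    that never reached the server. Counters below server_counter are
    never tried, so an already used value cannot be replayed.
    """
    candidate = submitted.encode("utf-8")
    for counter in range(server_counter, server_counter + window + 1):
        expected = hotp(key, counter, digits, algo).encode("ascii")
        if hmac.compare_digest(expected, candidate):  # constant-time compare
            return counter + 1
    return None


if __name__ == "__main__":
    print(hotp(RFC_KEY, 0))                      # first RFC 4226 test value
    print(totp(RFC_KEY, 59, digits=8))           # RFC 6238 SHA-1 test value
    print(verify_hotp(RFC_KEY, "359152", 0))     # accepted, counter advances
    print(verify_hotp(RFC_KEY, "359152", 3))     # same value again: rejected
```

The stored counter must be updated with the returned value in the same transaction as the successful login, otherwise the replay protection shown in the last line is lost.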
SafeNet eToken NG-OTP
Supports the eToken NG-OTP. LinOTP can generate the HMAC key on the eToken NG-OTP.
Yubico Yubikey
Supports the Yubikey I, Yubikey II and Yubikey NANO in OATH mode. LinOTP can generate the HMAC key on the Yubikey.
Also supports Yubikeys as shipped by Yubico with the original algorithm, which creates the 44-character password. The authentication is then forwarded to the Yubico cloud authentication API.
Vasco
Supports DigiPass Tokens in RO (Response Only) mode like GO1, DP300, GO3, GO6.
mOTP
Supports mOTP. LinOTP supports the motp1 Algorithm. The mOTP key can be entered during enrollment. For recommended apps see section A.
Simple Pass
Supports the Simple Pass Token, which is a fixed password token without any moving factor.
Remote Token
Supports Remote Token, which forwards OTP requests to other LinOTP servers, either based on user assignment or simply based on the token serial number, thus enabling complex distributed setups.
RADIUS Token
Supports RADIUS Token, which forwards the authentication request of username and password/OTP to any given RADIUS server, thus enabling smooth migration scenarios.
SMS OTP
Supports SMS Token. LinOTP can enroll SMS Token, which will send OTP values via SMS to the given cell phone number of the assigned user.
Day OTP / Tagespasswort
Supports Tagespasswort Tokens. LinOTP can import key files or enroll Tagespasswort Tokens, which change their value once a day and thus enable the use of OTP in applications that do not provide any external authentication interface such as RADIUS.
E-Mail Token
This token is used in challenge/response mode. This means that the user triggers LinOTP to send an e-mail (challenge) containing the OTP and then replies with that OTP (response). The e-mail address where the OTP is sent can be configured when assigning the token to the user.
5.1. Recommended Mobile Apps
There are many different Apps that implement the HOTP and the motp algorithm and that can be used with LinOTP. But many of them are not very comfortable to enroll.
5.1.1. Recommended HOTP Apps
5.1.1.1. Apps for the iPhone
Other Apps can be used, but the secret often needs to be registered manually and typed into the selfservice portal.
HDE OTP
- Pro: Supports several different accounts / tokens.
- Pro: The secret can not be displayed within the app.
- Pro: Very easy enrollment by scanning the Google Authenticator enrollment QR Code.
- Pro: The app can be locked using a password.
- Cons: The app only supports TOTP tokens, no HOTP tokens.
Google Authenticator
- Pro: Supports several different accounts / tokens.
- Pro: The secret can not be displayed within the app.
- Pro: Very easy enrollment by scanning the QR code in the LinOTP selfservice portal from within the app.
- Cons: The token can not be password protected in the app.
OATH Token
- Pro: Supports several different accounts / tokens.
- Pro: Using lockdown mode the secret can not be displayed within the app.
- Pro: Rather easy enrollment by scanning the QR code.
- Cons: But the code needs to be scanned with an external app like “Red Laser”. The scanned link then needs to be deleted manually.
- Cons: The token can not be password protected in the app.
DS3 Token
- Pro: Token can be password protected within the app.
- Pro: The secret can not be displayed within the app.
- Cons: Difficult enrollment since the secret needs to be entered in the LinOTP selfservice portal manually.
- Cons: Supports only one account / token.
5.1.1.2. Apps for Android
Google Authenticator
- Pro: Supports several different accounts / tokens.
- Pro: The secret can not be displayed within the app.
- Pro: Very easy enrollment by scanning the QR code in the LinOTP selfservice portal from within the app.
- Cons: The token can not be password protected in the app.
Androidtoken
- Pro: Supports several different accounts / tokens.
- Pro: The secret can not be displayed within the app.
- Pro: Very easy enrollment by scanning the QR code in the LinOTP selfservice portal from within the app. This token uses the Google Authenticator URLs.
- Pro: The token can be password protected in the app.
5.1.2. Recommended mOTP Apps
5.1.2.1. Apps for iPhone
iOTP
- Pro: Supports several different accounts / tokens.
- Pro: The secret can not be displayed within the app after enrollment.
- Pro: Can send automatic support-request email to administrator.
- Cons: The secret needs to be entered in the LinOTP selfservice portal manually.
Asion mobile OTP
- Pro: The secret can not be displayed within the app after enrollment.
- Cons: Only supports one account / token.
- Cons: The secret needs to be entered in the LinOTP selfservice portal manually.
5.1.2.2. Apps for Android
DroidOTP
- Pro: Supports several different accounts / tokens.
- Pro: The secret can not be displayed after enrollment.
- Cons: The secret needs to be entered in the LinOTP selfservice portal manually.