4. Supported tokens
4.1. Tokens
4.1.1. Hardware Tokens
LinOTP supports a broad range of different tokens from different vendors.
HOTP compatible
Supports any kind of RFC 4226 compliant tokens. LinOTP can import OATH-compliant key files according to RFC 6030. Additionally it can import SafeNet eToken PASS XML files and Feitian XML files. Furthermore the key can be entered manually during enrollment. Thus LinOTP supports:
SafeNet eToken PASS
Feitian C100
Authenex A-Key V3.6
Safeword Alpine
Validustech BC-30, CR-1, PB-1
Many different kinds of mobile Apps. See section Recommended Mobile Apps.
HMAC-SHA256 and HMAC-SHA512
In addition to the HMAC-SHA1 on which RFC 4226 is based, LinOTP also supports HMAC-SHA256 and HMAC-SHA512. This is used e.g. with newer SafeNet eToken PASS tokens.
TOTP compatible
Supports any kind of TOTP compliant tokens. LinOTP can import OATH-compliant key files according to RFC 6030. Furthermore the key can be entered manually during enrollment. Thus LinOTP supports:
SafeNet eToken PASS time based
Feitian C200
Validustech BC-30, CR-1, PB-1
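The HOTP and TOTP computations these two sections refer to, as an added example in Python (not LinOTP's own code): the HMAC hash is selectable so the HMAC-SHA256/SHA512 variants mentioned above are covered, and verify_hotp shows the server-side look-ahead check for an event-based token that rejects an already used counter. The seed is the RFC 4226 Appendix D test secret.

```python
import hashlib
import hmac
import struct
import time
from typing import Optional

# Hash variants named on this page: RFC 4226 HMAC-SHA1 plus HMAC-SHA256/SHA512.
HASHES = {"sha1": hashlib.sha1, "sha256": hashlib.sha256, "sha512": hashlib.sha512}


def hotp(secret: bytes, counter: int, digits: int = 6, hash_name: str = "sha1") -> str:
    """RFC 4226 HOTP with the underlying HMAC hash selectable."""
    mac = hmac.new(secret, struct.pack(">Q", counter), HASHES[hash_name]).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation, RFC 4226 section 5.3
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, for_time: Optional[float] = None, step: int = 30,
         digits: int = 6, hash_name: str = "sha1") -> str:
    """RFC 6238 TOTP: HOTP over the number of time steps since the Unix epoch."""
    now = time.time() if for_time is None else for_time
    return hotp(secret, int(now) // step, digits, hash_name)


def verify_hotp(secret: bytes, last_counter: int, otp: str, window: int = 10,
                digits: int = 6, hash_name: str = "sha1") -> Optional[int]:
    """Server-side check for an event-based token with a look-ahead window.

    Returns the counter to store as the new 'last used' value, or None when
    the OTP matches nothing in the window. Only counters above last_counter
    are tried, so an OTP that was already accepted (a replay) is rejected.
    """
    for candidate in range(last_counter + 1, last_counter + 1 + window):
        if hmac.compare_digest(hotp(secret, candidate, digits, hash_name), otp):
            return candidate
    return None


if __name__ == "__main__":
    seed = b"12345678901234567890"  # RFC 4226 Appendix D test secret
    print(hotp(seed, 0), hotp(seed, 1))  # 755224 287082
    print(totp(seed, for_time=59, digits=8))  # 94287082 (RFC 6238 vector)
    print(hotp(seed, 0, hash_name="sha512"))  # same seed, different OTP
    print(verify_hotp(seed, 0, "359152"), verify_hotp(seed, 2, "359152"))  # 2 None
```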
Yubico YubiKey
Supports the YubiKey I, YubiKey II and YubiKey NANO in OATH mode. LinOTP can generate the HMAC key on the YubiKey.
Also supports YubiKeys as shipped by Yubico with the original algorithm, which produces a 44-character one-time password. The authentication is then forwarded to the Yubico cloud authentication API. Details can be found here: Enroll YubiKeys.
SafeNet eToken NG-OTP
Supports the eToken NG-OTP. LinOTP can generate the HMAC key on the eToken NG-OTP.
Vasco
Supports DigiPass Tokens in RO (Response Only) mode like GO1, DP300, GO3, GO6.
4.1.2. Soft Tokens
LinOTP supports all kinds of standardized soft tokens.
HOTP
Event based tokens which can be used in conjunction with compatible APPs (like the Google Authenticator or FreeOTP). Details can be found here: Enroll HOTP, TOTP and OCRA Tokens
TOTP
Time based tokens which can be used in conjunction with compatible APPs (like the Google Authenticator or FreeOTP). Details can be found here: Enroll HOTP, TOTP and OCRA Tokens
mOTP
Supports mOTP tokens using the motp1 algorithm. The mOTP key can be entered during enrollment. For recommended apps see section A. Details can be found here: Enroll mOTP Token
4.1.3. Tokens for login and transaction security (challenge response)
4.1.3.1. KeyIdentity QR Token
The KeyIdentity QR Token has been introduced with LinOTP 2.9. It requires the KeyIdentity APP (available for Android and iOS). The token can be used for authentication as well as for securing transactions and features an optional offline mode.
How it works
The login program displays a QR code which is scanned with the KeyIdentity Authenticator APP on the user’s mobile phone. If the mobile is connected to the internet, the user just confirms the login (or transaction) with a tap on the phone and the login (or transaction) is performed. This is very convenient for the user because no further interaction, such as entering an OTP somewhere, is required. The mobile contacts the LinOTP server, and the LinOTP server in turn communicates with the login program to approve the login. If the phone is offline, the APP instead generates and displays an OTP which has to be entered manually in the login screen. If the offline mode is configured, the login program itself can be offline (e.g. desktop login during a flight) and still validate the OTP the user enters manually for the login.
The KeyIdentity QR Token is fully supported by the KeyIdentity Authentication Provider (KAP).
Configuration details of the KeyIdentity QR Token can be found here: Setup KeyIdentity QR Token
Note
Login procedures - like the KeyIdentity Authentication Provider - need to have built-in support for the QR Token in order to use this type of token.
4.1.3.2. KeyIdentity Push Token
The KeyIdentity Push Token v2 has been introduced with LinOTP 2.10. It requires the KeyIdentity APP (available for Android and iOS). The token can be used for both authentication and transaction protection.
How it works
Compared to the KeyIdentity QR Token the Push Token does not require the user to scan a QR code to approve a login (or transaction). Instead the login request is pushed to the mobile of the user via a Push Token Provider. The details of the login (or transaction) are displayed in the APP and the user confirms the action.
The KeyIdentity Push Token requires the user’s mobile and the login procedure to be online. The dedicated Challenge Service must be accessible by the user’s mobile.
The KeyIdentity Push Token is fully supported by the KeyIdentity Authentication Provider (KAP).
Configuration details (required policies and the setup of the Challenge Service and Push Token Provider) for the KeyIdentity Push Token can be found here: KeyIdentity Push Token Policies, Push Provider for KeyIdentity Push Token.
Note
The use of the Challenge Service is permitted by a corresponding support contract. Please contact support@keyidentity.com for help and documentation. KeyIdentity GmbH provides the required infrastructure for the Push Token for their customers.
4.1.4. Challenge Response Tokens
SMS Token
Supports SMS Tokens. LinOTP can enroll SMS Tokens, which send OTP values via SMS to the cell phone number configured for the assigned user. Details can be found here: Enroll SMS OTP / Mobile TAN and SMS Provider for SMS OTP Tokens / Mobile TANs.
E-Mail Token
This token is used in challenge/response mode. This means that the user triggers LinOTP to send an e-mail (challenge) containing the OTP and then replies with that OTP (response). The e-mail address where the OTP is sent can be configured when assigning the token to the user. Details can be found here: Enroll E-Mail Token and E-mail Provider for E-mail Token.
Voice Token
This token supports the transmission of the OTP via a phone call. So the user triggers the challenge and shortly after a call is made to the user’s phone and the OTP is read. Details can be found here: Enroll Voice Token.
Note
The use of the Voice Challenge Service is permitted by a corresponding support contract. Please contact support@keyidentity.com for help and documentation. KeyIdentity GmbH provides the required infrastructure for the Push Token for their customers.
4.1.5. Special Tokens
Remote Token
Supports Remote Token, which forwards OTP requests to other LinOTP servers, either based on user assignment or simply based on the token serial number, thus enabling complex distributed setups. Details can be found here: Enroll Remote Token.
Forwarding Token
Similar to “Remote Token” but less complex. Points to another token on the same LinOTP server via token serial. Details can be found here: Enroll Forwarding Token.
RADIUS Token
Supports RADIUS Token, which forwards the authentication request of username and password/OTP to any given RADIUS server, thus enabling smooth migration scenarios. Details can be found here: Enroll RADIUS Token.
Static Password Token
Supports the Static Password Token, which is a fixed password token without any moving factor. Details can be found here: Enroll Static Password Token.
Simple Pass
Supports the Simple Pass Token, which is an empty password token without any moving factor. Details can be found here: Enroll KeyIdentity Simple Pass Token.
Day OTP / Tagespasswort
Supports Tagespasswort Tokens. LinOTP can import key files or enroll Tagespasswort Tokens, which change their value once a day and thus allow the use of OTPs in applications that do not offer any external authentication interface such as RADIUS.
4.2. Recommended Mobile Apps
There are many different Apps that implement the HOTP and the mOTP algorithm and that can be used with LinOTP, but enrollment is cumbersome in many of them.
4.2.1. Recommended HOTP Apps
4.2.1.1. Apps for the iPhone
Other Apps can be used, but the secret often needs to be registered manually and typed into the Selfservice Portal.
FreeOTP
Pro: Supports several different accounts / tokens.
Pro: The secret can not be displayed within the app.
Pro: Very easy enrollment by scanning the QR code in the LinOTP selfservice portal from within the app.
Pro: Very fast builtin barcode scanner.
Pro: Open source.
Cons: The token can not be password protected in the app.
Google Authenticator
Pro: Supports several different accounts / tokens.
Pro: The secret can not be displayed within the app.
Pro: Very easy enrollment by scanning the QR code in the LinOTP Selfservice Portal from within the app.
Cons: The token can not be password protected in the app.
HDE OTP
Pro: Supports several different accounts / tokens.
Pro: Using lockdown mode the secret can not be displayed within the app.
Pro: Rather easy enrollment by scanning the QR code.
Cons: The code needs to be scanned with an external app like “Red Laser”. The scanned link then needs to be deleted manually.
Cons: The token can not be password protected in the app.
DS3 Token
Pro: Token can be password protected within the app.
Pro: The secret can not be displayed within the app.
Pro: Very easy enrollment by scanning the Google Authenticator enrollment QR Code.
Pro: The app can be locked using a password.
Cons: The app only supports TOTP tokens, no HOTP tokens.
4.2.1.2. Apps for Android
FreeOTP
Pro: Supports several different accounts / tokens.
Pro: The secret can not be displayed within the app.
Pro: Very easy enrollment by scanning the QR code in the LinOTP selfservice portal from within the app.
Pro: Very fast builtin barcode scanner.
Pro: Open source.
Cons: The token can not be password protected in the app.
Google Authenticator
Pro: Supports several different accounts / tokens.
Pro: The secret can not be displayed within the app.
Pro: Very easy enrollment by scanning the QR code in the LinOTP selfservice portal from within the app.
Cons: The token can not be password protected in the app.
4.2.1.3. Apps for the Windows Phone
Token2 OTP
Pro: Supports additional PIN protection for TOTP profiles.
Pro: Supports Classic MOTP.
Pro: Supports MOTP with QR based enrollment.
Microsoft Windows Authenticator
4.2.2. Recommended mOTP Apps
4.2.2.1. Apps for iPhone
iOTP
Pro: Supports several different accounts / tokens.
Pro: The secret can not be displayed within the app after enrollment.
Pro: Can send automatic support-request email to administrator.
Cons: The secret needs to be entered in the LinOTP Selfservice Portal manually.
Asion mobile OTP
Pro: The secret can not be displayed within the app after enrollment.
Cons: Only supports one account / token.
Cons: The secret needs to be entered in the LinOTP Selfservice Portal manually.
4.2.2.2. Apps for Android
DroidOTP
Pro: Supports several different accounts / tokens.
Pro: The secret can not be displayed after enrollment.
Cons: The secret needs to be entered in the LinOTP Selfservice Portal manually.
4.2.2.3. Apps for Windows Phone
Token2 OTP
Pro: Supports additional PIN protection for TOTP profiles.
Pro: Supports Classic MOTP.
Pro: Supports MOTP with QR based enrollment.
Yamotp
Pro: Supports several different accounts / tokens.