linotp.tokens.passwordtoken module

This file containes PasswordTokenClass

class linotp.tokens.passwordtoken.PasswordTokenClass(aToken)

Bases: HmacTokenClass

This Token does use a static Password as the OTP value. In addition, the OTP PIN can be used with this token. This Token can be used for a scenario like losttoken

checkOtp(anOtpVal, counter, window, options=None)

checks the static password - using the secret object password comparison method

  • anOtpVal – the password to be compared

  • counter

    • not used for the password token -

  • window

    • not used for the password token -

  • options

    • not used for the password token -


counter, which is 0 for success and -1 for failure

check_otp_exist(otp, window=10, user=None, autoassign=False)

checks if the given OTP value is/are values of this very token. This is used to autoassign and to determine the serial number of a token.

  • otp (string) – the to be verified otp value

  • window (int) – the lookahead window for the counter


counter or -1 if otp does not exist

Return type:


classmethod getClassInfo(key=None, ret='all')

getClassInfo - returns a subtree of the token definition

  • key (string) – subsection identifier

  • ret (user defined) – default return value, if nothing is found


subsection if key exists or user defined

Return type:


classmethod getClassPrefix()
classmethod getClassType()

getClassType - return the token type shortname



Return type:


setOtpKey(otpKey, reset_failcount=True)

the seed / secret for the password token contains the unix hashed (hmac256) format of the password. the iv is used as indicator that we are using the new format, which is the ‘:1:’ indicator

  • otpKey – the token seed / secret

  • reset_failcount – boolean, if the failcounter should be reseted


update - the api, which is called during the token enrollment

we have to make sure that the otpkey, which carries our password is encoded as utf-8 to not break the storing


otpkey contains the password and is required therefore otherewise raises ParameterError


Accepts every seed because password token has no restrictions. This overrides the hmactoken’s seed validation (only hex).


seed – a string that should be checked for

validity as a seed (aka otpkey)