Deactivate automatic resynchronization

The hotfix is available in our repositories for the current LinOTP version 2.10.5.x (2.10.5.2). You will receive the fix automatically with the next system upgrade.

If updating the entire system and applying the available patch is not an option in your environment, you can disable the autoresync function for the tokens instead.

Disable the autoresync function

  1. Open the LinOTP management interface at https://<linotp-server-ip>/manage
  2. Navigate to 'LinOTP Config' in the menu and select 'System Config' there
  3. In the line 'Auto resync', remove the check mark
  4. Click 'Save Config' to apply the configuration

This reliably prevents the possible attack based on reusing an OTP. As long as the function is not activated again, your system remains secure. We recommend applying the provided patch anyway. The best solution is to update to the current LinOTP >= 2.10.5.3.