On January 15th we released LinOTP 2.10 to the repositories.

LinOTP 2.10

KeyIdentity GmbH is pleased to announce the availability of the following product release:

LinOTP 2.10 introduces many improvements, new features, cleanups and bug fixes. The list below provides details of the most important changes. Please also refer to the complete changelog at the end of this newsletter.


  • New Feature: Voice Token

LinOTP 2.10 is the first release to include support for Voice Tokens. Thus, in addition to the already known challenge-response tokens (e.g. KeyIdentity's Push Token, SMS Token), it provides another barrier-free way to deliver OTPs to users.

Currently Twilio is supported as Voice Token Provider. The Voice Token requires a dedicated Voice Challenge Service which is made available to customers by KeyIdentity GmbH. Documentation for the Voice Token can be found here: Voice Token.

Details about the Voice Challenge Service can be obtained from

  • New Feature: Securing the Selfservice Portal with MFA

The Selfservice Portal can be additionally protected with MFA. This is particularly useful for environments where the Selfservice Portal is exposed to the Internet. The MFA feature is configurable and allows existing workflows to be retained with additional security.

Details can be found here: MFA Selfservice Portal.

  • Improvements: KeyIdentity Push Token

LinOTP 2.10 improves the functionality of KeyIdentity's Push Token. A dedicated Challenge Service is introduced. This service separates the external communication with the user's mobile device from the sensitive data stored in LinOTP. The updated KeyIdentity Authenticator Apps for iOS and Android can now actively query existing challenges of the user. This makes transaction validation more reliable. The Challenge Service and comprehensive documentation are provided by KeyIdentity GmbH and can be obtained from

  • Token Validity

The number of uses and the expiry date of tokens can be limited. Starting with LinOTP 2.10 these limits can be configured conveniently via the web GUI (token management), e.g. by help desk personnel. This is useful, for example, to enroll temporary tokens for visitors. More information can be found here: Token Validity.


LinOTP 2.10 is available as Debian and RPM packages from Ubuntu packages are available from our PPA on Launchpad. Users of the KeyIdentity LinOTP Smart Virtual Appliance will receive LinOTP 2.10 via the integrated auto-update mechanism.

We are happy to assist our support customers in upgrading their environment to the latest release. Please contact us at

The KeyIdentity LinOTP team

KeyIdentity GmbH
Robert-Koch-Straße 9, 64331 Weiterstadt

Sales Hotline: +49 6151 86086-277, Fax: -299
Registered Office: Weiterstadt, Amtsgericht Darmstadt: HRB8649
Board of Directors: Nils Manegold, Dr. Amir Alsbih

Changelog LinOTP 2.10

Token Changes:
  • Introduce new token: Voice Token
  • Enhance Push Token (incompatible with previous Push Token version)
Server Changes:
  • Adjust default transactionId length to 17
  • Implement explicit-deny for push token
  • Add token type specific enrollment limits
  • Support loading provider via configuration in linotp.ini
  • Enable new policy engine by default
  • Moved tokens to new location in src tree
  • Support shorter lost token duration (days, hours, and minutes added)
  • Autoassign a token if a request arrives with only username (without password)
  • Document the otppin policy 3 (ignore_pin) in the policy UI
  • Removed IE compatibility mode from templates
  • Take the already stored mobile number of a token owner (available from UserIdResolver) if it exists, otherwise take the number stored in the token info
  • Autoassignment without password
  • OATH csv import with sha256 + sha512
Web UI Changes:
  • Add Auth Demo pages for challenge-response and push token
    • /auth/challenge-response
    • /auth/pushtoken
  • Add expiration dialog for tokens
  • Refactor dialog button icon generation
  • Performance improvement by removing mouseover effects on Manage-UI
  • Extract custom form validators into separate files
  • Removed IE compatibility mode from templates
  • Update favicon to follow company rename
  • Add UI in manage and Selfservice for "static password" token
  • Improved Selfservice login with MFA support
Bug Fixes:
  • Server: Fix evaluation of forward policy to match most specific user definition
  • Server: Fix password comparison of password token
  • Server: Adjust location of token makos for translation
  • Server: Fix typo in getUserFromRequest in case of basic auth
  • Server: Fix missing 'serial' for audit and policy check in selfservice.enroll
  • Server: Fix for loading active token modules
  • Server: On LDAP test connection always close dialog
  • Server: Fix encoding error that prevented Token View from being displayed in the web interface.
  • Server: Fix challenge validation to check only one request at a time. Prevent (positive) double authentication with the same transaction ID and OTP.
    This used to happen when a user submitted the OTP for a transaction ID more than once within a very short timeframe.
  • Server: Fix for missing LDAP utf-8 conversion
  • Server: Fix default hash algorithm. This was causing issues in the YubiKey import
  • Server: Fix wrong audit log entries where "failcounter exceeded" was incorrectly being replaced with "no token found"
  • Server: Fix QRToken to use the tan length defined at enrollment
  • Server: Fix password and lost token password comparison
  • Server: Fix to show deactivated policies in Manage UI again.
  • Server: Fix for better user/owner comparison
  • Server: Fix to show inactive policies
  • Server: Fix import of policies with empty realm
  • Server: Verify that only active policies are used
  • Server: Fix for policy export to export inactive too
  • Server: Fix for target realm handling on token import
  • Server: Fix select only active policies for admin policies
  • Server: Fix getResolverClassName
  • Web UI: Fix UI crash: check if backend response is array in LDAP testconnection
  • Selfservice: Fix QR token enrollment and activation