On Nov 27th we released LinOTP 2.8 to the repositories.

LinOTP 2.8

LSE Leading Security Experts GmbH is pleased to announce the availability of the following product release:

LinOTP 2.8 contains full support for the FIDO U2F standard, along with additional new features, usability improvements and bug fixes.

The list below provides details of the most important changes. The complete changelog is provided at the end of this article.


  • New feature: FIDO U2F support
LinOTP 2.8 now fully supports the FIDO alliance U2F protocol. It is now possible to use user friendly U2F tokens provided by various manufacturers in order to implement the second authentication factor. By using public key techniques, It is now possible to use just one token to access multiple authentication systems. In addition, it is possible to implement Bring Your Own Token (BYOT) scenarios.
  • New feature: User enrollment of FIDO U2F, email and SMS tokens via the self service portal
In order to simplify the rollout process, it is now possible to allow users to use the self service portal to enroll new token types (FIDO U2F, email and SMS) in addition to those previously available. As with other token types, access to these new types is under the control of the LinOTP administrator via the policy system.
  • New feature: Temporary email and SMS token
If a token is lost or stolen, it is now possible to define a temporary email or SMS token instead of a temporary password.
  • New feature: More than one challenge response token per user with identical token PIN
The API in LinOTP 2.8 supports generation of more than one challenge for various tokens and token types. This now makes it possible to use different challenge response tokens with the same token PIN. It is also possible to use different challenge response token types with identical token PINs.
  • Improvements and bug fixes

In addition to these features, LinOTP 2.8 includes many further improvements and bug fixes in order to improve the user experience.


LinOTP 2.8 is available as a Debian package from Ubuntu packages are available from our PPA on Launchpad. It can also be obtained via the Python Package Index (PyPI). Users of the LSE LinOTP Smart Virtual Appliance will receive LinOTP 2.8 via the integrated update mechanism.

The LSE team would be pleased to answer any questions you may have about LinOTP 2.8 and assist upgrading your environment to the latest release at

The LSE LinOTP team

LSE Leading Security Experts GmbH
Robert-Koch-Stra├če 9, 64331 Weiterstadt

Sales Hotline: +49 6151 86086-277, Fax: -299
Board of Directors: Nils Manegold, Oliver Michel, Arved Graf von Stackelberg, Sven Walther




  • Server: Add FIDO U2F support
  • Selfservice: Enroll FIDO U2F, e-mail and SMS tokens
  • Server: Losttoken: Support enrollment of e-mail and SMS tokens
  • Server: Trigger challenges for multiple challenge-response tokens with one request
  • Server: Support autoassignment policy without action value

Bug fixes:

  • Selfservice: Fix getSerialByOtp functionality for yubikey tokens
  • Server: Fix importing yubikey tokens without prefix
  • Server: Fix autoassignment with remote token pointing at yubikey token
  • Server: Fix autoassignment using tokens with different OTP lengths
  • Server: Prevent counter increments of inactive tokens
  • Server: Don't return counter parameter on TOTP enrollment
  • Selfservice: Fix occasional login problems using non-ASCII characters
  • Server: Fix occasional problems sorting userlist with unicode characters
  • Server: Fix usage of otppin policy for remotetoken with local pincheck
  • Server: Don't return error messages on unconfigured autoenrollment
  • Server: Always set OTP length in remote token enrollment
  • Server: Don't return error messages for policy otppin=1 and unassigned tokens
  • Server: Reply to OCRA2 challenge providing only transactionid and OTP
  • WebUI: Don't show dialog asking for realm creation if no useridresolver is configured
  • WebUI: Fix WebUI for recent Internet Explorer versions
  • WebUI: Clear key and PIN input fields after token enrollment
  • Tools: linotp-create-pwidresolver-user: Fix duplicate and ignored command-line arguments
  • Tools: Correctly package linotp-enroll-smstoken tool
  • Tools: Use Digest instead of Basic Authentication in linotp-enroll-smstoken
  • Tools: Display an error message in linotp-enroll-smstoken when dependencies are missing
  • Tools: Fix linotp-sql-janitor crash when executed without --export option
  • Server: Fix for wildcard search with available unassigned tokens
  • Server: Fix LinOTP on pylons 0.9.7
  • Packaging: Remove nose dependency from linotp install process


  • Add support for Unicode passwords in PasswdIdResolver
  • Add LDAP proxy support
  • Support for LDAP cursoring during fetch of userlist
  • Add support for odbc_connect in SQLIdResolver


  • Encode spaces in request params as '%20', not as '+'
  • Fix GET requests using the requests library
  • Add ability to convert the phone number to MSISDN format