MultiOTP

multiOTP

Developer(s)	SysCo systèmes de communication sa
Initial release	7 June 2010 (2010-06-07)
Stable release	4.2.4.2 / 13 April 2014 (2014-04-13)
Development status	Active
Written in	PHP
Operating system	Linux, Microsoft Windows
Platform	IA-32, x86-64, ARM
Type	OTP Authentication server
License	LGPL
Website	www.multiotp.net

multiOTP is an open source PHP class, a command line tool and a web interface that can be used to provide an operating system independent strong authentication system. multiOTP is OATH certified since version 4.1.0 and is developed under the LGPL license.

Overview

Spyware, viruses and other hacking technologies or bugs (like Heartbleed) are regularly used to obtain stolen passwords typed by the user. If a strong two factor authentication system is used, the stolen passwords cannot be stored and later used because each password (called OTP for One Time Passwords) is only valid for one authentication session and will fail if used a second time.

multiOTP is a PHP class library. The class can be used with any PHP application using a PHP version of 5.3.0 or higher. The multiOTP library is provided as an all-in-one self-contained file that requires no other includes. If the strong authentication needs to be done from a hardware device instead of an Internet application, a request will go through a RADIUS server which will call the multiOTP command line tool. The implementation is light enough in order to work on limited computers, such as the Raspberry Pi.

History

Version 1.0.0 of the 7. June 2010 was only a basic command line tool called otpauth, already written PHP. The tool has been renamed to multiotp in version 1.1.4 some days later in order to avoid confusion with another project with the same name.
Version 2.0.0 of 19. July 2010 has been completely rewritten as a PHP class, and the command line tool became an implementation of the class. Under Windows operating systems, the command line tool exists as an executable file including in one file the source code and the PHP interpreter. This version received the phpclasses.org Innovation Award in August 2010.^[1]
Version 3.0.0 of 2. September 2010 allowed PSKC unencoded provisioning files import and the internal structure had been improved.
Version 3.1.1 of 19. December 2010 allowed data storage in a MySQL backend database.
Version 3.2.0 of 6. July 2011 allowed to authenticate with a generic account and by passing the specific user and the password in the password field (useful if the library is used with a Windows authentication which needs a specific user).
Version 3.9.2 of 25. October 2011 is the version that was released for the workshop about integrating strong authentication in Internet applications. This workshop was presented during the Application Security Forum - Western Switzerland 2011 in Yverdon-les-Bains (Switzerland).^[2] The library has also been used to validate and distribute^[3] the seed of the tokens given by Feitian, the sponsor of the event. Each participant had to give an email address, a mobile phone number, a token serial number and the OTP code displayed on the token, than an encrypted email was sent to the participant and the encryption key was sent by SMS.
Version 4.0.7 of 30. August 2013 added a lot of enhancements, like a client/server feature with a local cache storage of the definition files of the used tokens, a completely new implementation of the MySQL support (including database tables creation and update), CHAP authentication (in addition to PAP authentication), QRcode generation for direct provisioning in Google Authenticator, fast creation of a user in a single command, ...
Version 4.0.9 of 22. September 2013 was an intermediate release that has been used to demonstrate the concept of strong authentication in several forums like a Rump Session during the Application Security Forum - Western Switzerland 2013 in Yverdon-les-Bains (Swizerland)^[4] and 45 minutes talk during the Studerus Technology Forum (TEFO) 2013 in Zürich (Switzerland).^[5]
Version 4.1.0 of 23. December 2013 is OATH certified for HOTP and TOTP, which means full compatibility with certified hardware tokens, including encrypted PSKC provisioning files. It's beta version has been used for a 30 minutes talk during the PasswordsCon 2013 in Bergen (Norway).^[6] Instructions and all necessary files to build a strong authentication server device on a Raspberry Pi nano-computer are included. Self-registration of unattributed hardware tokens and automatic resync/unlock during authentication have also been added, and a basic web interface is now also available.
Version 4.1.1 of 20. January 2014 provided some bug fixes and a better support of Microsoft Authenticator. Resyncing a token (using two consecutive OTP) didn't need the PIN code anymore.
Version 4.2.0 of 7. February 2014 supported MS-CHAP and MS-CHAPv2 protocols.
Version 4.2.1 of 14. February 2014 added Active Directory / LDAP support in order to create accounts based on users present in a particular group.
Version 4.2.2 of 3. March 2014 provided an enhanced web interface in order to import hardware tokens, create accounts, synchronize tokens or unlock accounts. An extended support of TekRADIUS was added in order to send back some particular informations, which is useful for MS-CHAP or MS-CHAPv2 connections.
Version 4.2.3 of 13. March 2014 fixed a bug with the send back to TekRADIUS
Version 4.2.4 of 30. March 2014 enhanced MySQL backend support and added mysqli support. Since this version, it is also possible to define in configuration file which fields must be encrypted or not. Some external classes have been updated or replaced, and a lot of new QA tests have been added, both for PHP class and command line versions.
Version 4.2.4.1 of 6. April 2014 added NT_KEY support (for FreeRADIUS further handling, like VPN key generation). It is now also possible to import tokens based on a simple CSV file (serial_number;manufacturer;algorithm;seed;digits;interval_or_event). The new option -user-info has also been added, and some bug fixes have been done too.
Version 4.2.4.2 of 13. April 2014 consolidated XML handling with one single library for the whole project. It also fixed a possible bug concerning tokens import based on a simple CSV file.

Features

For Windows, the multiOTP library is provided with a pre-configured RADIUS server (freeradius) which can be installed as a service. A pre-configured web service (based on mongoose) can also be installed as a service and is needed if we want to use the multiOTP library in a client/server configuration. Under Linux, the readme.txt file provided with the library indicates what should be done in order to configure the RADIUS server and the web service. All necessary files and instructions are also provided to make a strong authentication device using a Raspberry Pi nano-computer. The client can strongly authenticate on an application or a device using different methods:

software tokens (like Google Authenticator)
hardware tokens (any OATH/HOTP and OATH/TOTP certified token, like NagraID tokens, and some other non-certified but compatible tokens, like Feitian C200 time based tokens)
code sent per SMS (since version 4.0.4)
scratch passwords list (since version 4.0.4)

Standardization and normalization

multiOTP is OATH certified for HOTP and TOTP and implements the following standards about strong authentication:

HOTP, HMAC-Based One-Time Password Algorithm (RFC4226)
TOTP, Time-Based One-Time Password Algorithm (RFC6238)
mOTP, Mobile-OTP, strong, two-factor authentication with mobile phones

Scope of the class

The multiOTP class provides strong authentication functionalities and can be used in different strong authentication situations:

adding a strong authentication in order to identify a user (to avoid static password)
fixing a hardware token at a specific place, and be sure that somebody was there at a specific time (the token code displayed to the user at the specific time will give information about the time were it was displayed)
authenticating a user by sending him a code through SMS, which will validate automatically the mobile phone number of the user.
creating automatically strong authentication accounts for users present in a specific group of the Active Directory (or LDAP).

Several free projects use the library:

Last Squirrel IT has used the multiOTP class to create a free and open source strong authentication Credential Provider for Windows Login called MultiOneTimePassword Crendential Provider.^[7]
ownCloud OTP^[8] is a One Time Password app based on the multiOTP class that add strong authentication to the OwnCloud project, an open source Dropbox alternative.
2FA Credential Provider for Windows^[9] is another strong authentication Credential Provider for Windows Login using the multiOTP library.
The multiOTP class has been used as a learning tool in security demonstrations^[10] and a Bachelor thesis^[11]

References

↑ "multiOTP PHP class: Authenticate and manage OTP strong user tokens". PHPclasses/Icontem. Retrieved 30 October 2013.
↑ "Application Security Forum - Western Switzerland 2011". Application Security Forum - Western Switzerland. Retrieved 30 October 2013.
↑ "ASF-WS 2011 Feitian token seed request". SysCo systèmes de communication sa. Retrieved 30 October 2013.
↑ "Application Security Forum - Western Switzerland 2013". Application Security Forum - Western Switzerland.
↑ "Studerus Technology Forum - TEFO'13". Studerus.
↑ "Passwords^13". PasswordsCon.
↑ "MultiOneTimePassword Credential Provider". Last Squirrel IT. Retrieved 30 October 2013.
↑ "One Time Password Backend for ownCloud". apps.ownCloud.com Team. Retrieved 30 October 2013.
↑ "2FA Credential Provider for Windows". Fluid Technology Solutions Ltd. Retrieved 30 October 2013.
↑ "Strong Authentication in Web Application - State of the Art 2011". Compass Security AG. Retrieved 30 October 2013.
↑ "One-time passwords Bachelor thesis (in Czech)". University of Economics, Prague. Retrieved 30 October 2013.