multiOTP Pro
============

multiOTP Pro is a strong two-factor authentication device
multiOTP Pro is OATH certified for HOTP/TOTP

(c) 2010-2025 SysCo systemes de communication sa

Current build: (2025-01-20)


Table of contents

 * What's new in this release
 * Wishlist for future releases
 * Change Log of released versions


WHAT'S NEW IN THIS 5.9.x RELEASE
================================
- New Hyper-V and OVA appliances available (version 011, based on Debian 11)
- Enhanced special ISO characters support (including octal encoded)
- {MultiotpUserAccount} tag can be used in templates
- {MultiotpUserDisplayName} tag (AD/LDAP DisplayName) can be used in templates
- New open source on-premises SMS provider support (


RASPBERRY PI DISTRIBUTION
=========================
Please note that an optimized Raspberry Pi binary image is available for any
multiOTP Enterprise appliance customer.


MULTIOTP CREDENTIAL PROVIDER
============================
multiOTP Credential Provider is a compatible open source Credential Provider for
Windows 7/8/8.1/10/11/2012(R2)/2016/2019/2022 in 64 bits, with caching support
option (for offline connection), RDP only 2FA, and some other options.
To download it:


CHANGE LOG OF RELEASED VERSIONS
===============================
2025-01-20 FIX: Case sensitive issue has been fixed with MSCHAPv2 authentication (thanks Alexey)
           ENH: Created users are trimmed to avoid bad space prefix/suffix during copy/paste
           ENH: multiOTP Credential Provider enhanced support
2025-01-10 FIX: {MultiotpUserDisplayName} tag usage in templates (was not replaced in the QRcode)
           ENH: New Message-Authenticator requirement support for FortiGate v7.2.10+, v7.4.5+ and v7.6.1+
2024-08-26 ENH: Spryng SMS provider support
           ENH: Device with description containing "Fortinet" will send two additional RADIUS attributes
                (ATTRIBUTE Fortinet-Group-Name 1 string, ATTRIBUTE Fortinet-Access-Profile 6 string)
           ENH: Device with description containing "ZyXEL" will send one additional RADIUS attribute
                (ATTRIBUTE User-type 1 string admin/limited-admin/user/guest)
2024-05-03 FIX: without2fa token can now be correctly converted to TOTP with default 30 seconds time interval
           FIX: Without2fa tokens with prefix pin were not working with CHAP/MSCHAP/MSCHAPv2
2023-11-23 ENH: New Raspberry Pi distribution binary (for Enterprise appliance only)
           ENH: Upgrade of internal tools
           INF: This is the last available version for the physical multiOTP Pro 420B device
2023-10-12 FIX: Dashboard new firmware information is available again
2023-09-22 ENH: Without2FA tokens cannot be used for multi_account connection
2023-08-09 FIX: Prefix PIN information was sometimes missing on the provisioning info
           ENH: New Raspberry Pi distribution binary (for Enterprise appliance only)
2023-07-07 FIX: Better Raspberry Pi support (for Enterprise appliance only)
2023-05-10 FIX: Automated concurrent access for the same user with "Without2FA" token could corrupt the user file
           FIX: Template updated to display correct information for "Without2FA" tokens
           FIX: Enhanced backup process, some configuration may be missing in the backup depending on the initial firmware version
           ENH: Template updated to print bigger
                QRcode for "MOTP-XML" tokens
           ENH: Adding on-premises smsgateway ( as a new SMS provider
           ENH: Better warning messages when AD/LDAP password failed
2023-01-19 FIX: Challenge/response RADIUS was not always working correctly since version 2022-11-11
           ENH: It's now possible to define a special AD/LDAP group to attribute "Without2FA" token to specific users
2022-11-04 ENH: Enhanced multiOTP Credential Provider (for Windows)
2022-10-27 ENH: New BeagleBone Black based devices have been upgraded to Debian 11
2022-10-21 FIX: Better special characters support in username and password
           FIX: Better special characters support for RADIUS secret
           ENH: The locked accounts list now also lists the temporary delayed accounts
           ENH: Accounts with Without2FA tokens can now also be stored in cache
2022-08-10 ENH: Enhanced Without2FA support, bypassing the 2FA in Credential Provider (for Windows)
2022-06-17 FIX: Scratch list was empty in some cases
           ENH: Enhanced multiOTP Credential Provider (for Windows)
2022-05-26 FIX: User accounts containing octal encoded ISO characters are now also converted to UTF
           FIX: {MultiOtpVersion} is now correctly replaced in scratchtemplate.html
           ENH: {MultiotpUserDisplayName} tag (AD/LDAP DisplayName) can be used in templates
2022-05-18 FIX: User accounts containing special ISO characters are now also converted to UTF
           ENH: New Hyper-V and OVA appliances available (version 011, based on Debian 11)
           ENH: {MultiotpUserAccount} tag can be used in templates
2022-04-28 ENH: Enhanced log information for refused connection
           ENH: Code cleaning to support next appliance release
2022-04-14 FIX: Token "Without2FA" was not always working with LDAP users
           ENH: Telnyx SMS provider support
           ENH: AD/LDAP synced users with a "Without2FA" token don't need any licence
           ENH: Email token is now supported for multiOTP Credential Provider (for Windows)
           ENH: multiOTP Credential Provider: if username doesn't exist, the domain name is shortened step by step
2022-02-10 FIX: Upgrade process issue
2022-01-20 FIX: Device defined with is now supported for multiOTP Credential Provider connection
           FIX: Better mail server compatibility
2022-01-14 ENH: Enhanced multiOTP Credential Provider support
2021-11-18 ENH: Enhanced multiOTP Credential Provider support
2021-09-14 ENH: New OVA file with full VM distribution
           ENH: Removed multicast support on the network card
2021-08-19 ENH: Added compatibility with new multiOTP Credential Provider (5.8.2 and further)
           ENH: Additional log messages
2021-04-08 ENH: eDirectory LDAP server support
2021-03-25 FIX: Cookie privacy (httponly and secure) backported to previous virtual appliances
           ENH: Weak SSL ciphers disabled
2021-03-21 ENH: Up to 7 days log entries available in the embedded log viewer
           ENH: Storage free space information on dashboard
2021-03-14 FIX: In some cases, the HOTP/TOTP was not well computed
2021-02-12 FIX: Better unicode handling
           ENH: Flexible licence support with demo licences
2020-09-20 ENH: New Sync Delete Retention Days option in order to purge nonexistent AD/LDAP users
                (default retention value: 30 days)
2020-08-31 FIX: Automatically clean the log before the last 100 days
           FIX: Too many ReadConfigData loops during initialization
           FIX: Backend configuration access optimized
           FIX: Better unicode handling
           ENH: Cookies with HTTPOnly and Secure flag
           ENH: Raspberry Pi 4B support
           ENH: Smaller size for binary firmware files
           ENH: Better custom Fortinet / ZyXEL support
2019-10-23 FIX: Configuration storage handling
           ENH: Generic web based SMS provider support
2019-10-22 ENH: Out of sync detection with specific error message
           ENH: New 64 bits OVA file with full VM distribution
           ENH: Enhanced custom SMS providers support
2019-07-17 FIX: Devices submask calculation error
2019-03-25 ENH: Enhanced error messages, more log information
           ENH: New QRcode library
           ENH: Added specific vendor device expert setup
2019-01-18 FIX: Update process for previous VM distribution
2019-01-18 FIX: Better IP address change handling
           ENH: If any, clean
                specific NTP DHCP option at every reboot
2019-01-07 FIX: Fix some without2FA algorithm issues
           FIX: Fix some RADIUS challenge/response issues
           ENH: Additional web based SMS providers support
                (Swisscom LA REST, Afilnet, Clickatell2, eCall, Nexmo, NowSMS, SMSEagle)
           ENH: New binary images available (version 008) for Virtual Appliances
           ENH: Better information on the dashboard
2018-08-22 FIX: Additional information and refresh rate in the CLI console
           ENH: Multiple semicolon separated "Users DN" now supported for AD/LDAP synchronization
2018-07-16 ENH: Active Directory nested groups support
                (user1 in groupA, groupA in groupB, setting the OTP groups to "groupB" will add user1)
           ENH: Enhanced AD/LDAP support for huge Microsoft Active Directory (much faster)
           ENH: "Base DN" and "Users DN" are now two different parameters ("Users DN" is optional)
2018-01-03 FIX: A user is sometimes created automatically (AD/LDAP sync) with a leading backslash
           ENH: Algorithm selection for automatic AD/LDAP creation
           ENH: Expired AD/LDAP password support
           ENH: multiOTP Credential Provider (for Windows) improvements
                (UPN support, default domain name supported and displayed, SMS request link)
2017-10-24 FIX: Depending on the configuration and the AD/LDAP cache feature, empty prefix AD/LDAP password may be accepted
2017-09-29 ENH: The proposed mOTP generator for Android/iOS is now OTP Authenticator
                New QRCode provisioning format for mOTP (compatible with OTP Authenticator)
2017-09-08 FIX: Fixed overly detailed information in the log when trying to detect a token serial number for self-registration
2017-05-16 ENH: VM platform version displayed on the console
2017-05-12 ENH: Web GUI enhanced performance for the hardware device edition
2017-05-10 FIX: A user cannot be created anymore with a leading backslash
           ENH: A replay during 60 seconds of the previous refused password is rejected, but the error counter is not incremented
           ENH: Group names are now always trimmed to avoid blank spaces
           ENH: Additional
                authentication options parameters for fine tuning
2017-01-26 FIX: Better Eastern European languages support
           ENH: UTC added in the list of time zones
           ENH: Huge AD/LDAP synchronization optimization
           ENH: In the template, the proposed TOTP/HOTP generator for Android/iOS is now FreeOTP Authenticator
           ENH: New "Local admin account" attribute for any user, which allows them to log in as an admin,
                using their username and their prefix (if any) and OTP password.
           ENH: An invalid login attempt on the console will send an alert to the Admin contact (if defined)
           ENH: Multiple purpose tokens provisioning format PSKCV10, like Gemalto e3050cL and t1050 tokens, is now supported.
           ENH: SOAP service available (compatible with OpenOTP SOAP service)
           ENH: Multiple groups per user can be enabled (not all devices support multiple groups)
           ENH: Using AD/LDAP password instead of PIN code can be overwritten or not for all synchronized users
2016-11-14 FIX: New customized templates were not always used by the system
           ENH: Syslog process improved
           ENH: Log messages better categorized and ordered
           ENH: RC4 removed from available SSL ciphers
2016-11-04 ENH: Performance optimization
           ENH: External packages update
2016-10-16 ENH: Performance optimization
2016-10-03 FIX: SSL connection was not working well due to security upgrade
2016-10-03 FIX: Fix some configuration backup/restore issues
           ENH: Accounts can now be created based on other record than the UserId (like the Mail attribute)
           ENH: Cached requests supported (cached during a specific amount of time, useful for WebDAV authentication)
2016-08-06 FIX: Better enhanced characters support in customized templates
           ENH: Better restore handling from the open source edition
           ENH: A try on the previous password is rejected, but the error counter is not incremented
           ENH: It's now possible to check an account from the dashboard
2016-08-02 FIX: SSL AD/LDAP connection was not always working with Windows 2008R2
2016-07-29 FIX: MS-CHAP and MS-CHAPv2 authentication failed in
                some specific cases
           FIX: SSL AD/LDAP also supported with Windows 2012 server
           FIX: Generated QRcode for mOTP was not compatible with Token2 app
           FIX: Special AD/LDAP chars support enhanced (as described in RFC4515)
           ENH: Unified configuration backup and restore format for all editions
           ENH: User documents language can be based on the user preferred language (synced with AD/LDAP)
           ENH: Better large AD/LDAP support
           ENH: AD/LDAP additional log information
           ENH: The first matching group defined in AD/LDAP group(s) filtering is now defined for the user
                (this group is returned as the Filter-Id (11) option in a successful RADIUS answer)
2015-07-18 FIX: Creation of new users using AD/LDAP takes too long if a welcome mail must be sent
           FIX: Message said that added license was not successfully added, even if it was
           ENH: QRcode generation for mOTP (motp://[SITENAME]:[USERNAME]?secret=[SECRET-KEY])
2015-07-15 FIX: scratch password PDF generation doesn't crash anymore when enhanced characters are used
           ENH: multi_account automatic support, based on the description in AD/LDAP
           ENH: Appliance is now available as a VMware appliance with open vm tools
           ENH: Appliance is now available as a Hyper-V appliance
2015-06-09 FIX: an empty user name is now directly refused
           FIX: prefix PIN can contain a minus (-) sign
           ENH: issuer of the software tokens can be customized (default is multiOTP)
           ENH: token length error information added in the log
           ENH: autoresync is now enabled
           ENH: SSL performance improvement
           ENH: multiOTP command line client support added (works with MultiOneTimePassword-CredentialProvider)
           ENH: enhanced information in the log about PDF generation
2014-12-15 FIX: system name can now be modified also on virtual appliance
           ENH: expired accounts in Active Directory are now also synced as disabled
           ENH: better generic LDAP sync of the description of the users
           ENH: better generic LDAP sync of the members of a group
           ENH: expired or disabled accounts in generic LDAP are now also synced as disabled
           ENH: online help integrated in the GUI (partial content)
2014-12-09 FIX: bug fix concerning aspsms provider
           FIX: after some modifications, the GUI was not refreshed correctly
           FIX: OTP with integrated serial numbers better supported
           FIX: Poodlebleed Bug fixed (SSLv3 disabled)
           ENH: AD/LDAP synchronization is quicker and supports bigger trees
           ENH: generic LDAP support (instead of Microsoft AD support only)
           ENH: if users are synced with an AD, it's now possible to use the AD/LDAP password instead of the PIN code
           ENH: provisioning information can be mailed to a single administrator email address
           ENH: GUI partially redesigned
           ENH: Yubico OTP support, including keys import (
           ENH: scratch passwords also need the prefix PIN if it's activated
2014-04-13 FIX: Heartbleed bug patched
2014-04-06 FIX: when a user is deleted, the token(s) attributed to this user is/are unassigned
           FIX: RADIUS operations are back in the log
           ENH: when email is requested, scratch passwords are also sent as an attached file
           ENH: better configuration reset button support
2014-03-27 ENH: template models are available from the GUI
2014-03-13 ENH: special chars in user name are now supported (but still not recommended)
2014-03-13 ENH: automatically created user can receive provisioning email automatically
           ENH: enhanced GUI interface with waiting wheel and status bar
           ENH: customized template also for the provisioning email
           ENH: additional options to configure the email server
2014-03-03 ENH: users creation/activation/deactivation based on AD/LDAP content
           ENH: scheduled configuration backup per FTP or email
           ENH: better customized templates support
           ENH: access to the last 512 entries of the log file
2014-02-07 FIX: backend was already logged off, but frontend was still alive
           FIX: empty token could appear when a hardware token was attributed to a user
           ENH: MS-CHAP and MS-CHAPv2 authentication support
           ENH: enhanced GUI with extended options
2014-01-28 First public pre-release


OTHER PROJECTS USED BY MULTIOTP PRO
===================================

barcode (MIT License)
Kreative Software

CryptoJS (BSD New)
This product contains software provided by Jeff Mott.

FreeRADIUS (BSD)
This product contains software provided by FreeRADIUS team and its contributors.

md5 JavaScript 2010 algorithm (BSD)
Joseph Myers, Paul Johnston, Greg Holt, Will Bond

Nginx (BSD)
This product contains software provided by Nginx, Inc. and its contributors.

NuSOAP - PHP Web Services Toolkit (LGPLv2.1)
NuSphere Corporation

phpseclib (MIT License)
MMVI Jim Wigginton

PHP LDAP CLASS FOR MANIPULATING ACTIVE DIRECTORY (LGPLv2.1)
Scott Barnett - enhanced by SysCo

Sencha Ext JS (GPLv3)
Sencha Inc.

TCPDF (LGPLv3)
Nicola Asuni

XML Parser Class (LGPLv3)
Adam A. Flynn - enhanced by SysCo

XPertMailer package (LGPLv2.1)
Tanase Laurentiu Iulian


The source files of the core of multiOTP can be downloaded at

```
Hash verification for
SHA256:995a93e2538829144c5bc9700a3d8010503b4881ca0b4c03d7bbad75d225c0b7
SHA1:e6af279943cc617a0dca8413c7219b192802589b
MD5:97904a663c7429f79409f3f0ec82f63d
```