multiOTP Pro
============
multiOTP Pro is a strong two-factor authentication device
multiOTP Pro is OATH certified for HOTP/TOTP

(c) 2010-2025 SysCo systemes de communication sa
https://www.multiOTP.com/

Current build: 5.9.9.1 (2025-01-20)

Table of contents
 * What's new in this release
 * Wishlist for future releases
 * Change Log of released versions


WHAT'S NEW IN THIS 5.9.x RELEASE
================================
- New Hyper-V and OVA appliances available (version 011, based on Debian 11)
- Enhanced special ISO characters support (including octal encoded)
- {MultiotpUserAccount} tag can be used in templates
- {MultiotpUserDisplayName} tag (AD/LDAP DisplayName) can be used in templates
- New open source on-premises SMS provider support (https://github.com/multiOTP/SMSGateway)


RASPBERRY PI DISTRIBUTION
=========================
Please note that an optimized Raspberry Pi binary image is
available for any multiOTP Enterprise appliance customer.


MULTIOTP CREDENTIAL PROVIDER
============================
multiOTP Credential Provider is a compatible open source Credential Provider
for Windows 7/8/8.1/10/11/2012(R2)/2016/2019/2022 in 64 bits, with caching
support option (for offline connection), RDP only 2FA, and some other options.
To download it: https://github.com/multiOTP/multiOTPCredentialProvider


CHANGE LOG OF RELEASED VERSIONS
===============================
2025-01-20 5.9.9.1 FIX: Case sensitivity issue has been fixed with MSCHAPv2 authentication (thanks Alexey)
                   ENH: Created users are trimmed to avoid bad space prefix/suffix during copy/paste
                   ENH: multiOTP Credential Provider enhanced support
2025-01-10 5.9.8.3 FIX: {MultiotpUserDisplayName} tag usage in templates (was not replaced in the QRcode)
                   ENH: New Message-Authenticator requirement support for FortiGate v7.2.10+, v7.4.5+ and v7.6.1+
2024-08-26 5.9.8.0 ENH: Spryng SMS provider support
                   ENH: Device with description containing "Fortinet" will send two additional RADIUS attributes
                        (ATTRIBUTE Fortinet-Group-Name 1 string, ATTRIBUTE Fortinet-Access-Profile 6 string)
                   ENH: Device with description containing "ZyXEL" will send one additional RADIUS attribute
                        (ATTRIBUTE User-type 1 string admin/limited-admin/user/guest)
2024-05-03 5.9.7.2 FIX: without2fa token can now be correctly converted to TOTP with default 30 seconds time interval
                   FIX: Without2fa tokens with prefix pin were not working with CHAP/MSCHAP/MSCHAPv2
2023-11-23 5.9.7.0 ENH: New Raspberry Pi distribution binary (for Enterprise appliance only)
                   ENH: Upgrade of internal tools
                   INF: This is the last available version for the physical multiOTP Pro 420B device
2023-10-12 5.9.6.9 FIX: Dashboard new firmware information is available again
2023-09-22 5.9.6.7 ENH: Without2FA tokens cannot be used for multi_account connection
2023-08-09 5.9.6.6 FIX: Prefix PIN information was sometimes missing on the provisioning info
                   ENH: New Raspberry Pi distribution binary (for Enterprise appliance only)
2023-07-07 5.9.6.5 FIX: Better Raspberry Pi support (for Enterprise appliance only)
2023-05-10 5.9.6.1 FIX: Automated concurrent access for the same user with "Without2FA" token could corrupt the user file
                   FIX: Template updated to display correct information for "Without2FA" tokens
                   FIX: Enhanced backup process, some configuration may be missing in the backup depending on the initial firmware version
                   ENH: Template updated to print bigger QRcode for "MOTP-XML" tokens
                   ENH: Adding on-premises smsgateway (https://github.com/multiOTP/SMSGateway) as a new SMS provider
                   ENH: Better warning messages when AD/LDAP password failed
2023-01-19 5.9.5.5 FIX: Challenge/response RADIUS was not always working correctly since version 5.9.3.1
2022-11-11 5.9.5.0 ENH: It's now possible to define a special AD/LDAP group to attribute "Without2FA" token to specific users
2022-11-04 5.9.4.0 ENH: Enhanced multiOTP Credential Provider (for Windows)
2022-10-27 5.9.3.2 ENH: New BeagleBone Black based devices have been upgraded to Debian 11
2022-10-21 5.9.3.1 FIX: Better special characters support in username and password
                   FIX: Better special characters support for RADIUS secret
                   ENH: The locked accounts list now also lists the temporary delayed accounts
                   ENH: Accounts with Without2FA tokens can now also be stored in cache
2022-08-10 5.9.2.1 ENH: Enhanced Without2FA support, bypassing the 2FA in Credential Provider (for Windows)
2022-06-17 5.9.1.0 FIX: Scratch list was empty in some cases
                   ENH: Enhanced multiOTP Credential Provider (for Windows)
2022-05-26 5.9.0.3 FIX: User accounts containing octal encoded ISO characters are now also converted to UTF
                   FIX: {MultiOtpVersion} is now correctly replaced in scratchtemplate.html
                   ENH: {MultiotpUserDisplayName} tag (AD/LDAP DisplayName) can be used in templates
2022-05-18 5.9.0.0 FIX: User accounts containing special ISO characters are now also converted to UTF
                   ENH: New Hyper-V and OVA appliances available (version 011, based on Debian 11)
                   ENH: {MultiotpUserAccount} tag can be used in templates
2022-04-28 5.8.7.0 ENH: Enhanced log information for refused connection
                   ENH: Code cleaning to support next appliance release
2022-04-14 5.8.6.1 FIX: "Without2FA" tokens were not always working with LDAP users
                   ENH: Telnyx SMS provider support
                   ENH: AD/LDAP synced users with "Without2FA" token don't need any licence
                   ENH: Email token is now supported for multiOTP Credential Provider (for Windows)
                   ENH: multiOTP Credential Provider: if username doesn't exist, the domain name is shortened step by step
2022-02-10 5.8.5.5 FIX: Upgrade process issue
2022-01-20 5.8.5.2 FIX: Device defined with 0.0.0.0/0 is now supported for multiOTP Credential Provider connection
                   FIX: Better mail server compatibility
2022-01-14 5.8.5.1 ENH: Enhanced multiOTP Credential Provider support
2021-11-18 5.8.3.2 ENH: Enhanced multiOTP Credential Provider support
2021-09-14 5.8.3.0 ENH: New OVA file with full VM distribution
                   ENH: Removed multicast support on the network card
2021-08-19 5.8.2.9 ENH: Added compatibility with new multiOTP Credential Provider (5.8.2 and further)
                   ENH: Additional log messages
2021-04-08 5.8.2.1 ENH: eDirectory LDAP server support
2021-03-25 5.8.1.9 FIX: Cookie privacy (httponly and secure) backported to previous virtual appliances
                   ENH: Weak SSL ciphers disabled
2021-03-21 5.8.1.2 ENH: Up to 7 days log entries available in the embedded log viewer
                   ENH: Storage free space information on dashboard
2021-03-14 5.8.1.1 FIX: In some cases, the HOTP/TOTP was not well computed
2021-02-12 5.8.1.0 FIX: Better unicode handling
                   ENH: Flexible licence support with demo licences
2020-09-20 5.8.0.2 ENH: New Sync Delete Retention Days option in order to purge
                        nonexistent AD/LDAP users (default retention value: 30 days)
2020-08-31 5.8.0.0 FIX: Clean automatically the log before the last 100 days
                   FIX: Too many ReadConfigData loops during initialization
                   FIX: Backend configuration access optimized
                   FIX: Better unicode handling
                   ENH: Cookies with HTTPOnly and Secure flag
                   ENH: Raspberry Pi 4B support
                   ENH: Smaller size for binary firmware files
                   ENH: Better custom Fortinet / ZyXEL support
2019-10-23 5.6.1.4 FIX: Configuration storage handling
                   ENH: Generic web based SMS provider support
2019-10-22 5.6.1.3 ENH: Out of sync detection with specific error message
                   ENH: New 64 bits OVA file with full VM distribution
                   ENH: Enhanced custom SMS providers support
2019-07-17 5.5.0.1 FIX: Devices submask calculation error
2019-03-25 5.4.1.8 ENH: Enhanced error messages, more log information
                   ENH: New QRcode library
                   ENH: Added specific vendor device expert setup
2019-01-18 5.4.1.6 FIX: Update process for previous VM distribution
2019-01-18 5.4.1.4 FIX: Better IP address change handling
                   ENH: If any, clean specific NTP DHCP option at every reboot
2019-01-07 5.4.1.1 FIX: Fix some without2FA algorithm issues
                   FIX: Fix some RADIUS challenge/response issues
                   ENH: Additional web based SMS providers support
                        (Swisscom LA REST, Afilnet, Clickatell2, eCall, Nexmo, NowSMS, SMSEagle)
                   ENH: New binary images available (version 008) for Virtual Appliances
                   ENH: Better information on the dashboard
2018-08-22 5.3.0.1 FIX: Additional information and refresh rate in the CLI console
                   ENH: Multiple semicolon separated "Users DN" now supported for AD/LDAP synchronization
2018-07-16 5.2.0.2 ENH: Active Directory nested groups support
                        (user1 in groupA, groupA in groupB, setting the OTP groups to "groupB" will add user1)
                   ENH: Enhanced AD/LDAP support for huge Microsoft Active Directory (much faster)
                   ENH: "Base DN" and "Users DN" are now two different parameters ("Users DN" is optional)
2018-01-03 5.1.0.1 FIX: A user is sometimes created automatically (AD/LDAP sync) with a leading backslash
                   ENH: Algorithm selection for automatic AD/LDAP creation
                   ENH: Expired AD/LDAP password support
                   ENH: multiOTP Credential Provider (for Windows) improvements
                        (login@domain.name UPN support, default domain name supported and displayed, SMS request link)
2017-10-24 5.0.5.4 FIX: Depending on the configuration and the AD/LDAP cache feature, empty prefix AD/LDAP password may be accepted
2017-09-29 5.0.5.3 ENH: The proposed mOTP generator for Android/iOS is now OTP Authenticator
                        New QRCode provisioning format for mOTP (compatible with OTP Authenticator)
2017-09-08 5.0.5.0 FIX: Too much detailed information was written to the log when trying
                        to detect a token serial number for self-registration
2017-05-16 5.0.4.4 ENH: VM platform version displayed on the console
2017-05-12 5.0.4.3 ENH: Web GUI enhanced performance for the hardware device edition
2017-05-10 5.0.4.1 FIX: A user cannot be created anymore with a leading backslash
                   ENH: A replay during 60 seconds of the previous refused password is rejected,
                        but the error counter is not incremented
                   ENH: Group names are now always trimmed to avoid blank spaces
                   ENH: Additional authentication options parameters for fine tuning
2017-01-26 5.0.3.4 FIX: Better Eastern European languages support
                   ENH: UTC added in the list of time zones
                   ENH: Huge AD/LDAP synchronization optimization
                   ENH: In the template, the proposed TOTP/HOTP generator for Android/iOS is now FreeOTP Authenticator
                   ENH: New "Local admin account" attribute for any user, which allows them to log in as
                        an admin, using their username and their prefix (if any) and OTP password.
                   ENH: An invalid login attempt on the console will send an alert to the Admin contact (if defined)
                   ENH: Multiple purpose tokens provisioning format PSKCV10,
                        like Gemalto e3050cL and t1050 tokens, is now supported.
                   ENH: SOAP service available (compatible with OpenOTP SOAP service)
                   ENH: Multiple groups per user can be enabled (not all devices support multiple groups)
                   ENH: Using AD/LDAP password instead of PIN code can be overwritten or not for all synchronized users
2016-11-14 5.0.3.0 FIX: New customized templates were not always used by the system
                   ENH: Syslog process improved
                   ENH: Log messages better categorized and ordered
                   ENH: RC4 removed from available SSL ciphers
2016-11-04 5.0.2.6 ENH: Performance optimization
                   ENH: External packages update
2016-10-16 5.0.2.5 ENH: Performance optimization
2016-10-03 5.0.2.3 FIX: SSL connection was not working well due to security upgrade
2016-10-03 5.0.2.2 FIX: Fix some configuration backup/restore issue
                   ENH: Accounts can now be created based on other record than the UserId (like the Mail attribute)
                   ENH: Cached requests supported (cached during a specific amount of time, useful for WebDAV authentication)
2016-08-06 5.0.1.5 FIX: Better enhanced characters support in customized templates
                   ENH: Better restore handling from the open source edition
                   ENH: A try on the previous password is rejected, but the error counter is not incremented
                   ENH: It's now possible to check an account from the dashboard
2016-08-02 5.0.1.4 FIX: SSL AD/LDAP connection was not always working with Windows 2008R2
2016-07-29 5.0.1.3 FIX: MS-CHAP and MS-CHAPv2 authentication failed in some specific cases
                   FIX: SSL AD/LDAP also supported with Windows 2012 server
                   FIX: Generated QRcode for mOTP was not compatible with Token2 app
                   FIX: Special AD/LDAP chars support enhanced (as described in RFC4515)
                   ENH: Unified configuration backup and restore format for all editions
                   ENH: User documents language can be based on the user preferred language (synced with AD/LDAP)
                   ENH: Better large AD/LDAP support
                   ENH: AD/LDAP additional log information
                   ENH: The first matching group defined in AD/LDAP group(s) filtering is now defined for the user
                        (this group is returned as the Filter-Id (11) option in a successful RADIUS answer)
2015-07-18 4.3.2.6 FIX: Creation of new users using AD/LDAP took too long if a welcome mail must be sent
                   FIX: Message said that added license was not successfully added, even if it was
                   ENH: QRcode generation for mOTP (motp://[SITENAME]:[USERNAME]?secret=[SECRET-KEY])
2015-07-15 4.3.2.5 FIX: scratch password PDF generation doesn't crash anymore when enhanced characters are used
                   ENH: multi_account automatic support, based on the description in AD/LDAP
                   ENH: Appliance is now available as a VMware appliance with open vm tools
                   ENH: Appliance is now available as a Hyper-V appliance
2015-06-09 4.3.2.2 FIX: an empty user name is now directly refused
                   FIX: prefix PIN can contain a minus (-) sign
                   ENH: issuer of the software tokens can be customized (default is multiOTP)
                   ENH: token length error information added in the log
                   ENH: autoresync is now enabled
                   ENH: SSL performance improvement
                   ENH: multiOTP command line client support added (works with MultiOneTimePassword-CredentialProvider)
                   ENH: enhanced information in the log about PDF generation
2014-12-15 4.3.1.1 FIX: system name can now be modified also on virtual appliance
                   ENH: expired accounts in Active Directory are now also synced as disabled
                   ENH: better generic LDAP sync of the description of the users
                   ENH: better generic LDAP sync of the members of a group
                   ENH: expired or disabled accounts in generic LDAP are now also synced as disabled
                   ENH: online help integrated in the GUI (partial content)
2014-12-09 4.3.1.0 FIX: bug fix concerning aspsms provider
                   FIX: after some modifications, the GUI was not refreshed correctly
                   FIX: OTP with integrated serial numbers better supported
                   FIX: Poodlebleed Bug fixed (SSLv3 disabled)
                   ENH: AD/LDAP synchronization is quicker and supports bigger trees
                   ENH: generic LDAP support (instead of Microsoft AD support only)
                   ENH: if users are synced with an AD, it's now possible to use the AD/LDAP password instead of the PIN code
                   ENH: provisioning information can be mailed to a single administrator email address
                   ENH: GUI partially redesigned
                   ENH: Yubico OTP support, including keys import (http://yubico.com/yubikey)
                   ENH: scratch passwords also need the prefix PIN if it's activated
2014-04-13 4.2.4.2 FIX: Heartbleed bug patched
2014-04-06 4.2.4.1 FIX: when a user is deleted, the token(s) attributed to this user is/are unassigned
                   FIX: RADIUS operations are back in the log
                   ENH: when email is requested, scratch passwords are also sent as an attached file
                   ENH: better configuration reset button support
2014-03-27 4.2.3.9 ENH: template models are available from the GUI
2014-03-13 4.2.3.1 ENH: special chars in user name are now supported (but still not recommended)
2014-03-13 4.2.3.0 ENH: automatically created user can receive provisioning email automatically
                   ENH: enhanced GUI interface with waiting wheel and status bar
                   ENH: customized template also for the provisioning email
                   ENH: additional options to configure the email server
2014-03-03 4.2.2.0 ENH: users creation/activation/deactivation based on AD/LDAP content
                   ENH: scheduled configuration backup per FTP or email
                   ENH: better customized templates support
                   ENH: access to the last 512 entries of the log file
2014-02-07 4.1.2.0 FIX: backend was already logged off, but frontend was still alive
                   FIX: empty token could appear when a hardware token was attributed to a user
                   ENH: MS-CHAP and MS-CHAPv2 authentication support
                   ENH: enhanced GUI with extended options
2014-01-28 4.1.1.1 First public pre-release


OTHER PROJECTS USED BY MULTIOTP PRO
===================================

barcode (MIT License)
Kreative Software
https://github.com/kreativekorp/barcode

CryptoJS (BSD New)
This product contains software provided by Jeff Mott.
https://code.google.com/p/crypto-js/

FreeRADIUS (BSD)
This product contains software provided by FreeRADIUS team and its contributors.
http://freeradius.org/

md5 JavaScript 2010 algorithm (BSD)
Joseph Myers, Paul Johnston, Greg Holt, Will Bond
http://www.myersdaily.org/joseph/javascript/md5-text.html

Nginx (BSD)
This product contains software provided by Nginx, Inc. and its contributors.
http://nginx.org/

NuSOAP - PHP Web Services Toolkit (LGPLv2.1)
NuSphere Corporation
http://sourceforge.net/projects/nusoap/

phpseclib (MIT License)
MMVI Jim Wigginton
http://phpseclib.sourceforge.net/

PHP LDAP CLASS FOR MANIPULATING ACTIVE DIRECTORY (LGPLv2.1)
Scott Barnett - enhanced by SysCo
http://adldap.sourceforge.net/

Sencha Ext JS (GPLv3)
Sencha Inc.
http://cdn.sencha.com/ext/gpl/4.2.1/

TCPDF (LGPLv3)
Nicola Asuni
https://tcpdf.org/

XML Parser Class (LGPLv3)
Adam A. Flynn - enhanced by SysCo
http://www.criticaldevelopment.net/xml/

XPertMailer package (LGPLv2.1)
Tanase Laurentiu Iulian
http://xpertmailer.sourceforge.net/


The source files of the core of multiOTP can be downloaded at
https://download.multiOTP.net/
