What does LinOTP’s API-first development mean for you?

LinOTP – the open source MFA solution – is developed with an API-first strategy in mind. For us at KeyIdentity this does not mean to dogmatically follow each and every REST guideline but to think about the easiest yet most flexible way of introducing new features to our API in terms of simplicity of integration before the feature is actually implemented, while remaining backwards compatibility. Therefore, our API for all of our customers is feature complete.
For an integration product such as LinOTP, an easy integration into the user’s environment is probably the most important key feature. While historically LinOTP’s most used integration practice is based on the RADIUS protocol together with the FreeRADIUS server shipped with the KeyIdentity LinOTP Smart Virtual Appliance (SVA), the HTTP based API recently gains more and more importance. Especially for web applications LinOTP’s HTTP based API allows for easier and deeper integrations.
LinOTP features a stateless HTTP based API for validation, returning responses in the simple-to-parse JSON format. Request parameters may be sent as URL encoded data in a POST request’s body. This article will show what the API-first strategy means for you and how to integrate LinOTP into your own web applications.
To demonstrate LinOTP’s API by example, we show you how to integrate the QR Token into your environment.

How to integrate the KeyIdentity QR Token into your web application

The KeyIdentity QR Token introduced with LinOTP 2.9 is a smartphone based token used for securing authentications and transactions. To use the QR Token on your smartphone you need to install the KeyIdentity authenticator app for Android or iOS.
Unlike the OATH (Initiative for Open Authentication) tokens it features asymmetric cryptography. This allows your private key to stay solely on your smartphone while LinOTP only needs your public key for verifying your TANs or signatures. The private key is used to sign a payload (challenge) sent to the device via a QR Code.
Since you can include transaction data in the challenge the QR Token can be used for securing transactions. Thinking of online banking a TAN or signature generated for a transfer of 20$ to account A is only valid for this specific transfer and cannot be used by a man-in-the-middle attacker for legitimating other transactions.
The QR Token features an offline mode for smartphones without an internet connection. Instead of automatically sending the signature to LinOTP, a TAN is displayed in the authenticor app and can be entered to the web application manually.
Further, the QR Token may be used to enforce device separation.

In case you don’t need the offline mode or device separation you should have a look at the KeyIdentity Push Token recently introduced in LinOTP 2.9.1 for further improved usability. Integrating the Push Token is very similar to the steps shown below.


Integrating the KeyIdentity QR Token is as simple as implementing three API calls (only two in case you don’t want to support the offline mode).

Step 1

The first step is used to trigger a challenge containing the transaction data. Simply send an HTTP POST request to LinOTP’s “/validate/check” function containing the user to create the challenge for (“user”), the transaction data (“data”) and the user’s token PIN (“pass”). Depending on the configured otppin policy the token PIN is interpreted as a separate PIN per token, the user’s LDAP password or it is empty and ignored (“only_otp”).

$ curl --data "user=testuser&pass=&data=Transaction data%3A%0A%0AAmount%3A 10EUR%0ATo account%3A 12345678" https://[LINOTP]/validate/check

   "detail": {
      "linotp_tokenserial": "LSQR00165BA8",
      "transactionid": "562599548041",
      "message": "lseqr://chal/ASoAAADfWk97VrI6-qwSjbPzsw3L2ozi3m5Pd68yrGAWoereKjBxRqUa2-ujKvQZE6USlQe7k-y4RGgADs8zSjw_6U8mjYaageW-IxB_tYmjAsOKT0djGEyVdJmU3rG1zEZ1_aau7SmvVyaj_hNYGlmGvY4_IF2K1OGCt5z1AwgSANxp0SRPqqUs4XIgDdxNd6hOwHMyK0ZtUey0O_wd837uwhVDPi_w",
      "linotp_tokentype": "qr"
   "version": "LinOTP 2.9.1",
   "jsonrpc": "2.0802",
   "result": {
      "status": true,
      "value": false
   "id": 0

The JSON response contains an object called “detail” which includes the “transactionid” of the triggered challenge. This ID is a handle to the specific transaction and should be kept in memory for the steps to follow. The “message” field contains the challenge blob and must be presented to the user as a QR code. Libraries creating QR codes from strings are available for almost every programming language used to build web applications.

Step 2

Once the user scans the QR code the authenticator app sends the challenge response to the URL defined in the authentication policy scope, which is encoded in the QR code. For easiest integration this URL can be configured to point at the LinOTP server itself (see the note below for another integration technique). This allows the authenticator app to communicate directly with LinOTP and therefore does not need any additional API endpoints in your web application.
To get the current status of the transaction the web application can poll the “/validate/check_status” function. The needed parameters are “user” and “pass” (see step 1) and the “transactionid” received in the previous JSON response. Once LinOTP receives a successful response to the transaction challenge, the “valid_tan” field in the “detail.transactions.” object is set to “true”. Otherwise, this field’s value will be “false”.

$ curl --data "user=testuser&pass=&transactionid=562599548041" https://[LINOTP]/validate/check_status

    "detail": {
        "transactions": {
            "752931684012": {
                "status": "open",
                "token": {
                    "serial": "LSQR00165BA8",
                    "type": "qr"
                "received_tan": false,
                "message": "lseqr://chal/ASoAAADfWk97VrI6-qwSjbPzsw3L2ozi3m5Pd68yrGAWoereKjBxRqUa2-ujKvQZE6USlQe7k-y4RGgADs8zSjw_6U8mjYaageW-xB_tYmjAsOKT0djGEyVdJmU3rG1zEZ1_aau7SmvVyaj_hNYGlmGvY4_IF2K1OGCt5z1AwgSANxp0SRPqqUs4XIgDdxNd6hOwHMyK0ZtUey0O_wd837uwhVDPi_w",
                "received_count": 0,
                "valid_tan": false
    "version": "LinOTP 2.9.1",
    "jsonrpc": "2.0802",
    "result": {
        "status": true,
        "value": true
    "id": 0

Polling “/validate/check_status” is the easiest way of integrating the QR Token into your application. However, polling techniques may not be suitable for specific usecases, i.e. polling may cause significant workload for applications with many transactions.
For deeper integration and avoiding polling, LinOTP’s qrtoken_challenge_callback_url policy can be configured to point at an API endpoint of your web application. This endpoint should act as a reverse proxy to LinOTP’s “/validate/check_t” function. The validity of the received challenge response can be obtained directly from the “check_t” JSON response.

Step 3 – Offline Support

In case the user’s smartphone has no access to the internet during authentication, an 8-digit TAN is displayed to the user. For supporting this offline fallback method the web application may offer an input field. The TAN’s validity is checked against “/validate/check” using the parameters “user”, “transactionid” and “pass” with “pass” being the entered TAN. A boolean “true” in “result.value” is returned on a valid TAN, a boolean “false” otherwise.

$ curl --data "user=testuser&pass=35050186&transactionid=562599548041" https://[LINOTP]/validate/check

    "version": "LinOTP 2.9.1",
    "jsonrpc": "2.0802",
    "result": {
        "status": true,
        "value": true
    "id": 0

And that’s it. These three simple steps are enough to integrate the KeyIdentity QR Token into your web applications and to take the first step to secure your users’ data as well as their transactions.

Is your password putting you at risk?

One major cause of data breaches is the stolen password. Once hackers have an email address and password, a world of possibilities are open to them. The dangers are not just limited to the account they have access to. Their hacker’s next steps usually include not only selling the details to other criminals but also “credential stuffing”; taking the login details for one account and trying it on others. Imagine if your ISP account was hacked – your work email, online shopping and other accounts most people possess would be targeted.

Companies would do well to introduce Two Factor or Multi-Factor Authentication to protect their employee and customer digital identities. Put simply, this requires another authentication criteria to be satisfied before granting access to a site or account. Many large corporates are turning to 2FA to help derisk their customer’s exposure to a data theft. Sony Playstation, Apple, Instagram, and Gmail all offer this additional security measure.

Simply put Two Factor Authentication, requires two out of three regulatory-approved authentication variables such as:

  • Something you know (such an email password).
  • Something you have (the physical bank card or an authenticator token, which can be hardware or digital).
  • Something you are (biometrics like your finger print or iris pattern).

The majority of attacks come from remote connections and 2FA can make distance attacks much less of a threat because accessing passwords is not sufficient for access and it is unlikely that the attacker would also possess the physical device associated with the user account. Take the Dropbox account holder hack for example. Hackers are unlikely to take your credentials and use them successfully on a second website if they are asked to provide a unique one-off code. It’s just too much work for them unless the gains are incredibly high. Each additional authentication factor makes a system more secure. Because the factors are independent, compromise of one account should not lead to the breach of others.

If your employer has a significant online presence, I would urge them to explore the potentials gains of 2FA. Of course KeyIdentity offers multiple solutions here, but irrespective of vendor the key principle is passwords alone are insufficient to provide adequate safeguards in the face of threats are expanding in scope and volume. Authentication should be able to perform whether you are online or offline, and in way that minimises user disruption. One of my favorite examples is Blizzard, the company who create games such as World of War Craft and Diablo, have a free authenticator, and it seems to work very effectively.

To sum up, if you want to avoid data about yourself, your company or organization and your customers being accessed:

  • Make your password non predictable and use unique passwords for each and every application
  • Check the privacy settings on any social media accounts, and turn them on if you haven’t already
  • Don’t use real birthdays and other identifiable data unless you really need to. Receiving a “Happy Birthday” email from a loyalty card provider a few days early or late is preferable to sharing a major personal identifier.
  • Do not enter easy answers to password forgetten questions. Best case choose something as answer that has nothing to do with the question at all. An example: What is the name of your dog? Answer:”I love companies that makes it so easy to attackers to steal my identity”.
  • Explore the benefits for 2FA or MFA inside your organization and look for it when you sign up for a new online service or similar.

Lastly, stay alert to any news of data breaches and immediately change your password or create a new account if you believe you have been affected. Don’t forget to also consider where else you may have used the same password and personal details. Hackers are constantly trying to get the better of us, so don’t give them any extra chances to succeed.


Why biometric authentication isn’t a silver bullet

There has been a lot of noise in the press recently about the rising tide of biometric authentication. The concept has been around for longer than many might think. For example, facial recognition was tested at the Superbowl in 2001, though the results were not widely circulated.

A few pioneering companies (particularly banks) are rolling out biometric trials, such as Standard Chartered in Asia, with finerprint and later voice recognition. In Singapore in particular, two rivals have both piloted voice authentication, DBS for customers dialling their call centre and OCBC for transaction authentication.

It’s not surprising – think of all the positives; easy-to-use, unique to the user, hard to share, tied to the individual’s own physical attributes and frankly, „cool“, as there is a sense of this is how our identities should be verified in a digital age.

Nothing could be meet the „something you are“ requirement than your voice, fingerprint or retina, so how can there be any downsides?

No security solution is without its drawbacks, and in the face of the biometric bandwagon, awareness of the following challenges helps balanced decision-making with all of the facts to hand:

You can’t change a fingerprint or retina scan: whilst of course this is in one sense a strength, it’s also a weakness. If your fingerprint is stolen and then used elsewhere there could be major financial and other wider implications. Unlike refreshing a password, how do you create a new fingerprint? It’s not so easy.

Biometrics are hackable: yes, even your fingerprints are. Tsutomo Masumoto made a working model based on „gummy bear“ material, initially from a live fingerprint and later from a fingerprint left on a physical object.

Creepy vs cool: a recent retail study found signifcant dfferences aomgst consumers in how they viewed a store’s knowledge about them. Whilst some groups saw recognising them by name as they walked the floor as „cool“, others found the possession of certain information to be „creepy“. Not every user wants to share their physical details with a retail outlet for example.

Legalities: data security and privacy are seen as highly important in Germany, and whilst there are variations amongst countries in the way these topics are viewed, who holds biometric data, where they store it, how it is used, and which organisations they share this with have many political, ethical and legal implications, and given how new biometrics are, many legal precedents have not yet been established. Facial recognition is legal in many US states for example, yet in other parts of the world this may not be the case.

False positives: Imagine the accuracy of biometric readings is 98-99% – that’s pretty good, no? Not if you have 10,000 employees entering offices around the world or logging in each day. 98% accuracy means 200 colleagues will not be able to start work on time. Imagine an issue with a fingerprint sensor at an entry door to the building and the queue of impatient co-workers behind the unfortunate blocked user. How many security teams look forward to a mass resetting of entry systems?

Individual use vs high volume: whilst fingerprint recognition might work to access a personal smartphone, it may not be suitable for far higher volume authetication requirements. If hundreds of people are entering a building at the same time,

Don’t underestimate a hacker’s determination: with every new security technology announced, there is sure to be a group of hackers eagerly awaiting the challenge of overcoming it, biometric or not. Retina and facial recognition for example is already being tricked by hi-res photographs of the individual, 3D models and more. Phone calls can be recorded to capture voices, keyboard strokes recorded to learn the typing cadence, and so forth. Whilst this is a lot of work to crack each account, high net worth individuals or celebrities may be viewed as targets worth investing time in.

If you’d like to dive deeper into the topic, there is a great Wired article summarising the legal, technical and ethical complexity involved in biometric authentication.

In the meantime, review any authentication option with an open mind and keep asking the „What if?“ questions. Explore the volume of users, use cases and level of security required; not every solution matches every scenario.


LSE announces a number of new product updates for multi-factor authentication

Germany-based LSE Leading Security Experts GmbH, a holding of MAX21 Management und Beteiligungen AG (stock market symbol: MA1, ISIN: DE000A0D88T9), will expand its family of adaptive multi-factor authentication products during the second quarter of 2016. Among other updates, an offline authentication facility will be gradually integrated into the product suite. Unlike conventional OTP tokens, this new approach enables strong authentication even without a direct connection to the LSE LinOTP server.

LSE LinOTP Offline Authentication

This cross-product feature will allow companies to provide mobile workers with a secure form of offline authentication. This is particularly relevant for employees who travel a lot, or who work abroad without a direct connection to the company’s network and thus the backend OTP server. “Previously, secure two-factor authentication methods with OTP were limited to devices with a permanent network connection. Now mobile devices such as notebook computers can also be protected with real and cryptographically valid multifactor authentication schemes,” says Sven Walther, Managing Director and CTO of LSE Leading Security Experts GmbH.

Unlike other solutions being marketed, the process developed by LSE does not require secret material to be stored on the system being authenticated. The feature will become available to customers during the second quarter of 2016 through update releases of LSE LinOTP, LSE LinOTP authentication providers, and the new LSE LinOTP multi-token app.

LSE LinOTP Multi-Token App: OATH compliant

The LSE LinOTP multi-token app is an integral component of the new LinOTP family of offline authentication products. In addition to the LSE LinOTP QR token, the multi-token app supports tokens for OATH TOTP and HOTP and is therefore compatible with all OATH-based systems (like Google, Dropbox, Github, and many others). Access to the app’s data is password-protected by default. Key data can be transmitted in conjunction with LinOTP in a separately protected secure roll-out process. Initially, this solution will be available for iOS and Android.

RPM packages for simplified installation of Red Hat-based systems

During the second quarter of 2016, LSE will provide its customers with LinOTP repositories containing RPM packages. This expands the support of packaged deployment to systems based on RHEL 7 and RHEL 6. The installation for Red Hat-based systems will be streamlined and allows faster deployment using various optimized configuration templates. The LSE LinOTP RPM packages for RHEL 6/7-based systems supplement the LSE range of packages for Debian “Jessie” 8, Ubuntu 12.04, and Ubuntu 14.04.

LSE LinOTP authentication provider for Microsoft Windows and OS X®

In the course of regular product updates, the family of LSE LinOTP authentication providers will expand to include the OS X® operating system in addition to the Microsoft Windows and Linux operating systems, and for the first time offer OS X® strong offline authentication with access to LSE LinOTP. The LSE LinOTP authentication provider for Microsoft Windows will be enhanced to allow a direct connection of the LinOTP API via encrypted channels based on HTTPS.

About LSE Leading Security Experts GmbH

Since its establishment in 2002, LSE Leading Security Experts GmbH, based in Darmstadt / Weiterstadt, has made a name for itself as a leading manufacturer in the field of login security and user authentication as well as a provider of consulting services in the security industry. Within the company there are two independent operating divisions: The first division specializes in adaptive multi-factor authentication (MFA/2FA) and the specially developed open-source LSE LinOTP technology, the second division provides penetration testing, vulnerability assessment and code review services. Customers of LSE include national and international corporate customers, financial institutions, government agencies, and small and medium-sized enterprises. LSE is a part of the listed MAX21 group of companies (MA1).

Strategische Entscheidung für sehr hohes Sicherheitsniveau: Die Bedag Informatik AG setzt auf Multi-Faktor-Authentifizierung mit LSE LinOTP

Die LSE Leading Security Experts GmbH hat mit der Bedag Informatik AG eine Partnerin gewonnen, die als führendes Schweizer IT-Dienstleistungsunternehmen gilt und die hauptsächlich öffentliche Verwaltungen und Betriebe der Schweiz, Unternehmen im Gesundheits- und Versicherungswesen sowie UN-Organisationen zu ihren Kunden zählt. Die Firma befindet sich zu 100 Prozent im Eigentum des Schweizer Kantons Bern.

Die Bedag setzt LinOTP bereits in ihrem eigenen Unternehmen ein und hat die LSE-Multi-Faktor-Authentifizierung zuletzt auch bei der Verwaltung des Kantons Bern integriert. Der Einsatz von Zwei-Faktor- oder Multi-Faktor-Authentifizierung (MFA/2FA) bei LinOTP ist für Kunden dabei eine strategisch wichtige Maßnahme, um höchsten Ansprüchen an die IT-Sicherheit zu genügen.

Durch die Verwendung von Einmalpasswörtern (OTP = One Time Password) ergänzt LSE LinOTP bereits vorhandene Komponenten um die Abfrage mit einem weiteren Faktor, dem Einmalpasswort, erstellt durch OTP-Generatoren, mit Hardware-Token, Smartphone App, per E-Mail oder SMS. LSE LinOTP kann für die unterschiedlichsten Szenarien genutzt werden, bei denen eine hohe Anmeldesicherheit erwünscht ist, so die Anmeldung an Web-Diensten und -Portalen, VPN­Lösungen, Terminalservern, Clients, oder kundenspezifischen Anwendungen, aber auch für Cloud­Dienste und BYOD-Nutzungsmodelle (Bring Your Own Device).

Die Bedag hat für den Kanton Bern eine Standortlizenz (Site License) für eine unlimitierte Anzahl von Token bei der LSE erworben. Die Lösung der LSE – bestehend aus LSE LinOTP in Kombination mit der LSE LinOTP Smart Virtual Appliance – konnte sich im Rahmen einer vorangegangen, ausführlichen Evaluierung behaupten. Im ersten Schritt des allgemeinen Rollouts, der derzeit bereits erfolgt, liegt der Hauptfokus auf Applikationsanbindungen per Radius-Protokoll sowie auf der Einbindung der Citrix-Gateways, der Microsoft Outlook Web App (OWA) und der Mobilitätslösungen in das neue Sicherheitskonzept. Schwerpunkt dabei sind zunächst die Remote-Zugänge. Derzeit werden etwa 15.000 Arbeitsplätze des Kantons Bern umgestellt, um das hohe Maß an Sicherheit zu gewährleisten, welches im Umgang mit Personen-, Steuerdaten usw. unabdingbar ist.

„Die Bedag hat sich bewusst für die Multi-Faktor-Authentifizierungslösung LSE LinOTP entschieden. Dieses Open-Source-Produkt überzeugt uns durch seine transparente Technologie, Herstellerunabhängigkeit, Supportqualität und Kosteneffizienz. Ein wichtiger Faktor ist ferner die Mehrsprachigkeit. Neben Deutsch und Englisch punktet LSE LinOTP mit Französisch, was für Kunden in der mehrsprachigen Schweiz sehr wichtig ist“, erklärte Peter Schmutz, CEO der Bedag Informatik AG.

„Wir freuen uns sehr über diesen bedeutenden Auftrag aus der Schweiz, der über unseren LSE-LinOTP-Partner Bedag zustande gekommen ist. Datenschutz und Datensicherheit sind gerade in der öffentlichen Verwaltung ein großes Thema. Die sichere Benutzeranmeldung mittels starker Authentisierung ist eine entscheidende Komponente im Gesamtsicherheitskonzept von Behörden, aber auch Unternehmen. Die plattformübergreifende Lösung mit LSE LinOTP hilft, solche Sicherheitsziele erfolgreich umzusetzen“, kommentierte Sven Walther, Geschäftsführer und CTO der LSE Leading Security Experts GmbH.

Über LinOTP          

LSE LinOTP ist eine adaptive Multi-Faktor-/ Zwei-Faktor-Authentifizierungslösung (MFA/ 2FA), welche herstellerunabhängig verschiedenste Verfahren, Token und Tokenformfaktoren unterstützt. Dank der hochmodularen Architektur bietet LSE LinOTP ein breite Anbindung von Authentisierungsprotokollen, Datenbanken und Schnittstellen . Die für Transparenz stehende Open Source-Technologie der LSE ist mandantenfähig, leicht skalierbar, bedienerfreundlich und lässt sich durch die LSE LinOTP Smart Virtual Appliance (SVA) schnell und einfach integrieren. Mit Hilfe von LSE LinOTP Enterprise Lösungen können Unternehmen höchste Sicherheitsanforderungen in Ihrer Produktivumgebung mühelos durchsetzen.

Über die LSE Leading Security Experts GmbH

Die LSE Leading Security Experts GmbH mit Sitz in Darmstadt/Weiterstadt hat sich seit ihrer Gründung im Jahr 2002 einen Namen als führender Hersteller im Bereich Anmeldesicherheit und Benutzerauthentifizierung sowie als Consulting-Dienstleister in der Security-Branche gemacht. Innerhalb des Unternehmens operieren zwei Geschäftsbereiche unabhängig voneinander: Der erste Bereich ist auf die adaptive Multi-Faktor-Authentifizierung (MFA/2FA) mit der eigens entwickelten Open-Source-Technologie LSE LinOTP spezialisiert, der zweite Bereich bietet Penetrationstests, Schwachstellenanalysen und Code Reviews als Dienstleistung an. Zu den Kunden der LSE zählen nationale und internationale Großkunden, Finanzinstitute, Behörden sowie mittelständische Unternehmen. LSE gehört zur börsennotierten MAX21-Unternehmensgruppe (MA1).

Über die Bedag Informatik AG

Die Bedag ist mit einem Umsatz von über 100 Mio. Franken ein führendes schweizerisches IT-Dienstleistungsunternehmen. Mit über 400 Mitarbeiterinnen und Mitarbeitern – wovon über 20 Lernende – verfügt sie über ein breites und fundiertes Informatik-Know-how. Ihr Kerngeschäft ist die Entwicklung, die Wartung und der Betrieb von geschäftskritischen Informatiklösungen. Damit ermöglicht sie ihren Kunden einen wirtschaftlichen und sorgenfreien Informatikeinsatz. Mit einem Netz von hochsicheren Rechenzentren sowie Standorten in Bern, Aarau, Delémont, Genf, Lausanne und Wettingen ist sie regional stark präsent. Ihre Kunden sind hauptsächlich öffentliche Verwaltungen und Betriebe, Unternehmen im Gesundheits- und Versicherungswesen sowie UN-Organisationen. Die Bedag wurde 1990 gegründet und befindet sich im Eigentum des Kantons Bern.

Weitere Informationen unter:



LSE introduces the new version of its multi-factor authentication and OTP solution: LinOTP 2.8.1 supports multiple languages and has improved features

LSE Leading Security Experts GmbH is introducing LinOTP 2.8.1, the latest version of its vendor independent solution for adaptive multi-factor and 2-factor authentication and OTP processes (OTP: one time passwords).

LSE is now offering its latest LinOTP version in Spanish, French, Italian, and simplified Chinese in addition to the previously available English and German. In addition to the expanded available languages, LinOTP 2.8.1 has new features for monitoring and improved capabilities for server migration and complex setups. The improved user filters and support for HSM (hardware security module) migrations are also new.

With the additional languages, LSE has consistently continued to internationalise the LinOTP product line. The larger selection of available languages applies to both the self-service user portal as well as the management interfaces. “We appreciate the opportunity to provide more users worldwide with multi-factor- or two-factor-authentication,” states Sven Walther, Managing Director and CTO of LSE Leading Security Experts GmbH.

New options for monitoring

LSE is introducing a new API for monitoring internal LinOTP processes with LinOTP 2.8.1. This provides, for example, information on the statistics and the status of the tokens, the status of the HSM (hardware security module) encoding, and the status of the UserIDResolver with configurable permissions.

Improved features for server migration and complex setups

Previous features for routing registration data to other authentication servers have been improved with options for generic routing. This means migration scenarios and complex setups with multiple LinOTP instances are easier to model and administer.

Improved user filters

Today’s enterprise environments require a differentiated approach to user policy management. LinOTP 2.8.1 adds options for managing the configurations and policies based on user groups, user attributes, and regular expressions. This considerably simplifies detailed and complex permission scenarios in the setup.


HSM migration

In the new version of LinOTP it is now possible to migrate an HSM or a corresponding HSM cluster. LinOTP 2.8.1 includes features and tools to migrate data between two HSMs and thus makes it easier to update the HSM hardware. LinOTP supports PKCS#11-based HSM systems such as the SafeNet Network HSM (previously Luna SA).

About LinOTP                                        

LSE LinOTP is an adaptive multi-factor/two-factor authentication solution (MFA/2FA) that supports a wide variety of processes, tokens, and token form factors independent of the manufacturer. Thanks to high-module architecture, LSE LinOTP offers wide connectivity for authentication protocols, databases, and interfaces. The transparent open source technology of LSE Experts is client-capable, easily scalable, user-friendly, and can be quickly and easily integrated via the LSE LinOTP Smart Visual Appliance (SVA). By using LSE LinOTP Enterprise solutions, companies can effortlessly implement the highest security requirements in their productive environment.

About LSE Leading Security Experts GmbH

LSE Leading Security Experts GmbH, based in Darmstadt/Weiterstadt, has been making a name for itself since its foundation in 2002 as a leading manufacturer in the area of registration security and user authentication as well as a consulting service provider in the security sector. Within the company, two business areas operate separately from each other: the first specialises in adaptive multi-factor authentication (MFA/2FA) with the company-developed open source technology LSE LinOTP. The second offers penetration tests, vulnerability assessments, and code reviews as a service. Customers of LSE Experts include national and international major clients, financial institutes, authorities, and SMEs. LSE Experts are part of the listed MAX21 company group (MA1).

RSA Conference 2016: LSE introduces “LSE LinOTP Authentication Provider” for OS X® Operating system

Open Source:

Germany-based LSE, Leading Security Experts GmbH, a part of MAX21 Management group of companies (stock exchange symbol: MA1, ISIN: DE000A0D88T9) will be represented at RSA Conference, the world’s leading conference for IT Security in San Francisco, at booth #S815 South Expo as an OATH organization (initiative for Open Authentication) from February 29 to March 4, 2016. During this international event, LSE will present their latest product expansion for the OS X®operating system, “LSE LinOTP Authentication Provider”, which is the first adaptive multi-factor authentication (MFA/2FA) product for Mac platforms.

With its LSE LinOTP Authentication Provider, LSE is expanding the portfolio of existing authentication provider products for Microsoft Windows and Linux operating systems to OS X®. This token solution enables implementation on a cross-platform and cross-technology basis. The new product improves the login security with a One-Time Password solution (OTP). LSE LinOTP backend supports all existing OTP implementations, such as mobile apps (Google Authenticator, FreeOTP) and tokens (i.e. OATH, Yubikey). The configuration is done via an integrated OS X® Environment native configuration dialogue. Thanks to LSE LinOTP, adaptive multi-factor authentication (MFA/2FA) is being expanded to Mac environments.

LSE LinOTP Authentication Provider communicates with LinOTP backend via an encrypted HTTPS connection, which allows for high-availability scenarios with round-robin or load-balancing scenarios.

LSE will be represented as an OATH organization (Initiative for Open Authentication) at the RSA Conference, February 29 – March 4, 2016 at booth #S815 South Expo.

[OS X® is a registered trademark of Apple, Inc.

Microsoft and Windows are registered trademarks of the Microsoft Corporation in the US and other countries]

LSE LinOTP Smart Virtual Appliance (SVA) — Important Technical Information

LSE LinOTP Smart Virtual Appliance (SVA) -- Important Technical Information

Relevant to: Customers using the
LSE LinOTP Smart Virtual Appliance (SVA)
Affected SVA versions: 1.2 and below

If the preceding conditions apply to you, please read this message
very carefully. It contains important lifecycle information that could
impact your support and security situation.

Dear LinOTP customers,
dear partners,

in our technical newsletter of 8 September 2015 we informed you about
the availability of the LSE LinOTP Smart Virtual Appliance (SVA)
2.0. As described there, that version upgraded the technology of the
appliance. Its basic operating system was moved to the newest
generation (an advance of two major versions), and we have accordingly
recommended installing the upgrade. This requires a migration and
cannot be performed by means of the automated update facility, which
is why some (few) customers have not yet made the transition. The
migration of the configuration and token database is, however, fully

If you have not yet performed the migration, we now recommend that you
urgently migrate to the current version of the LinOTP Smart Virtual
Appliance (SVA). Since the Debian team will cease long-term support of
the Debian GNU/Linux version 6.0 ("squeeze"), we will in your own
interest discontinue support for SVA versions 1.2 and below, since the
security and stability of these versions can no longer be guaranteed.

*** Support and the availability of updates for the LSE LinOTP Smart
Virtual Appliance 1.2 ends on February 29th 2016. Therefore, SVA version
1.2 will be in its EOL (end-of-life) state effective March 1st 2016.
Support, patches, and updates will no longer be available, and
safe operation can no longer be guaranteed.

Only those few customers who have not migrated yet will need to do
this now. Users of SVA version 2.0 and later are expressly not

If you want to perform the migration, the appropriate instructions are
available in the online manual
you still use an LSE LinOTP SVA Installer in a version below 20,
please order a current installer from support@lsexperts.de.

Our support team will gladly be available for questions or migration
E-mail: support@lsexperts.de
Hotline: +49 6151 86086115

Thank you for using LSE LinOTP in your environment.


Your LSE LinOTP Team

Open Source: LSE presents Authentication Platform LinOTP 2.8 with FIDO U2F Token

Open Source: LSE presents Authentication Platform LinOTP 2.8 with FIDO U2F Token

Innovations of the OATH-certified version LinOTP 2.8 include features such as FIDO U2F support, registration of FIDO U2F, preparing email and SMS tokens in a self-service portal, temporary email and SMS tokens, multiple challenge response tokens per user with identical token PINs and optimized troubleshooting. “With LinOTP 2.8 we are offering companies, which want to provide their staff with secure logins via multi-factor authentication (MFA/2FA), a technically sophisticated, manufacturer-independent and extremely adaptive solution“, explains Sven Walther, Managing Director and CTO of LSE Leading Security Experts GmbH.

Master Key Token “FIDO U2F“

With full support of the U2F protocol of the FIDO Alliance, various logins can be executed securely using one and the same token. This means it is possible to use the user-friendly U2F tokens of various manufacturers as a second factor for authentication. As a result, new scenarios in the field of “Bring Your Own Token“ will in future become reality. The open standard FIDO U2F is especially interesting for large companies on account of its transparency and independence. LSE Leading Security Experts is a member of the FIDO Alliance. Further information on FIDO U2F available at www.fidoalliance.org.

Additional New Features

To facilitate roll-out of the token, users can now also prepare FIDO U2F, email and SMS tokens themselves in the self-service portal of LinOTP, in addition to token types available up to now. All token types available there can be configured via policies from the LinOTP administrator. If a token is lost, a temporary email or SMS token can also be set up in LinOTP 2.8 instead of a temporary password. Another new feature involves the simultaneous setting up of several challenge response tokens per user with identical token PINs.


LinOTP 2.8 is available now from the repositories of LSE at www.linotp.org as a Debian package. Updated package are available for Ubuntu in LinOTP PPA on Launchpad. LinOTP 2.8 is also available via the Python package index (PyPI). Users of LSE LinOTP Smart Virtual Appliance can obtain LinOTP 2.8 via the integrated update administration.

About LinOTP        

LSE LinOTP is an innovative, flexible OTP platform which can be used in a wide range of scenarios to secure user authentication. On account of its highly modular architecture, LinOTP operates on a manufacture-independent basis and supports various authentication protocols, tokens and databases. The software is multi-client compatible, easily scalable, user-friendly and can be implemented swiftly and simply. By using LinOTP, companies can easily implement the highest security standards.

SQL injection vulnerability in HumHub allows database access

During an internal evaluation of the social networking solution HumHub, the senior security consultant Eric Sesterhenn from LSE Leading Security Experts GmbH discovered an SQL injection vulnerability in versions 0.11.2 and 0.20.0-beta.2. The vulnerability allows read/write access to the underlying HumHub MySQL database. This includes full access to private user data and all conversations.

For further Informations about the LSE Leading Security Experts please visit our website www.foxmole.com