RSA Conference 2016: LSE introduces “LSE LinOTP Authentication Provider” for OS X® Operating system

Open Source:

Germany-based LSE, Leading Security Experts GmbH, a part of MAX21 Management group of companies (stock exchange symbol: MA1, ISIN: DE000A0D88T9) will be represented at RSA Conference, the world’s leading conference for IT Security in San Francisco, at booth #S815 South Expo as an OATH organization (initiative for Open Authentication) from February 29 to March 4, 2016. During this international event, LSE will present their latest product expansion for the OS X®operating system, “LSE LinOTP Authentication Provider”, which is the first adaptive multi-factor authentication (MFA/2FA) product for Mac platforms.

With its LSE LinOTP Authentication Provider, LSE is expanding the portfolio of existing authentication provider products for Microsoft Windows and Linux operating systems to OS X®. This token solution enables implementation on a cross-platform and cross-technology basis. The new product improves the login security with a One-Time Password solution (OTP). LSE LinOTP backend supports all existing OTP implementations, such as mobile apps (Google Authenticator, FreeOTP) and tokens (i.e. OATH, Yubikey). The configuration is done via an integrated OS X® Environment native configuration dialogue. Thanks to LSE LinOTP, adaptive multi-factor authentication (MFA/2FA) is being expanded to Mac environments.

LSE LinOTP Authentication Provider communicates with LinOTP backend via an encrypted HTTPS connection, which allows for high-availability scenarios with round-robin or load-balancing scenarios.

LSE will be represented as an OATH organization (Initiative for Open Authentication) at the RSA Conference, February 29 – March 4, 2016 at booth #S815 South Expo.

[OS X® is a registered trademark of Apple, Inc.

Microsoft and Windows are registered trademarks of the Microsoft Corporation in the US and other countries]

LSE LinOTP Smart Virtual Appliance (SVA) — Important Technical Information

LSE LinOTP Smart Virtual Appliance (SVA) -- Important Technical Information

Relevant to: Customers using the
LSE LinOTP Smart Virtual Appliance (SVA)
Affected SVA versions: 1.2 and below

If the preceding conditions apply to you, please read this message
very carefully. It contains important lifecycle information that could
impact your support and security situation.

Dear LinOTP customers,
dear partners,

in our technical newsletter of 8 September 2015 we informed you about
the availability of the LSE LinOTP Smart Virtual Appliance (SVA)
2.0. As described there, that version upgraded the technology of the
appliance. Its basic operating system was moved to the newest
generation (an advance of two major versions), and we have accordingly
recommended installing the upgrade. This requires a migration and
cannot be performed by means of the automated update facility, which
is why some (few) customers have not yet made the transition. The
migration of the configuration and token database is, however, fully

If you have not yet performed the migration, we now recommend that you
urgently migrate to the current version of the LinOTP Smart Virtual
Appliance (SVA). Since the Debian team will cease long-term support of
the Debian GNU/Linux version 6.0 ("squeeze"), we will in your own
interest discontinue support for SVA versions 1.2 and below, since the
security and stability of these versions can no longer be guaranteed.

*** Support and the availability of updates for the LSE LinOTP Smart
Virtual Appliance 1.2 ends on February 29th 2016. Therefore, SVA version
1.2 will be in its EOL (end-of-life) state effective March 1st 2016.
Support, patches, and updates will no longer be available, and
safe operation can no longer be guaranteed.

Only those few customers who have not migrated yet will need to do
this now. Users of SVA version 2.0 and later are expressly not

If you want to perform the migration, the appropriate instructions are
available in the online manual
you still use an LSE LinOTP SVA Installer in a version below 20,
please order a current installer from

Our support team will gladly be available for questions or migration
Hotline: +49 6151 86086115

Thank you for using LSE LinOTP in your environment.


Your LSE LinOTP Team

Open Source: LSE presents Authentication Platform LinOTP 2.8 with FIDO U2F Token

Open Source: LSE presents Authentication Platform LinOTP 2.8 with FIDO U2F Token

Innovations of the OATH-certified version LinOTP 2.8 include features such as FIDO U2F support, registration of FIDO U2F, preparing email and SMS tokens in a self-service portal, temporary email and SMS tokens, multiple challenge response tokens per user with identical token PINs and optimized troubleshooting. “With LinOTP 2.8 we are offering companies, which want to provide their staff with secure logins via multi-factor authentication (MFA/2FA), a technically sophisticated, manufacturer-independent and extremely adaptive solution“, explains Sven Walther, Managing Director and CTO of LSE Leading Security Experts GmbH.

Master Key Token “FIDO U2F“

With full support of the U2F protocol of the FIDO Alliance, various logins can be executed securely using one and the same token. This means it is possible to use the user-friendly U2F tokens of various manufacturers as a second factor for authentication. As a result, new scenarios in the field of “Bring Your Own Token“ will in future become reality. The open standard FIDO U2F is especially interesting for large companies on account of its transparency and independence. LSE Leading Security Experts is a member of the FIDO Alliance. Further information on FIDO U2F available at

Additional New Features

To facilitate roll-out of the token, users can now also prepare FIDO U2F, email and SMS tokens themselves in the self-service portal of LinOTP, in addition to token types available up to now. All token types available there can be configured via policies from the LinOTP administrator. If a token is lost, a temporary email or SMS token can also be set up in LinOTP 2.8 instead of a temporary password. Another new feature involves the simultaneous setting up of several challenge response tokens per user with identical token PINs.


LinOTP 2.8 is available now from the repositories of LSE at as a Debian package. Updated package are available for Ubuntu in LinOTP PPA on Launchpad. LinOTP 2.8 is also available via the Python package index (PyPI). Users of LSE LinOTP Smart Virtual Appliance can obtain LinOTP 2.8 via the integrated update administration.

About LinOTP        

LSE LinOTP is an innovative, flexible OTP platform which can be used in a wide range of scenarios to secure user authentication. On account of its highly modular architecture, LinOTP operates on a manufacture-independent basis and supports various authentication protocols, tokens and databases. The software is multi-client compatible, easily scalable, user-friendly and can be implemented swiftly and simply. By using LinOTP, companies can easily implement the highest security standards.

SQL injection vulnerability in HumHub allows database access

During an internal evaluation of the social networking solution HumHub, the senior security consultant Eric Sesterhenn from LSE Leading Security Experts GmbH discovered an SQL injection vulnerability in versions 0.11.2 and 0.20.0-beta.2. The vulnerability allows read/write access to the underlying HumHub MySQL database. This includes full access to private user data and all conversations.

For further Informations about the LSE Leading Security Experts please visit our website

LSE LinOTP Hotfix and Security Advisory

Die LSE Leading Security Experts GmbH empfiehlt, nachstehendes Hotfix
für den sicheren Betrieb von LinOTP einzuspielen. Diese Empfehlung gilt,
wenn Sie nicht die automatischen Updatemechanismen zur Aktualisierung
von LinOTP verwenden (siehe unten, unter “LSE LinOTP Smart Virtual Appliance”).
Im Falle der Verwendung der automatischen Updatemechanismen besteht kein
Handlungsbedarf, da LinOTP dann bereits auf dem neusten Stand ist.

Der Hotfix schließt eine kritische Lücke und verhindert damit, dass
diese potenziell ausgenutzt werden kann.

Die Lücke würde einem unauthorisierten Benutzer potenziell das Übermitteln
von ungewollten Zeichenfolgen ermöglichen, welche dann im
LinOTP-Log, d.h. der LinOTP-Log-Datenbank, gespeichert werden.
Zu einem späteren Zeitpunkt könnte dann, unter bestimmten Umständen, diese
Zeichenfolge im Admin-Kontext, also durch einen Administrator bei der Verwaltung
von LinOTP, versehentlich zur Ausführung gebracht werden. Damit könnte möglicherweise
Schadcode eingeschleust werden. Dies wird verursacht durch unzureichende
Aufbereitung des Outputs, bedingt durch ein von LinOTP verwendetes Widget.

Wir haben für unser Produkt LinOTP ein diesbezügliches Advisory veröffentlicht,
welchem bei Interesse die entsprechenden Details entnommen werden können.
Wir danken ausdrücklich Tomas Rzepka für seine diesbezügliche Mithilfe
und den wertvollen Beitrag.

Nach unserem Kenntnisstand wurde diese Lücke bisher nicht aktiv ausgenutzt.

Wir stellen unseren Kunden den Hotfix in verschiedenen Formaten und Versionen
zur Verfügung. Die Pakete enthalten über den Hotfix hinaus keine weiteren Änderungen.
Wir empfehlen, den Hotfix umgehend einzuspielen.

Bitte verwenden Sie die unten aufgeführten Installationswege.

In kommenden Versionen von LinOTP (2.8 und höher) werden weitere Verbesserungen
enthalten sein, um den potenziell möglichen Angriffsweg bereits von vornherein
aus der LinOTP API heraus zu verhindern. Durch Sanitisierung der Antworten innerhalb
unserer JSON-basierten API, wird HTML-Output zusätzlich bereinigt und damit abgesichert.


Installation des Hotfix

Wir bieten für verschiedene LinOTP Versionen Pakete zum Update an. –> –> –> –>

Wir bieten Ihnen eine Installationsanleitung mit Links zum Download.

Sollten Sie eine ältere Version von LinOTP (<2.6) verwenden oder den Hotfix
unabhängig vom Paketmanagement einspielen wollen, stellen wir auch die auszutauschende
Datei mit einer Installationsanleitung zur Verfügung.

Sollten Sie Fragen zur Anwendung des Hotfix haben, helfen wir Ihnen gerne weiter:

Telefon: +49 6151 86086 115

LSE LinOTP Smart Virtual Appliance

Kunden, welche die LinOTP SVA nutzen und das automatische Update verwenden
erhalten das neue Paket im konfigurierten Zeitrahmen automatisch.

Sollten Sie den Hotfix auf Ihrer LSE LinOTP SVA direkt einspielen wollen, können
Sie in der Kommandozeile den Befehl “” verwenden.

Bitte beachten Sie, dass hierdurch auch alle anhängigen Betriebssystemupdates
heruntergeladen und installiert werden, falls Sie das automatische Update bisher
nicht aktiviert haben. Sollten längere Zeit keine Updates mehr durchgeführt worden
sein, so kann dies ein umfangreicher Download- und Installationsprozess sein




LSE Leading Security Experts expands into American market

Open source technology for multifactor authentication is a major growth market in the USA


By virtue of the highly modular architecture of a vendor-independent open- source package for multi-factor authentication (MFA/2FA), LSE is generating increasing interest by major US enterprises and organizations which value transparency and security.


Sven Walter - CEO of LSE

” We register considerable demand from the US market, and note that customers are generally open towards innovative IT technology and the added value of a next-generation solution with high security standards. The USA is a great potential market for our IT security products, says Sven Walther, managing director of LSE. “

Industry expert Malloy takes over market development in the USA

Don Malloy - Business Development Director North America

LSE is pleased to present the noted subject matter expert and chairman of the OATH (Initiative for Open Authentication) organization, Donald E. Malloy, as its Business Development Director North America. OATH is an industry alliance promoting a transition of the authentication market away from proprietary systems towards open architecture. The main focus is on reaching the highest possible authentication security. With more than 20 years of experience in the security and payment sector, Don Malloy will now oversee LSE’s growing US network and serve as a contact person for the German IT company in the USA. LSE already has a frequent presence in the USA, providing innovative technical presentations and exhibiting its products at notable events including the Gartner Catalyst Conference, Red Hat Summit, Microsoft WPC, Black Hat USA, AppSec and the RSA conference

Oliver Michel - CEO MAX21 AG” We are enthusiastic to welcome Don Malloy to our LSE team. With his years of experience and professional expertise he will provide exactly the input we need for our common vision of the future, says Oliver Michel, CEO of MAX21 AG “

Great potential for growth for LinOTP in the USA

LSE is tracking a daily, continuous high download rate and many requests for test installations for the LinOTP open-source project.  Given the current download rate, LSE LinOTP should in five years’ time be among the most successful market leaders in the multi-factor authentication and adaptive-authentication arenas, Don Malloy forecasts as an experienced US market expert and industry pundit.

The advantages of the main product, LSE LinOTP, include its complete availability as an open-source solution. LSE LinOTP is usable without charge and without a time limit by anyone interested. It offers its users transparent security as well as investment protection. The vendor-independent approach allows the use of diverse vendor tokens and methods as well as their simultaneous use in a heterogeneous environment. In addition, the software does not require write access to the network infrastructure. This means that LSE LinOTP can be integrated easily and quickly, without large changes, into existing computing environments. Users of subscription and support contracts profit from many additional advantages such as the LSE LinOTP Smart Virtual Appliance (SVA), which provides a full-featured turnkey solution without additional cost, or the optional LSE Radius Credential Provider for Microsoft Windows.

Further Informations:



With new and interesting features, the product release LSE LinOTP Smart Virtual Appliance 2.0 (SVA) surprised its users

LSE LinOTP is from version 2.7 fully open source and freely available.
It is an innovative and flexible OTP platform for strong user authentication. Thanks to the highly modular architecture LinOTP works independent of manufacturers and supports various authentication protocols, token, and directory services. The software is client-capable, easily scalable, user-friendly and can be quickly and easily implemented. Using LinOTP our customers can enforce the highest safety standards with ease.

New SVS-feature: Debian 8 jessie
The LSE LinOTP Smart Virtual Appliance 2.0 is based on Debian 8 jessie and includes all the improvements and new features of Debian 8. The benefits are new technologies like systemd, current versions of the software (e.g. Apache 2.4) and an improved integration into the infrastructure of recent hypervisors.

New SVS-feature: Restore from the wizard
To allow for an easy migration to a newer system and a faster restore of the LSE LinOTP Smart Virtual Appliance, the user can now directly apply a backup of a previous installation during the first steps of the wizard after installation. Additionally the user can decide for important parameters (like network configuration)
whether they are restored from backup or be adapted for the new machine. This allows for
faster restores and re-installations being much faster and consistent.

New SVS-feature: Change the serial number from the GUI interface
It is now possible to change the serial number of a SVA from the web interface. This allows migrating machines from staging or testing environment to production. You can also speed up the installation and deployment of additional machines from pre-installed virtualization images.

SVA-Security: SSH server uses ECDSA SSH keys by default
Besides other hardening measures implemented for the SVA 2.0 the SSH server now makes use of ECDSA key algorithms by default.

SVA-Enhancement: haveged replaces timer_entropyd
Generating entropy is an important task in virtual machines. The new haveged replaces timer_entropyd for this task in the LSE LinOTP SVA 2.0. It requires considerably less resources for generating entropy and thus puts less load onto the virtualization infrastructure. LSE Smart Virtual Appliance 2.0 can also integrate entropy providers of the virtualization backend.

LSE LinOTP 2.7.2 released

On May 11th we released LinOTP 2.7.2 to the repositories.

LSE LinOTP 2.7.2

LSE Leading Security Experts GmbH is announcing the availability of the new release of LSE LinOTP (2.7.2)

You will find the complete Changelogs and the most important changes in LinOTP 2.7.1 at the end of this newsletter. We hereby want to mention some highlights in 2.7.2.

LinOTP 2.7.2

LinOTP 2.7.2 includes some interesting new features as well as improvements in usability and bug fixes. This is only a selection, please refer to the full Changelog below.

  • New feature: Autoenrollment

    Users without a token assigned, can trigger the creation and assignment of a new SMS or email token by providing correct credentials during login using username and password. This feature can be configured in a new policy (e.g. for certain users only) and relieves the administrator from enrolling and assigning these tokens manually.

    For more information please refer to the Autoenrollment Howto

  • New feature: New Self Service API

    The new Userservice API allows for the implementation of independently hosted self service portals and easier integration of self service tasks in existing customer portals.

  • New feature: mass enrollment of SMS token from the CLI
  • New packages: Ubuntu 14.04 “Trusty Tahr”.
  • Improved input validation for SQL and LDAP resolver, and E-mail and SMS provider definitions.


LinOTP 2.7.2 is available in our repositories on and for customers running LinOTP on the LSE LinOTP Smart Virtual Appliance using the integrated upgrade mechanisms.

We are happy to answer your questions about this release:

LSE Smart Virtual Appliance 1.2 and LinOTP 2.7.1

LSE Leading Security Experts GmbH is proud to announce the general availability (GA) of the following new product releases:

  1. LSE LinOTP Smart Virtual Appliance 1.2
  2. LSE LinOTP 2.7.1.

We are happy to provide LinOTP 2.7 from now also to our customers running LSE LinOTP Smart Virtual Appliances.

You will find the entire changelogs on Here we want to mention some highlights:

LinOTP 2.7.1

LinOTP received many improvements in usability and work flow.
This is only a selection of improvements, please also refer to the full changelog on

  • LinOTP 2.7.1 now fully supports the handling of LSE LinOTP support and subscription licenses.
  • The PIN dialog was integrated with the enrollment dialog and is conditional according to your policies (e.g. random pin).
  • Saving the Token Config is now also possible with only one part changed.
  • The mechanisms to translate LinOTP were improved and extended, especially in the LinOTP Selfservice.
  • The information boxes now stack to prevent an important messages from being overwritten. These messages can be acknowledged together.
  • The overall design was improved and made more consistent.
  • New and improved softtokens like FreeOTP are better integrated and the WebUI and LinOTP Selfservice
  • were improved to better support the features offered by OATH softtokens beyond the Google Authenticator.
  • The native handling of Yubikeys was improved by supporting resync and uppercase OTPs.
  • The Active Directory UserIDResolver was improved to use objectGUID as the default UIDType.
  • Added configuration options to selectively disable parts of LinOTP (manage, selfservice, validate) to improve security or management in complex HA setups.
  • The audit data can now be written to log file before it is rotated.

Highlights for customers upgrading from LinOTP EE

  • Improved Oracle database support,
  • memory usage optimization,
  • improved database handling for the audit log,
  • extended CLI toolset.


We are already working on the next releases and want to give a small peak on what is coming up.

  • Remote Self Service
  • SMS/E-Mail Token Auto-Enrollment

LSE LinOTP Smart Virtual Appliance 1.2

The LSE Smart Virtual Appliance (SVA) received big improvements in the
installation process, usability and the backend.

The Configuration Management was improved to make changes more visible and
to improve the usability. There is now a clear indication of changes needed to be
saved and activated. An info bar appears and the ‘Configuration Management’ Tab
is highlighted until the changes are saved and activated.

The WebUI of the LSE LinOTP SVA is now fully translatable and also available in German.
The language will be chosen based on browser languages.

The installation wizard saw substantial improvements. More settings are preset
from the installed system and more of the input is checked for errors. The
activation step of the wizard was completely rewritten and is now faster and
more robust.

There are many improvements in the WebUI which stem from customer input to
improve the workflow of administration and management of the SVA.

LinOTP 2.7.1 is available in our repositories on and for customers
running LinOTP on the LSE LinOTP Smart Virtual Appliance using the integrated
upgrade mechanisms. All our releases are QA tested. Should you encounter any
issues within the upgrade process, please contact us. (

If you have any question regarding the new releases, we are happy to answer
and support your inquiries. (

LSE LinOTP and LSE LinOTP Smart Virtual Appliance NOT susceptible to the Shell Shock vulnerability.

We would like to inform you about the impact of the current Shell Shock vulnerability on our products.

The vulnerability in GNU Bash can NOT be remotely exploited in our products.

The vulnerability in the widely used GNU Bash named Shell Shock and first described in CVE-2014-6271 can be used to execute arbitrary commands. It can be exploited by insufficiently configured and protected remote interfaces, which significantly increases the criticality.

We analyzed our products for this vulnerability. We came to the conclusion, the vulnerability can NOT be exploited by external or network access to our products. The remote interfaces and services provided by LinOTP and the LSE Smart Virtual Appliance can not be exploited. Our products do not allow to have external data directly executed in the GNU Bash shell.

GNU Bash is used in our LSE LinOTP Smart Virtual Appliance and LSE LinOTP Appliance A150. We already provide, of course, updated versions of GNU Bash, fixing the known vulnerabilities although they can not be exploited.

We recommend customers with native LinOTP installations to update the relevant packages, using the update mechanisms of their base distribution, as a precaution.

Updates to our products are distributed by the known mechanisms, the automatic update or the manual update functions.

You can update the LSE LinOTP Smart Virtual Appliance to the newest version of the appliance software and LinOTP using the instructions below, if you did not activate the automatic update.

(Please keep in mind, all packages installed are going to be updated to the newest version available. If you only want to update single packages, please contact our support.)

1. Use SSH to login on the LSE LinOTP Smart Virtual Appliance (user: root).

2. Execute the command

If the automatic update was not activated before, you will also receive a kernel update. We therefor recommend to reboot the LSE Smart Virtual Appliance after the successful update.

Please contact our support hotline ( 06151 86086 – 115 or, if you do not have activated the automatic update and are using an appliance version equal or smaller than 1.0. We are happy to help you with detailed update instructions in this case. The update is still easy to deploy, but needs a switch out of the context for self administration.

Best Regards

The LinOTP Team