How to use LinOTP best and make it even more reliable

There is always room for improvement after the initial setup of LinOTP. In this blog post we will show you how to optimize LinOTP and make it even more reliable!

1) Redundancy – have multiple LinOTP servers!

LinOTP is a crucial component of your authentication infrastructure. It must be resistant to failures and remain responsive under load. Both requirements are easy to achieve by setting up multiple LinOTP servers.

All LinOTP-related information is stored in a database of your choice. If the database technology supports several parallel clients, you should be running multiple LinOTP instances. All authentication operations performed and all configuration changes will then be known to each of the LinOTP servers thanks to the shared database. Of course the database should be redundant as well, to avoid turning it into a single point of failure.

Paradigm shift in data protection – the GDPR comes into force on 25.05.18

On 25 May the “European General Data Protection Regulation” (EU-GDPR), in German “Europäische Datenschutz-Grundverordnung” (EU-DSGVO), officially comes into force. This makes the data protection requirements for private and public organisations considerably stricter and gives consumers substantially more rights. Above all, non-compliance becomes expensive: severe fines of up to 20 million euros or four percent of worldwide turnover are possible.

Its impact will ultimately be felt worldwide. As soon as a company stores or processes personal data of EU citizens, the regulation applies, no matter where on the globe the company is based.

Keeping society running – protecting critical infrastructures

Protecting critical infrastructures with multi-factor authentication (MFA)

The modern world is complex and multi-layered, yet its functioning depends on only a few basic pillars: electricity, clean drinking water, sewage and waste disposal, telecommunications, transport and a few more. These pillars are called critical infrastructures (KRITIS), and without them the modern world as we know it is not possible. Accordingly, protecting critical infrastructures from natural disasters and man-made threats is an important task for both the public and the private sector.

The basics of multi-factor authentication: QR Tokens – Highly secure and highly versatile

One of the most secure and reliable ways to protect logins, data and transactions is the QR token. QR tokens provide an easy-to-use and secure approach to multi-factor authentication (MFA). This is how authentication via QR tokens works: for a login or transaction, the user is shown a QR code. The user simply scans the QR code with the authenticator app on their smartphone.

All the user needs is mobile connectivity; no additional user input is necessary and no additional data is saved on the authenticated device. This means that QR tokens provided through the KeyIdentity MFA platform and LinOTP can also be used for secure offline authentication of laptops and mobile devices. Based on modern signature algorithms as well as the principles of device separation and transaction data validation, QR tokens allow for the highest level of security.

The basics of multi-factor authentication: How to pick the right token

Multi-factor authentication (MFA) is based on the idea that a user possesses several unique pieces of evidence which cannot be provided or accessed by a third party. This can be either knowledge like a password, biometric features like a fingerprint or a physical object like a hardware token.

Modern MFA solutions like LinOTP and the KeyIdentity MFA platform support a wide range of tokens to accommodate different use cases, risk levels and cost considerations in B2B and B2C scenarios. Here is a short overview of the most common token types: hardware and software tokens, SMS and biometrics, as well as QR and push tokens.

Hardware tokens: independent of the device running the application

Hardware tokens are available in various designs ranging from portable USB authenticators to keychain devices to flexible display panels embedded in identification cards. They all have one advantage in common: Since hardware tokens come with their own display and battery, they can operate independently of the device running the application.

A special type of hardware token is the standardized FIDO U2F token, governed by the open-authentication industry consortium FIDO Alliance. Based on the Universal Second Factor standard U2F, users can “bring their own token” (BYOT). This means that tokens the user already owns can be reused at a consistent level of security.

MFA – save time by switching to LinOTP today

Regarding MFA (multi-factor authentication), the well-known administrator mantra “Never change a running system” is no longer accurate, given today’s speed of IT development. In fact, regular changes have become a necessity to keep up with competitive markets. This is particularly true if the new technology is driven by steady development, which avoids unnecessary issues in the foreseeable future.

LinOTP brings substantial benefits for MFA-backed environments. It has no token vendor lock-in, it is open source and it is developed API-first. It is easy to set up and to integrate in the first place: it takes only about half a day in a standard environment. And we make sure that transitions from existing MFA solutions to LinOTP are stable, fast and painless for architects as well as for the administrators performing the migration and for the users.


FIDO U2F: what it is and how you can secure your web applications using LinOTP

This is the first part of a series of blog entries about FIDO U2F and how you can use FIDO U2F and LinOTP to secure your web applications.

To kick off, we would like to introduce you to FIDO U2F and explain the idea behind it. The following posts will cover the protocols and how you can use LinOTP to integrate FIDO U2F into your application.

What is FIDO U2F?

FIDO U2F is a technical specification defining a mechanism to reduce the reliance on passwords to authenticate users. It can be used to enrich a password-based authentication with a second factor or to replace the password-based login completely, depending on the use case.

FIDO U2F is developed by the FIDO Alliance (KeyIdentity is a member) and is actively being extended to new authentication models and markets. The driving idea behind FIDO U2F is to let users bring their own token to the registration process, so that you can securely validate the user’s identity from then on, while the user needs only one token for all websites without compromising security.

Image source: FIDO Alliance

USB, NFC and Bluetooth are now defined as transport protocols, and a wide range of devices is available that make use of them. Your users can decide on the method and vendor they prefer, based on cost, design or availability. The FIDO U2F implementation on the side of the web application is the same for all tokens implementing the FIDO specifications.

FIDO U2F is based on public key cryptography. When the user registers at your site, a key pair specific to your site is generated in the FIDO U2F token and, depending on the device, is stored on the token. The public key is then registered in your LinOTP backend. When the user authenticates later on, a challenge is presented to the FIDO U2F token, and proof of possession of the private key is provided by signing the challenge. The FIDO protocols are designed to protect the user’s privacy: since every site gets its own key pair, it is not possible to track a user across services even though the same token is used.

The handling of the device and the communication over the USB, NFC or Bluetooth transport protocols is provided by the user’s browser, either built in or available as a plug-in. Currently only Google Chrome has built-in support, but support from Microsoft and plug-ins for Firefox are available.

FIDO U2F is still a fairly young standard, but adoption is picking up. After being developed mainly by Google and Yubico, the FIDO Alliance now has an impressive set of members, and the range of specifications has grown actively and into interesting areas over the last year.

This was just a quick introduction. In the following parts we will look at the registration and authentication process and at what an implementation of FIDO U2F can look like.