Submitted Successfully!
To reward your contribution, here is a gift for you: A free trial for our video production service.
Thank you for your contribution! You can also upload a video entry or images related to this topic.
Version Summary Created by Modification Content Size Created at Operation
1 handwiki -- 2455 2022-11-21 01:40:40

Video Upload Options

Do you have a full video?


Are you sure to Delete?
If you have any further questions, please contact Encyclopedia Editorial Office.
HandWiki. MultiOTP. Encyclopedia. Available online: (accessed on 22 June 2024).
HandWiki. MultiOTP. Encyclopedia. Available at: Accessed June 22, 2024.
HandWiki. "MultiOTP" Encyclopedia, (accessed June 22, 2024).
HandWiki. (2022, November 21). MultiOTP. In Encyclopedia.
HandWiki. "MultiOTP." Encyclopedia. Web. 21 November, 2022.

multiOTP is an open source PHP class, a command line tool, and a web interface that can be used to provide an operating-system-independent, strong authentication system. multiOTP is OATH-certified since version 4.1.0 and is developed under the LGPL license. Starting with version, multiOTP open source is also available as a virtual appliance - as a standard OVA file, a customized OVA file with open-vm-tools, and also as a Hyper-V downloadable file.Template:Jargon-statement A QR code is generated automatically when printing the user-configuration page. 4.1.0 multiotp

1. Overview

Spyware, viruses and other hacking technologies or bugs (such as Heartbleed) are regularly used to steal passwords. If a strong two-factor authentication system is used, the stolen passwords cannot be stored and later used because each one-time password is valid for only one authentication session, and will fail if tried a second time.

multiOTP is a PHP class library. The class can be used with any PHP application using a PHP version of 5.3.0 or higher. The multiOTP library is provided as an all-in-one self-contained file that requires no other includes. If the strong authentication needs to be done from a hardware device instead of an Internet application, a request will go through a RADIUS server which will call the multiOTP command line tool. The implementation is light enough in order to work on limited computers, such as the Raspberry Pi.

2. History

  • Version 1.0.0 of 7 June 2010 was only a basic command line tool called otpauth, already written PHP. The tool has been renamed to multiotp in version 1.1.4 some days later in order to avoid confusion with another project with the same name.
  • Version 2.0.0 of 19 July 2010 has been completely rewritten as a PHP class, and the command line tool became an implementation of the class. Under Windows operating systems, the command line tool exists as an executable file including in one file the source code and the PHP interpreter. This version received the Innovation Award in August 2010.[1]
  • Version 3.0.0 of 2 September 2010 allowed PSKC unencoded provisioning files import and the internal structure had been improved.
  • Version 3.1.1 of 19 December 2010 allowed data storage in a MySQL backend database.
  • Version 3.2.0 of 6 July 2011 allowed to authenticate with a generic account and by passing the specific user and the password in the password field (useful if the library is used with a Windows authentication which needs a specific user).
  • Version 3.9.2 of 25 October 2011 is the version that was released for the workshop about integrating strong authentication in Internet applications. This workshop was presented during the Application Security Forum - Western Switzerland 2011 in Yverdon-les-Bains (Switzerland).[2] The library has also been used to validate and distribute[3] the seed of the tokens given by Feitian, the sponsor of the event. Each participant had to give an email address, a mobile phone number, a token serial number and the OTP code displayed on the token, than an encrypted email was sent to the participant and the encryption key was sent by SMS.
  • Version 4.0.7 of 30 August 2013 added a lot of enhancements, like a client/server feature with a local cache storage of the definition files of the used tokens, a completely new implementation of the MySQL support (including database tables creation and update), CHAP authentication (in addition to PAP authentication), QRcode generation for direct provisioning in Google Authenticator, fast creation of a user in a single command, ...
  • Version 4.0.9 of 22 September 2013 was an intermediate release that has been used to demonstrate the concept of strong authentication in several forums like a Rump Session during the Application Security Forum - Western Switzerland 2013 in Yverdon-les-Bains (Switzerland)[4] and 45 minutes talk during the Studerus Technology Forum (TEFO) 2013 in Zürich (Switzerland).[5]
  • Version 4.1.0 of 23 December 2013 is OATH certified for HOTP and TOTP, which means full compatibility with certified hardware tokens, including encrypted PSKC provisioning files. This beta version has been used for a 30 minutes talk during the PasswordsCon 2013 in Bergen (Norway).[6] Instructions and all necessary files to build a strong authentication server device on a Raspberry Pi nano-computer are included. Self-registration of unattributed hardware tokens and automatic resync/unlock during authentication have also been added, and a basic web interface is now also available.
  • Version 4.1.1 of 20 January 2014 provided some bug fixes and a better support of Microsoft Authenticator. Resyncing a token (using two consecutive OTP) didn't need the PIN code anymore.
  • Version 4.2.0 of 7 February 2014 supported MS-CHAP and MS-CHAPv2 protocols.
  • Version 4.2.1 of 14 February 2014 added Active Directory / LDAP support in order to create accounts based on users present in a particular group.
  • Version 4.2.2 of 3 March 2014 provided an enhanced web interface in order to import hardware tokens, create accounts, synchronize tokens or unlock accounts. An extended support of TekRADIUS was added in order to send back some particular informations, which is useful for MS-CHAP or MS-CHAPv2 connections.
  • Version 4.2.3 of 13 March 2014 fixed a bug with the send back to TekRADIUS.
  • Version 4.2.4 of 30 March 2014 enhanced MySQL backend support and added mysqli support. Since this version, it is also possible to define in configuration file which fields must be encrypted or not. Some external classes have been updated or replaced, and a lot of new QA tests have been added, both for PHP class and command line versions.
  • Version of 6 April 2014 added NT_KEY support (for FreeRADIUS further handling, like VPN key generation). It is now also possible to import tokens based on a simple CSV file (serial_number;manufacturer;algorithm;seed;digits;interval_or_event). The new option -user-info has also been added, and some bug fixes have been done too.
  • Version of 13 April 2014 consolidated XML handling with one single library for the whole project. It also fixed a possible bug concerning tokens import based on a simple CSV file.
  • Version of 12 June 2014 fixed a bug with the SMS provider aspsms.
  • Version of 4 November 2014 added AD/LDAP password support (instead of static PIN only). It also added Yubico OTP, including keys import using the log file provided by the Yubico Personalization Tool. Synchronization of AD/LDAP users was completely redesigned. This version has been used the 4. November 2014 during a training of the Application Security Forum - Western Switzerland 2014 in Yverdon-les-Bains (Switzerland)[7]
  • Version of 9 December 2014 added a special CLI proxy in order to speed up the Raspberry Pi implementation. Generic LDAP support had been added (like Synology and every Linux based implementation). OTP with integrated serial number is now also better supported (in PAP). Starting with this version and if activated, the prefix PIN is also needed when using a scratch password. MULTIOTP_PATH environment variable is now supported in order to define where is the root of multiotp (if a specific implementation cannot detect correctly the root directory of multiotp).
  • Version of 15 December 2014 provided a better LDAP and AD support, handling more fields during synchronizations. The multiOTP project is now also available on GitHub.
  • Version of 9 June 2015 enhanced some ugly parts (!), added/adapted some default values, allowed the use of minus (-) in the password, enabled by default the autoresync option, handled better the resync during authentication (directly in the class), enabled by default the server cache and cleaned some log information.
  • Version of 10 June 2015 was the version presented during the Dev(Talks): 2015 in Bucharest (Romania).[8] This version contained some web GUI improvements.
  • Version of 24 June 2015 fixed a bug when special characters were used for scratch password generation. It also automatized the support of multi_account when synchronizing with AD/LDAP.
  • Version of 15 July 2015 changed the behavior of the CLI when it's called without parameter, returning now an error code (30) instead of an information (19). Ready to use virtual appliance is now provided in standard OVA format, with open-vm-tools integrated and also in Hyper-V format.
  • Version of 18 July 2015 added QRcode generation for mOTP (Mobile-OTP), and a new method is now implemented to read the data of a single user in an array.
  • Version of 16 October 2016 added better SSL support, ability to select a specific LDAP/AD attribute to synchronize the accounts, better MS-CHAPv2 support, better repeated password handling, YUbicoOTP private ID is now checked, SSL AD/LDAP compatibility with Windows 2012(R2), better AD/LDAP special chars support (RFC4515), new methods to implement asynchronous activities when data is modified in the backend.
  • Version of 4 November 2016 enhanced log messages, updated some external packages and adapted the backup configuration file format in order to be compatible with commercial edition.
  • Version of 14 November 2016 added Dial-In IP address support (including the synchronisation with the Active Directory msRADIUSFramedIPAddress attribute), enhanced token importation process with binary encryption key support.
  • Version of 26 January 2017 enhanced the AD/LDAP synchronisation process for huge AD/LDAP directories by using by default disk caching in the system temporary folder. Several CLI commands can now be done at once. Multiple groups per user is now supported (warning, not all devices support multiple group). The default proposed TOTP/HOTP generator is now FreeOTP (for Android/iOS). Multiple purpose tokens provisioning format PSKCV10 is now supported.
  • Version of 3 February 2017 fixed some bugs and add the GetUserInfo method.
  • Version of 21 February 2017 added the support of base32 and raw binary for SetUserTokenSeed and SetTokenSeed methods. The restoreCOnfiguration method has been updated.
  • Version of 23 February 2017 added some minor enhancements like trimming the group names and handling the Linux folder mode.
  • Version of 16 May 2017 enhanced the rejection policy with out incrementing the error counter for the same replayed token.
  • Version of 29 May 2017 added PostgreSQL support, based on source code provided by Frank van der Aa
  • Version of 2 June 2017 redefined with Linux the location of the config, devices, groups, tokens and users folders to be always located in /etc/multiotp/
  • Version of 6 June 2017 fixed SSL/TLS LDAP failed connection for PHP 7.x
  • Version of 7 July 2017 fixed some minor bugs and added some TLS configuration methods.
  • Version of 8 September 2017 removed the use of the nircmd.exe tool due to false virus detection
  • Version of 29 September 2017 defined the default mOTP generator for Android/iOS to OTP Authenticator
  • Version of 4 November 2017 enhanced the FreeRADIUS 3.x documentation and fixed some minor bugs
  • Version of 19 February 2018 added expired AD/LDAP password support and better unicode handling. Some enhancements for multiOTP Credential Provider (for Windows) has been done too.
  • Version of 5 March 2018 enhanced the multiOTP Credential Provider and it's now possible to use registry entries. It fix also the "receive an OTP by SMS" link for Windows 10
  • Version of 20 March 2018 provided the first Dockerfile to create a full multiOTP open source server docker
  • Version of 16 July 2018 enhanced AD/LDAP support for huge Active Directory, and added Users DN option (which is optional, otherwise Base DN is still used to search users)
  • Version of 21 August 2018 added multiple "Users DN" (separated by semicolumn) for AD/LDAP synchronization (with additional synchronization debug messages) and a new "without2FA" algorithm if some users just want the prefix password without tokens
  • Version of 22 August 2018 added some monitoring fields to have more information about the synchronization process
  • Version of 26 August 2018 fixed the restore process in command line edition and enhanced the client/server process
  • Version of 14 September 2018 fixed the compatibility mode of the Windows radius server component during installation
  • Version of 13 November 2018 enhanced import of PSKC definition files with binary decoding key file and added the support for several SMS provider (Swisscom LA REST, Afilnet, Clickatell2, eCall, Nexmo, NowSMS, SMSEagle and custom SMS)
  • Version of 7 January 2019 added Raspberry Pi 3B+ support
  • Version of 18 January 2019 added Debian 9.x (stretch) support
  • Version of 25 January 2019 fixed a NTP DHCP option problem
  • Version of 30 January 2019 changed the QRcode generation library and provided a new Raspberry Pi binary image ready to used for Raspberry Pi 1B/1B+/2B/3B/3B+
  • Version of 29 March 2019 added Access-Challenge support
  • Version of 20 September 2020 added generic web based SMS provider definition, automatic purge of inexistent AD/LDAP users and support for Debian Buster 10.5, PHP 7.3 and Raspberry PI 4B
  • Version of 12 February 2021 enhanced the Web interface with better accounts state information

3. Features

For Windows, the multiOTP library is provided with a pre-configured RADIUS server (freeradius) which can be installed as a service. A pre-configured web service (based on mongoose) can also be installed as a service and is needed if we want to use the multiOTP library in a client/server configuration. Under Linux, the readme.txt file provided with the library indicates what should be done in order to configure the RADIUS server and the web service. All necessary files and instructions are also provided to make a strong authentication device using a Raspberry Pi nano-computer. Since version, ready to use virtual appliance is provided in standard OVA format, with open-vm-tools integrated and also in Hyper-V format. The client can strongly authenticate on an application or a device using different methods:

  • software tokens (like Google Authenticator)
  • hardware tokens (any OATH/HOTP and OATH/TOTP certified token, like NagraID tokens, and some other non-certified but compatible tokens, like Feitian C200 time based tokens)
  • code sent per SMS (since version 4.0.4)
  • scratch passwords list (since version 4.0.4)
  • YubiKey in proprietary Yubico OTP mode (since version 4.3)
  • without2FA for accounts that doesn't nedd strong authentication (since 5.3)

4. Standardization and Normalization

multiOTP is Initiative For Open Authentication certified for HOTP and TOTP and currently supports the following algorithms and RFCs:

  • HOTP, HMAC-based one-time password algorithm (RFC4226)
  • TOTP, time-based one-time password algorithm (RFC6238)
  • Google Authenticator (OATH/HOTP or OATH/TOTP, base32 seed, QRcode provisioning)
  • SMS tokens (using aspsms, clickatell, intellisms, or a local provider)
  • PSKC, Additional Portable Symmetric Key Container Algorithm Profiles (RFC6030)
  • CHAP, Challenge Handshake Authentication Protocol (RFC1994)
  • MS-CHAP, Microsoft PPP CHAP Extensions (RFC2433)
  • MS-CHAPv2, Microsoft PPP CHAP Extensions, version 2 (RFC2759)
  • Syslog protocol (client; RFC5424)
  • SMTP, Simple Mail Transfer Protocol (RFC2821)
  • SMTP Service Extension for Secure SMTP over TLS (RFC2487)

5. Scope of the Class

The multiOTP class provides strong authentication functionality and can be used in different strong authentication situations:

  • Adding a strong authentication in order to identify a user (to avoid static password)
  • Fixing a hardware token at a specific place, and be sure that somebody was there at a specific time (the token code displayed to the user at the specific time will give information about where it was displayed)
  • Authenticating a user by sending him a code through SMS, which will validate automatically the mobile phone number of the user
  • Creating automatically strong authentication accounts for users present in a specific group of the Active Directory (or LDAP)

Several free projects use the library:

  • Since November 2016, the multiOTP team provides an up-to-date Credential Provider for Windows 7/8/8.1/10/2012(R2)/2016, with options like RDP only and UPN name support, called multiOTP Credential Provider,[9] based on the MultiOneTimePassword Credential Provider[10] created by Last Squirrel IT.
  • ownCloud OTP[11] is a One Time Password app based on the multiOTP class that add strong authentication to the OwnCloud project, an open source Dropbox alternative.
  • 2FA Credential Provider for Windows[12] is another strong authentication Credential Provider for Windows Login using the multiOTP library.
  • The multiOTP class has been used as a learning tool in security demonstrations[13] and a Bachelor thesis[14]


  1. "multiOTP PHP class: Authenticate and manage OTP strong user tokens". PHPclasses/Icontem. Retrieved 30 October 2013. 
  2. "Application Security Forum - Western Switzerland 2011". Application Security Forum - Western Switzerland. Retrieved 30 October 2013. 
  3. "ASF-WS 2011 Feitian token seed request". SysCo systèmes de communication sa. Retrieved 30 October 2013. 
  4. "Application Security Forum - Western Switzerland 2013". Application Security Forum - Western Switzerland. 
  5. "Studerus Technology Forum - TEFO'13". Studerus. 
  6. "Passwords^13". PasswordsCon. 
  7. "Application Security Forum - Western Switzerland 2014". Application Security Forum - Western Switzerland. 9 August 2014. 
  8. "Dev(Talks): 2015". Catalyst ( 
  9. "multiOTP Credential Provider". multiOTP team. Retrieved 1 February 2019. 
  10. "MultiOneTimePassword Credential Provider". Last Squirrel IT. Retrieved 28 July 2015. 
  11. "One Time Password Backend for ownCloud". Team. Retrieved 30 October 2013. 
  12. "2FA Credential Provider for Windows". Fluid Technology Solutions Ltd. Retrieved 30 October 2013. 
  13. "Strong Authentication in Web Application - State of the Art 2011". Compass Security AG. Retrieved 30 October 2013. 
  14. "One-time passwords Bachelor thesis (in Czech)". University of Economics, Prague. Retrieved 30 October 2013. 
Subjects: Others
Contributor MDPI registered users' name will be linked to their SciProfiles pages. To register with us, please refer to :
View Times: 825
Entry Collection: HandWiki
Revision: 1 time (View History)
Update Date: 21 Nov 2022
Video Production Service