2.2.15 (April 12 2024)
    - Added support for Windows Hello TPM-based FIDO2 credentials.
    - Fixed YubiKey enrolment with YubiCloud when the same key has been
      enrolled previously.
    - Fixed ConfirmCount not displayed in the 'bin/report' tool.
    - Added support for WebADM bruteforce protection with IP blacklisting.
    - Fixed asynchronous advanced signature with QRCode.
    - Fixed initial enrolment of Yubikeys in YubiCloud mode.
    - Added support for eIDAS qualified signature with Luxembourg eIDs,
      Belgium eIDs and Luxtrust smartcards.
    
2.2.14 (March 19 2024)
    - Fixed several incompatibilities with passwordless workflows with
      RCDevs Windows Credential Provider and Authentication Provider.
    
2.2.13 (January 10 2024)
    - Fixed Apple PassKeys registration when a FIDO trusted device list is
      configured.
    - Added support for Novell eDirectory password expiration attribute.
    - Password reset links are sent when the password is expired, even when
      LDAP authentication succeeds.

2.2.12 (December 13 2023)
    - Added support for 'PasswordLess' mode in RCDevs OpenID/SAML IdP.
    - Added support for signature with smartcards and eIDs requiring terminal
      authentication or other types of authorization (requires WebADM 2.3.11).
    - Fixed FIDO registration from admin portal when a device is disabled.
    - Fixed a minor issue with Apple PassKeys.

2.2.11 (November 23 2023)
    - Added a setting to enable weak and publicly leaked password checks.
      > Weak passwords are checked with locally-downloaded blacklists.
      > Leaked passwords are checked with the PwnedPassword online service.
        The PwnedPassword protocol is used and passwords are never sent.
      > The Password Reset can be optionally triggered when weak passwords
        are provided.
      This feature requires WebADM 1.3.10 or higher.
    - Fixed encrypted PSKC imports broken since WebADM v3.x.
    - Fixed FIDO2 'Trusted FIDO Devices' not working with Feitian FIDO2 keys.
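
The leaked-password lookup in 2.2.11, sketched as an added example (not RCDevs code), assuming the 'PwnedPassword protocol' means the k-anonymity range query of the Pwned Passwords service, where only the first five hex characters of the SHA-1 digest leave the host. `FakeRangeServer`, `leak_count`, `is_leaked` and the sample corpus are constructed for illustration and replace the online service so the example runs offline.

```python
import hashlib
import hmac

PREFIX_LEN = 5  # hex characters of the SHA-1 digest that are sent to the service


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1 of the password, as used by the range protocol."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


class FakeRangeServer:
    """Offline stand-in for the range endpoint (constructed, not the real service)."""

    DECOY = ("0" * 35, 3)  # constructed suffix returned with every bucket

    def __init__(self, corpus):
        # corpus: {password: times_seen}, constructed sample breach data
        self._buckets = {}
        for password, count in corpus.items():
            digest = sha1_hex(password)
            bucket = self._buckets.setdefault(digest[:PREFIX_LEN], [])
            bucket.append((digest[PREFIX_LEN:], count))
        self.seen = []  # everything the "service" ever receives from clients

    def fetch(self, prefix: str) -> str:
        """Return 'SUFFIX:COUNT' lines for every known hash sharing the prefix."""
        self.seen.append(prefix)
        rows = self._buckets.get(prefix, []) + [self.DECOY]
        return "\r\n".join(f"{suffix}:{count}" for suffix, count in rows)


def leak_count(password: str, fetch_range) -> int:
    """How often the password appears in the corpus; 0 if it is not listed.

    Only the digest prefix is handed to fetch_range. The suffix comparison
    happens locally, so the service learns neither the password nor its hash.
    """
    digest = sha1_hex(password)
    prefix, suffix = digest[:PREFIX_LEN], digest[PREFIX_LEN:]
    for line in fetch_range(prefix).splitlines():
        candidate, sep, count = line.strip().partition(":")
        if not sep or not count.isdigit():
            continue  # ignore malformed lines instead of failing the login
        if hmac.compare_digest(candidate.upper(), suffix):
            return int(count)
    return 0


def is_leaked(password: str, fetch_range, threshold: int = 1) -> bool:
    """Policy decision: treat the password as leaked at or above the threshold."""
    return leak_count(password, fetch_range) >= threshold


if __name__ == "__main__":
    server = FakeRangeServer({"password": 1000, "letmein": 50})  # constructed
    for pw in ("password", "letmein", "a long unlisted passphrase 7319"):
        print(pw, "->", leak_count(pw, server.fetch))
    print("sent to service:", server.seen)
```
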
    
2.2.10 (October 26 2023)
    - Introduced new workflow for PaDES PDF e-signature (with support for
      more PDF formats and compressions).
      > Requires WebADM v2.3.9.
    - Added an e-signature configuration to enable eIDAS long-term signature
      (LTA), which creates an additional TSA signature block for timestamping.

2.2.9 (October 19 2023)
    - Added offline support for upcoming Windows Authentication Provider.
    - Fixed issues when using more than 3 tokens per user.

2.2.8 (October 10 2023)
    - Added support for PKI login with machine certificates.
      > Requires RadiusBridge v1.3.30 with client certificate EAP-TLS.
      > WebADM v2.3.7 is required for issuing machine certificates.
    - Added support for MFAVPN with FIDO2 when using Viscosity VPN client.
    
2.2.7 (August 16 2023)
    - Fixed FIDO1 keys detected as Apple PassKeys and failing at login.
    - Fixed FIDO2 delay issues with LDAPMFA when Token push request failed.

2.2.6 (July 3 2023)
    - Fixed a bug stopping execution when Hardware Only Token is enabled.
    - Enhanced the user agreement / contract signing feature (added QR
      code support when push is not received).

2.2.5 (June 13 2023)
    - Enhanced the added user agreement functionality.
      > Update required with WebADM v2.3.1.
    - Added signature annotation with advanced signature.

2.2.4 (May 30 2023)
    - Added support for WebADM v2.3 (this version requires WebADM v2.3).
    - Removed LogoFile setting. Logo is now a global WebADM configuration and
      should be configured via 'org_logo' in 'conf/webadm.conf'.
    - Added user agreement / contract signing during login transaction.
      > With HTML documents, a user consent is shown for signed confirmation.
      > With other documents, the user has to sign the attached document.
      > These features are configured via Client Policies and provide eIDAS-
        compliant login terms and conditions signature with PaDES (PDF) or
        CaDES, during a user authentication workflow.

2.2.3 (April 19 2023)
    - Removed YumiSign Extern Sign and Confirm APIs.
    - Do not send the push close request when the initial push request failed.
    - Added support for encrypted PDF files (OpenOTP Sign API).
    - Added support for more PDF specifications (OpenOTP Sign API).

2.2.2 (March 21 2023)
    - Added a mobile option to disable secret key resync by default (KeyUpdate)
      as this feature breaks offline Windows login.
    - Removed ExternSign APIs.

2.2.1 (March 1 2023)
    - Fixed 'Server Error' when entering a wrong OTP in a NormalLogin request.
    - Fixed 'missing U2FAppId' error with LDAPMFA when no token is registered.

2.2.0 (January 19 2023)
    - Added compatibility with WebADM 2.2.
    - Enhanced support of Apple Passkeys.
    - Added signature support for the new YumiSign WebApp in WebADM.
    - Fixed signature support for encrypted PDFs with an empty password.
    - Updated the application icons.
    - Removed the XML-RPC service API (deprecated).
    - Removed deprecated FIDO U2F authentication and enrolment.
      > Existing U2F user keys can still authenticate like before.
      > Removed the 'mode' parameter from FIDO manager methods.

2.1.8 (December 20 2022)
    - Multiple badging fixes and enhancements (requires WebADM v2.1.18).
    - Added support for OpenOTP Mobile Token with badging green access light.
      > This feature will be supported in the upcoming OpenOTP Token update.
    - Added an API method for checking if a user is currently badged in.
    - Mobile badging requires a licencing option and is provided for free in
      RCDevs Freeware and Trials (please ask RCDevs sales for more information).
      > To activate the badging feature in OpenOTP, enable 'Mobile Badging'
        under the OpenOTP application settings. On the user mobile phone, start
        the OpenOTP Token app, then click/open your Token instance and click
        'Synchronization'. The 'Badge-In/Badge-Out' button appears now.

2.1.7 (December 5 2022)
    - Added a new SOAP method to start a remote user badging with Check mode.
      > The action can be triggered from WebADM Admin in the OpenOTP actions.
    - Added a 'MIXED' badging mode to use check-only from office location and
      badge-in / badge-out mode anywhere else.

2.1.6 (November 11 2022)
    - Added a user badging feature with RCDevs Mobile Token.
      > Features local/remote user badging and time tracking.
      > Activate the mobile feature by enabling the 'Badging' option in your
        OpenOTP application configuration.
      > New client policy option to allow access for badged-in users only.
      > Record check-in & check-out times with geolocation and timestamping.
    - Added GeoIP information in the confirm and sign SQL records.
    - Added compatibility with WebADM v2.1.16.
    - Added support for FIDO2 with Apple PassKeys for macOS and iOS.

2.1.5 (October 3 2022)
    - Added per-token options to be forced during enrollment for RCDevs
      mobile Token (ex. app protection, geo-matching and spoken OTP).
    - Mobile logo can be updated on-the-fly during the next transaction.
    - Better support of FIDO2 enrollment with TPM and Android FIDO specs.
    - Added support for mobile Token data resync and secret key refresh.
    - Remove all pending sessions and related data when un-enrolling a Token.
    - Do not fail when translated push message contains non-UTF8 characters.

2.1.4 (September 15 2022)
    - Complete rewrite of the PDF parser for PaDES signature preparation.
      > Wider and more reliable support of PDF variants.
      > Enhanced performance and memory usage.
    - Fixed a WSDL typo raising Python warnings.
    - Added SQL audit log event types (requires WebADM >= 2.1.15).
    - Fixed non-UTF8 mobile signature comments not working.
    - Added U2F and MFA only login modes.
    - Removed the 'scan' parameter for normalConfirm, confirmQRCode and
      externConfirm signing API methods.
      > WARNING: The SOAP parameters being ordered, please update your client
        code if you use the signing methods.

2.1.3 (July 18 2022)
    - Added support for WebADM Voice Biometrics v2 (requires WebADM >= 2.1.13).
    - Enhanced voice biometrics reliability and auto-learning algorithm.
    - Fixed 'bin/report' not working as expected with WebADM metadata licenses
      and SQL data store mode.
    - Added a LastReject metadata in the OpenOTP user data.
    - Faster and more reliable voice biometrics enrollment in self-services.
    - Added support for LDAP attribute value filtering in the RADIUS reply data.
      > The RADIUS reply attribute format is 'LDAP:myattr/ch[az]*' where the
        optional '/' can be used to add a filter on the LDAP values.

2.1.2 (May 30 2022)
    - Added support for mobile signing certificates' revocations.
    - Added support for advanced signatures with the External YumiSign requests.
    - Minor corrections in the error management for document signing.
    - Mobile signature mode is now called 'Standard'.

2.1.1 (April 22 2022)
    - Added support for secure confirmations (ie. PSD2 transactions) with both
      advanced and qualified signature. This is achieved by using the 'Sign'
      APIs without an attached document.
    - Fixed wrong titles in SQL reports for secure confirmations and document
      signatures.
    - The PKILogin method now returns the ActiveDirectory userPrincipalName.
      > This is required by RadiusBridge EAP-TLS with newer Windows versions
        when using UPNs.

2.1.0 (April 6 2022)
    - Added support for advanced signatures with local CA, RCDevs Global CA and
      eIDAS (EUTL).
      > OpenOTP now supports Mobile Signatures via the Confirm API methods and
        a set of advanced signature scopes including eIDAS qualified (QES) with
        the Sign API methods. The new setting 'Signature Scope' allows setting
        the target scope per-policy or per-request with the following values:
        - Local: User certificates are generated by your local WebADM CA.
          The signature validity scope is limited to your organization.
        - Global: Certificates are provided by the RCDevs Enterprise Global CA.
          The signature validity scope is cross-organization and world-wide.
          Any organization-level information included in the user identities
          is validated and controlled by RCDevs' licensing (in Luxembourg) and
          also cannot be forged/faked by the users.
        - eIDAS: OpenOTP requires an external eIDAS device like European eID
          Cards for any qualified-level signature.
    - Minor Mobile signature fixes and enhancements.
    - Added support for latest YumiSign Platform API Urls.
    - Fixed openotpOfflineConfirm issues (wrong session type).

2.0.8 (February 21 2022)
    - Added offline support for PKI login (ie. Windows login with SmartCards).
    - Seal method works with both 'Confirm' and 'Sign' license options.
    - Added support for more PDF formats.

2.0.7 (January 27 2022)
    - Added support for linearized PDF for signing.
    - Fixed signature issues with some PDF files.

2.0.6 (January 5 2022)
    - Signing with 'Require Trusted Certificate' now relies on the certificate
      subject hash allowing eID certificate renewal without denying signatures.
    - Added an API option to register eID login certificate in LDAP accounts.
      > This will be required for the upcoming OpenOTP CredentialProvider for
        Windows, with PKI Login support.

2.0.5 (December 24 2021)
    - Advanced signature is filled in the PDF signature anchor if present.
    - Added username and domain to the results in openotpList requests.

2.0.4 (December 5 2021)
    - Added support for PKI login with external certificates (eIDAS ID cards).
      > Certificates from external CAs are verified using CRL or OCSP.
    - Added support for eIDAS ASiC (Associated Signature Containers).
    - Added support for qualified PSD2 confirmations with European ID cards.
    - Fixed issues with signature relayed to external YumiSign accounts.
    - Fixed advanced signatures failing with large PDF files.
    - Added a setting to allow qualified signatures only with user certificates
      registered in the LDAP user accounts.
    - Fixed mobile transaction fetch still displaying pending transaction after
      signing (until sealing is processed).
    - Added support for FIDO2 Web login with U2F-registered FIDO devices.
    - Fixed broken FIDO2 login with Apple Safari browser.
    - Fixed 'Extern' (YumiSign) signature issues with async sign mode.
    - Removed 'Internal' devices from the 'Trusted FIDO Devices' setting.
    - Added 'FIPS' devices to the 'Trusted FIDO Devices' setting.

2.0.3 (November 10 2021)
    - Added support for latest OpenOTP Mobile Token (ReactNative version).
    - Fixed SuccessURL not called upon mobile confirmation/signature success.
    - Added support for scanned attachments with advanced signature.

2.0.2 (October 21 2021)
    - Fixed document Seal method not working with PaDES mode.
    - Added support for LDAP language attributes in the form 'FR-fr'.
    - Fixed failure response delay when a qualified signature fails
      because of expired or untrusted eIDAS device.

2.0.1 (September 27 2021)
    - Added 'Extern' Confirm and Sign methods allowing advanced and qualified
      signature requests to be forwarded to YumiSign users (at www.yumisign.com).
      > These methods provide document signing with YumiSign non-local users.
      > You need a YumiSign Enterprise account with an API Key in order to use
        the 'Extern' signing features.
    - Added support for XaDES (XML) qualified signature mode.

2.0.0 (September 13 2021)
    - Added support for qualified X.509 signatures with RCDevs Mobile Token.
      Qualified signing requires the use of external eIDAS-trusted smart cards
      or Electronic European ID cards.
      Advanced signing works with any mobile phone.
    - Mobile Token Signing API version is now v3 (with Qualified Signature).
      > This API version requires RCDevs Mobile Token v1.4.16 (under release).
      > The CaDES signing support will be added via a secondary app update.
    - Fixed wrong request timeout displayed on RCDevs Mobile Token with
      confirmation requests.
    - Major mobile push protocol enhancements.
    - Removed organization name from mobile push titles.
    - Better mobile push notification titles.
    - Removed the 'untrusted' flag from the PKILogin authentication method.
    - Confirm / Sign Cancel success now returns code '1'!
    - Return 'PasswordLockout' error code with AD account lockout.
    - Prevent retry attempts when no Push Token response matches.
    - Major improvements to the OpenOTP session management system.

1.5.10 (April 20 2021)
    - Offline login with RCDevs' Windows Credential Provider can be enabled
      or disabled per-policy, user or group. Expiration time is configurable.
      > Windows Offline login mode is now disabled by default.
        Please set the 'Windows Offline Login' setting to '90' to restore the
        previous OpenOTP behavior.

1.5.9 (April 13 2021)
    - Fixed enrolment QRCode not working in Self Services when scanned by
      Google Authenticator (OpenOTP Compatible Mobile Token Mode).
    - Added per-domain Mobile logo with service provider licenses.
    - Added per-domain email sender with service provider licenses.
    - The deprecated Manager method 'Token_QRCode' has been removed.

1.5.8 (April 4 2021)
    - Added Client ID chaining with SMSHub.
      > When OpenOTP sends an SMS request to SMSHub, the client ID is
        forwarded. You can also implement cross services client policies.
    - Fixed QRCode confirmation not showing the PDF download button.
    - Added support for OTP Prefix registration links sent by OpenOTP when
      the OTP Prefix is missing.
    - Enhanced the Mobile Token's pending confirmation fetching mechanism.
    - Token unregistration flushes pending asynchronous confirmation sessions.

1.5.7 (March 8 2021)
    - Prevent re-enrolment of a mobile Token with the same push identifier or
      the same secret key.
    - Detached enrolment now works only with RCDevs mobile Token.
    - Added server-side un-enrolment when mobile Token is removed on the phone.
    - Mobile Token display name is now reduced to the user display name.
      > RCDevs Mobile Token now prevents multiple enrolments for the same user
        and domain on the same mobile device.
    - Added FIDO2 PIN / Biometric user verification policies.
    - Major improvements to the Confirmation file / form feed.
    - Enhanced and localized Mobile Push request's title.
    - Added a method to re-send a confirmation push request or retrieve a QRCode
      for a started asynchronous confirmation request.

1.5.6
    - Added confirmation cancel with an offline cancel OTP code.
    - Added more expiration options for detached mobile Token enrolment.
    - Fixed RADIUS Reply attributes not returned to RadiusBridge when using
      client policies' friendly names.
    - Send SMS / Email OTP messages immediately when being deferred and the
      secondary out-of-band method has failed.

1.5.5
    - OTP retry now works when OTP password is provided before challenge.
    - Improvements to the offline FIDO2 support.
    - Support for future FIDO1 (U2F) offline with the Windows CP.
    - Fixed YubiKey not being shown in the Admin interface after enrollment.
    - Added 2 months auto-expiration for offline FIDO keys.

1.5.4
    - Added compatibility with WebADM 2.0.11.
    - Added source IP information to RADIUS proxy requests.
    - Added support for offline Windows Login with FIDO2 devices.
    - Added Token APIs for fetching pending confirmation transactions.
    - Added Token APIs for removing server-side token instances.
    - Added Email/SMS QRCode sending for detached Token registrations.
    - Code optimizations for better challenge-response performances.
    - LastOTP and Emergency OTP work when Hardware only is enabled.
    - Application Passwords now work even if no token is enrolled.
    - Confirm attachments can now be fetched from a URL, Couchbase, Redis,
      a local file (ie. NAS mount) or even a system command.

1.5.3
    - Fixed %SERVICE% variable not being filled in the message templates.

1.5.2
    - The MobileEndpoint URL is sent in every push request for an automatic
      client-side URL update if necessary.
    - Added a setting 'Prepare Attached Files' with confirmation requests.
      > The signed file and user metadata are sent to a RCDevs cloud service
        which creates a final PDF (with metadata, CA seal and timestamping).
    - Added the source IP information with local logins with the Windows CP.
    - Removed ServiceName from the configuration.
      > Service name should be configured via 'org_name' in 'webadm.conf'.
    - Added a debugging option to the testing tool.

1.5.1
    - Detached Token enrolment auto-switches OTP Type from 'PROXY' to 'TOKEN'.
    - OTP Token is auto-unregistered when the mobile token instance is removed.
      > This feature will soon be enabled in the RCDevs mobile Token app.

1.5.0
    - Added voice biometrics authentication method (requires WebADM v2.0).
    - Added compatibility with WebADM v2.0.0.
    - Fixed some issues when PIN Prefix is enabled with Simple Push login.
    - With OTP-only LoginMode, PIN can be pre-entered in the OTP password.
    - Fixed issues with Yubikey and OTP-only LoginMode with challenge disabled.
    - RADIUS Proxy feature now supports remote RADIUS challenge response mode.
    - Added virtual LDAP attributes' support to login and confirm requests.
      > The virtual parameter allows passing LDAP attributes in a value-pair
        format, overriding the LDAP values.
    - Fixed the 'user ID credential mismatch' issue with OTP challenges.
    - Added a 'NODELAY' option to prevent anti-bruteforce delay for load-tests.
    - Allow one retry with offline confirmation responses (ChallengeRetry).
    - HOTP/TOTP window is enlarged at first login for initial auto-resync.
      > This helps cope with clock drift when a token has never been used.
    - Token States parameters are passed as string in the Manager methods.
    - Fixed broken returned RADIUS attributes with dynamic LDAP values.
    - HOTP_Verify and TOTP_Verify return the current Token State on success.
    - Fixed an issue with bin/report and user settings.
    - Fixed an issue with user blocking when Max Idle Time is enabled.
    - Fixed Hardware Token import issues with larger Token clock drifts.
    - The bin/report tool shows boolean user settings with 'Yes' and 'No'.
    - Added a time stamping to the Confirm database reports (with Entrust).
    - Confirm 'data' (description) size is now limited to 1024 octets.

1.4.9
    - Added automatic migration to the new OTP Prefix internal format.
    - Added compatibility with WebADM v1.7.10.
    - Blocking state applies to confirmation requests (confirmations are
      refused when the account has been blocked with wrong authentications).
    - Added a setting to block an account which has not been successfully
      used for a number of days.
    - Fixed the 'Call to undefined function openotp_random_password()' with
      the 'Emerg_Register' manager method.
    - Better error handling with Push login and Push confirmations.
    - Fixed offline confirmation not working in synchronous request mode.

1.4.8
    - Prevent Push notifications from being sent when the PIN prefix is wrong.
    - Wrong PIN prefix honors the protect password feature (fake challenge).
    - Added auto PIN registration with PROXY OTP Type when PIN is requested.
    - Fixed broken Inventory_Register Manager method (missing DN parameter).
    - Fixed TOTP Token offset wrongly set with Inventory_Register method.
    - Fixed an issue when sending a blank RADIUS Proxy request in the first
      login step to get a TanCard challenge.
    - Added Luxembourgish translations to the language template file.
    - Fixed a Token registration issue with TOTP time offset (Token drift).
    - Fixed RADIUS Proxy failures producing ServerError when no radius
      attribute is returned by the remote RADIUS server.
    - Added Manager APIs to disable and enable FIDO devices.
    - Added a method for PKI login on WebSites (openotpPKILogin).
      > Simply pass the user/client certificate to the method.
    - YubiCloud validation service's CA certificates were updated.
    - YubiCloud is now working only over SSL (removed YubiCloud SSL setting).

1.4.7
    - Fixed some issues when PIN Prefix is enabled with Simple Push login.
    - With OTP-only LoginMode, PIN can be pre-entered in the OTP password.
    - Fixed issues with Yubikey and OTP-only LoginMode with challenge disabled.
    - RADIUS Proxy feature now supports remote RADIUS challenge response mode.
    - Added virtual LDAP attributes' support to login and confirm requests.
      > The virtual parameter allows passing LDAP attributes in a value-pair
        format, overriding the LDAP values.
    - Fixed the 'user ID credential mismatch' issue with OTP challenges.
    - Added a 'NODELAY' option to prevent anti-bruteforce delay for load-tests.
    - Allow one retry with offline confirmation responses (ChallengeRetry).
    - HOTP/TOTP window is enlarged at first login for initial auto-resync.
      > This helps cope with clock drift when a token has never been used.
    - Token States parameters are passed as string in the Manager methods.
    - Fixed broken returned RADIUS attributes with dynamic LDAP values.
    - HOTP_Verify and TOTP_Verify return the current Token State on success.
    - Added support for Tokens with arbitrary SHA1 key lengths.
    - Removed support for HOTP/TOTP Tokens with MD5 algorithm.
    - Fixed a parameter issue with the JSON method openotpConfirmQRCode.
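
The first-login auto-resync noted in 1.5.0 and 1.4.7, sketched as an added example (not OpenOTP code): a TOTP verifier that accepts a wide window only until a token's first success, stores the learned drift, then falls back to a narrow window and rejects replayed steps. The window sizes, `TokenState` and `verify_totp` are assumptions made for illustration.

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass
from typing import Optional

STEP = 30              # TOTP time step in seconds (RFC 6238 default)
NORMAL_WINDOW = 1      # assumed: +/- steps accepted for a token already in use
FIRST_USE_WINDOW = 10  # assumed: +/- steps accepted until the first success


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP value; TOTP is HOTP with counter = unix_time // STEP."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


@dataclass
class TokenState:
    secret: bytes
    drift_steps: int = 0                # learned clock offset, in time steps
    last_counter: Optional[int] = None  # None means the token was never used


def verify_totp(token: TokenState, otp: str, now: int) -> bool:
    """Check an OTP at server time `now`, updating drift and replay state."""
    if not (otp.isascii() and otp.isdigit()):
        return False
    first_use = token.last_counter is None
    # The wide window multiplies the number of valid codes an attacker can
    # guess against, so it applies only until the first successful login.
    window = FIRST_USE_WINDOW if first_use else NORMAL_WINDOW
    base = now // STEP + token.drift_steps
    # Try the expected step first, then move outwards in both directions.
    for delta in sorted(range(-window, window + 1), key=abs):
        counter = base + delta
        if counter < 0:
            continue
        if not first_use and counter <= token.last_counter:
            continue  # this step or an earlier one was already consumed
        if hmac.compare_digest(hotp(token.secret, counter), otp):
            token.drift_steps += delta    # remember the drift (auto-resync)
            token.last_counter = counter  # block replay of this code
            return True
    return False


if __name__ == "__main__":
    secret = b"12345678901234567890"  # RFC 4226 test secret
    fresh = TokenState(secret)
    # Constructed scenario: the token's clock runs 5 steps ahead of the server.
    print(verify_totp(fresh, hotp(secret, 5), now=0), fresh.drift_steps)
    print(verify_totp(fresh, hotp(secret, 6), now=30))  # narrow window, drift applied
    print(verify_totp(fresh, hotp(secret, 6), now=30))  # replay is refused
```
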

1.4.6
    - This update is required for WebADM version >= 1.7.6.
    - Close remaining session slot when overriding a confirmation request.
    - Close mobile Token approve page when confirming with the fallback OTP.
    - Added support for branded Mobile Token with several branding options.
    - Optionally prevent Google Authenticator and RCDevs Token from being used
      alongside branded tokens.
    - Fixed REST/JSON Confirmation API not working in asynchronous mode.
    - Added address and localtime in cancelled confirmation responses.
    - Push Login and synchronous Confirmation use the new WebADM inter-process
      message queuing. This improves performance by limiting the number of
      session manager calls while waiting for mobile responses.
    - Confirmation forms must be provided base64-encoded.
    - SuccessURL is called with user confirmation cancel.
    - Compatibility with third-party Mobile Tokens (ex. Google Authenticator)
      is now disabled by default (ie. setting 'Compatibility Mode').
    - Added a detached registration mode to the Token registration admin page.
      > Detach mode can optionally require an enrolment PIN code.
    - Multiple code optimizations related to Push Login and session timeouts.
    - Re-scoped some application settings.
      > If you configured blocking policies or geo-fencing on a user or group,
        please configure it in the application or client policy.

1.4.5
    - Fixed new Push Id update with latest RCDevs Mobile Token for Android.
    - Fixed issues for Android push IDs.
      > The RCDevs team apologizes for any inconvenience and issue due to
        the move to the Firebase Push notification protocol for Android.
    - Added HTML form support for user questions in confirmation requests.
    - Added a configuration for confirmation options. Options are:
      > Offline: Allow the mobile to issue a fallback confirmation OTP.
      > Address: GPS address at the signing location.
      > Localtime: Date and time at the signing location.
      > Signature: Handwritten signature image.
      > Initials: Handwritten initials image.
      > Comment: Prompt for a comment on confirmation reject.
    - Added the possibility to disable a FIDO device.
    - The Manager method 'user_methods' takes care of disabled/expired Tokens.
    - Added a Manager method to get the list of registered OTP Tokens.
    - Added a Manager method to get the list of registered FIDO Devices.
    - New confirmation with the same data overrides any previous confirm session.

1.4.4
    - New confirmation workflows and API (100% compliant with PSD2 regulations).
    - Allow multiple confirmation transactions at a time for a single user.
    - Added support for asynchronous QRCode confirmations with a testing tool.
    - Added support for synchronous QRCode confirmations.
    - Added an optional document attachment to the confirmation APIs.
      > The file can be downloaded and reviewed during the confirmation request.
      > The latest OpenOTP Mobile Token is required in order to use the feature.
    - Added a timeout parameter to the confirmation methods.
      > Default confirmation timeout is the MobileTimeout plus an extra 30 secs.
    - Confirmation OTPs are now 8 characters instead of 8 digits (more secure).
    - Confirmation responses are encrypted with AES-128 and per-session vectors.
    - WebADM records are created for confirmations with all the transaction data.
    - Added confirmation metadata (address, handwritten signature, local time).
    - Fixed problems with FIDO U2F/FIDO2 enrolment via the Manager API.
    - Added the possibility to configure several RADIUS hosts for RADIUS proxy.
    - Added optional 'SuccessURL' to inform a remote system of a login success.
    - Fixed LDAPU2F LoginMode returning a combined OTP & U2F challenge.
    - Added support for WebADM cluster-level caching API.
    - Multiple internal code optimizations for both login and confirmation.
    - All mobile Tokens are notified for success/failure with SimplePush login.

1.4.3
    - Added support for WebADM v1.7 (it does not work with previous versions).
    - Fixed deferred email/SMS OTP not sent in fallback mode.
    - Added optional max usage count for emergency OTPs.
    - Fail immediately if SMS/mail sending fails and no fallback method is configured.
    - Fixed 'user under transaction' issue when mail/SMS is set as fallback method.
    - Fixed SMS/mail fallback delay issues with windows login plugin.
    - All pushed data like location or client Id are now encrypted.
      > Requires the latest RCDevs Mobile Token version for iOS and Android.
    - OTP PIN Prefix is now stored in binary format.
    - Fixed OTP challenge type when PIN Prefix is wrong.
    - Internal U2F and FIDO2 optimizations.

1.4.2
    - Allow devices with Internal TPM like Apple MacBook to be used as FIDO2 devices.
      > The integrated FIDO device is the TouchID reader combined with the TPM chip.
    - If not set to U2F, FIDO2 is now the default FIDO operating mode.
    - Removed trust domain support (feature dropped in the upcoming WebADM 1.7.0).

1.4.1-4
    - Fixed 'user under transaction' issue with Push Token with Mail or SMS fallback.
    - Fixed token closing too early with OTP retries in display mode.
    - Fixed broken FIDO2 registration with Yubikey5.
    - Added offline confirmation retries.
    - Added confirmation support with Trust domains.
    - Added framework functions for Emergency OTP registration via SelfDesk.
    - Manager methods 'Prefix_Register' and 'Emerg_Register' can optionally generate
      the new PIN/OTP and now return the PIN/OTP value instead of 'true' on success.
    - Added a FIDO2 compatibility mode which allows legacy U2F devices like Yubikey4
      to be registered and used in FIDO2 mode.

1.4.1
    - Added a challenge retry option.
    - Simplified the WSDL protocol description (required for retries).
      > OpenOTP Challenge responses are now identical to login responses.
      > Multiple challenges can be returned for the retries.

1.4.0
    - OpenOTP now supports FIDO2 devices from any vendor.
      > The admin pages and self-services, and RCDevs OpenID/SAML identity provider
        have been updated for FIDO2 support.
      > FIDO2 will be added to ADFS later on.
    - Removed MOTP Tokens' support.
    - Fixed intelligent PUSH suspend not working with SMS and MAIL fallbacks.
    - Enhancement to the U2F (FIDO1) support.

1.3.12
    - Fixed fallback SMS/Email not being sent with 'cancel deferred SMS' message.
    - Added support for offline confirmation workflow with OpenOTP Mobile Token.
    - Removed SMSHub custom URL, username and password settings (not needed anymore).
    - Added password reset links when user password expired or must be changed.
    - Removed SMS SenderNumber and email SenderAddress settings.
      > The SMS sender number is now configurable in SMShub only.
      > The email sender address is configured via the 'org_from' in webadm.conf.
    - Fixed Trusted U2F Devices feature not working on Chrome version >= 66.
    - RADIUS Proxy requests can optionally send another LDAP user ID attribute.
    - RADIUS Proxy requests forward OTP Pin Prefix and concatenated passwords.

1.3.11
    - Added an offline confirmation method (with QRCode scan on RCDevs Mobile Token).
    - Added asynchronous confirmations (to be used for upcoming SpanKey features).
    - Fixed Password Reset with OpenOTP authentication failing when AD account is locked.
    - Added support for AD DisplayName attribute.
    - Confirmations and authentications can be executed concurrently for the same user.
    - Authentication and confirmation sessions' optimizations.

1.3.10
    - Fixed one issue with Windows CP when configured not to check LDAP password on AD.
    - Do not allow logins for user accounts locked in ActiveDirectory (Lockout policy).
    - Added Auth Cancel message template returned when users deny a SimpleLogin request.
      > You need to re-apply your OpenOTP configuration in WebADM after upgrade.
    - Added support for RCDevs LDProxy with LDAP MountPoints.
    - Added a geo-fence protection feature preventing access from distant locations
      within a configurable time frame.

1.3.9
    - Fixed Authorization URL and RADIUS Reply URL timeout issues.
    - Added support for RCDevs' OpenOTP LDAP Bridge version 1.0.8.
    - Fixed SimplePush login with SimpleLogin method when challenge mode is not enabled.
    - The success notification URL has been removed and replaced by 'Authorization URL'.
      > The authorization URL is called before the user authentication to validate the
        user access information. It can also be used to implement complex access control
        which WebADM client policies cannot handle.
      > The authorization endpoint may return ACCEPT or REJECT with an optional parameter:
        'ACCEPT:LoginMode=LDAPOTP' can be used to pass a user setting such as LoginMode.
        'REJECT:error message' can be used to log the reject reason in OpenOTP.
    - Added geolocated country code (LOCATION) parameter to RADIUS Reply URL.
    - Fixed error 'Invalid NowaitState' introduced with OpenOTP v1.3.8.
    - Added %SENDER% variable to Authorization URL and RADIUS Reply URL containing the
      requestor host IP address (i.e. Host IP in WebADM SQL logs).
    - Added concatenated password support when SimplePush Login is used.
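
The Authorization URL response format described in this release (ACCEPT or REJECT with one optional parameter) can be handled as in the following added example, which is not RCDevs code. The fail-closed handling of malformed bodies, the setting allow-list, the value pattern and all function names are assumptions made for illustration.

```python
import re
from dataclasses import dataclass, field

# Assumption: settings the endpoint may override. The release notes only show
# LoginMode; anything else is refused rather than silently applied.
ALLOWED_SETTINGS = {"LoginMode"}
VALUE_RE = re.compile(r"[A-Za-z0-9_]+")      # assumption: plain tokens only
CTRL_RE = re.compile(r"[\x00-\x1f\x7f]")     # CR, LF and other control bytes


@dataclass
class AuthzDecision:
    accept: bool
    settings: dict = field(default_factory=dict)
    reason: str = ""


def sanitize_reason(text, limit=200):
    """The REJECT reason ends up in a log, so neutralise control characters
    (log-line forgery) and cap the length."""
    return CTRL_RE.sub(" ", text).strip()[:limit]


def parse_authz_response(body):
    """Turn the endpoint's response body into a decision.

    Anything that is not exactly one of the documented shapes is treated
    as a reject, so an error page or a truncated reply never grants access.
    """
    if not isinstance(body, str):
        return AuthzDecision(False, reason="malformed response")
    verdict, sep, rest = body.strip().partition(":")

    if verdict == "REJECT":
        reason = sanitize_reason(rest) or "rejected by authorization endpoint"
        return AuthzDecision(False, reason=reason)
    if verdict != "ACCEPT":
        return AuthzDecision(False, reason="malformed response")
    if not sep:
        return AuthzDecision(True)           # bare ACCEPT, no parameter

    # 'ACCEPT:Name=Value' -> one user setting passed back to the server.
    name, eq, value = rest.partition("=")
    if not eq or name not in ALLOWED_SETTINGS or not VALUE_RE.fullmatch(value):
        return AuthzDecision(False, reason="unsupported parameter")
    return AuthzDecision(True, settings={name: value})


if __name__ == "__main__":
    # Constructed sample bodies, not captured from a real endpoint.
    samples = [
        "ACCEPT",
        "ACCEPT:LoginMode=LDAPOTP",
        "REJECT:account suspended",
        "REJECT:denied\r\n[fake] login success",
        "<html>502 Bad Gateway</html>",
        "ACCEPT:IsAdmin=1",
    ]
    for body in samples:
        print(repr(body), "->", parse_authz_response(body))
```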

1.3.8
    - Added a Confirmation API allowing applications to trigger mobile approvals.
      > The confirmation payload is sent encrypted to the mobile phones.
      > The confirmation response includes the payload hash (sign what you see).
    - Added a client policy option to allow only Hardware tokens and U2F devices.
    - SimplePush approval wait time is automatically disabled when the mobile Token
      does not receive the push notification or another device is used.
      > SimplePush is automatically re-enabled when the push notification is received.
    - Added support for Simple Push login when OTP challenge is disabled.
    - Added compatibility with newer CURL version WebADM v1.6.1.
    - Added support for the upcoming RCDevs VPN server with U2F support.
    - Added support for LDAP reply attributes of type IP address encoded as long int.
    - Manager API allows the registration of RCDevs mobile Token in online mode.
    - Fixed private YubiCloud not working when only one URL is configured.
    - Added support for Apple & Android Push Id renewals (requires WebADM v1.6.2).

1.3.7
    - Added support for WebADM v1.6 (this version does not run on previous WebADM).
    - Added vendor filtering for U2F devices' registration in WebApps.
      > Yubico and Feitian vendors are currently supported.
    - Major performance enhancements to the internal binary data handling.
    - Added a protection preventing expired application passwords from blocking user.
    - Non-expiring application passwords are not supported anymore.
    - Added support for Simple Push login with PIN Prefix feature enabled.
      > Requires the latest version of RCDevs mobile OTP Token.
    - Added support for Cisco ASA servers not supporting 30 seconds' timeouts.
      > You need RADIUS Bridge version 1.3.2 to enable this feature!
    - Added temporary access password feature allowing users to login with a
      time-limited passkey, overriding the default LDAP+OTP policy.
      > This feature is usable only via the Manager method OpenOTP.TmpKey_Register.
    - Mobile Push approve/deny wait time can be configured per client policy.
      > This setting has been moved to the Authentication Policy config section.
    - Added SelfReg registration when no OTP Token / U2F Device is registered.

1.3.6
    - Added support for new options in Credential Provider version 1.1.6.
    - Added support for upcoming Credential Provider offline login mode.
    - Fixed broken Secure Mail (s/mime encryption) feature.

1.3.5
    - Added Mobile Signature Service (MSS) support with Swisscom MobileID services.
      Use 'MobileID' as SMS Delivery mode in order to use the MSS login method.
      > MobileID SMS delivery mode cannot be used with SMS as fallback OTP method.
    - Removed SMSC configurations (SMSHub is now required for SMS features).
    - Fixed mobile push notification sent even when Token has expired.
    - Mobile Endpoint & U2F AppID URLs are auto-generated with WAProxy configurations.
    - Added user Id & domain metadata in the RCDevs Software Token registration process.
      > Reserved for upcoming Windows integrations products.
    - Simple Push login cannot be used with Token defined as fallback OTP method.
    - Check certificate hostname for private YubiCloud with HTTPS.
    - Added support for HTML challenge messages for Mail OTP.
      > The challenge message template must start with the '<HTML>' tag.
    - Several internal workflow optimizations.
    - New RCDevs Token logo image.

1.3.4
    - Added support for RadiusBridge credential cache feature (see RB documentation).
    - LDAP credential cache for RadiusBridge handles Reply Attributes' URL correctly.
    - Fixed token expiration which should not be available for hardware tokens.
    - OTP List goes to the next OTP only when all factors are successful.
    - Updated YubiCloud trusted SSL certificate.
    - Fallback SMS and Mail are deferred when used as fallback method.
      > Messages are canceled when the primary method is used in the next 10 seconds.
      > SMSCount & MailCount metadata are dropped because incompatible with this feature.
    - OpenOTP sends the received NAS-Identifier / Client ID to the RADIUS proxy server.
    - Added localized messages API compliance with WebADM v1.5.10.

1.3.3
    - The Token Mobile Endpoint and U2F AppId URLs are now available under the WebADM
      HTTPS URL and not under the Web service URL anymore. The new U2F AppID and Token
      URLs are now https://yourserver/ws/appid/ and https://yourserver/ws/openotp/.
      > This change is required for public endpoints to use WebADM custom certificates.
      > WAProxy URLs are not impacted but you need WAProxy 1.1.1 with this version.
    - Added context expiration and lifetime parameters for the contextual authentication.
    - Added PIN Prefix support for Simple-Push login (requires newer OpenOTP Token).
    - Added an option to configure which user attribute should be sent to a remote RADIUS
      server with PROXY OTP Type.
    - Fixed an issue with U2F FacetID behind a WAProxy server (some facets are missing).
    - Added options to Manager user report methods for returning AD password expiration.

1.3.2
    - Updated the U2F challenge API to be more suitable with FIDO-Javascript v1.1.
      > The format of the U2F challenges returned by OpenOTP has changed.
        If you developed your own Web login forms with U2F and OpenOTP, please look at
        the example in doc/examples/loginform.zip in order to update your existing code.
    - Added error IDs to the error responses (required for our latest windows credential
      provider with the password reset feature).
    - Fixed unhandled SOAP timeout issues in webapp exported methods.
    - Added support for Simple-Push with the RCDevs ADFS plugin.
    - Added support for WebADM service protocol API version checking.

1.3.1
    - Added geolocation data to push requests (required for phishing protection on Android).
    - Extended the Simple-Push wait time to 20 seconds (instead of 15 seconds).
    - Replaced the settings 'Send Blocking Email' and 'Send Blocking SMS' by the common
      setting 'Send Blocking Notification'.
      > The 'Send Blocking Notification' can be set to mail, SMS or mail+SMS.
    - Added a setting 'Send Expire Notification' for expired LDAP passwords and OTP Tokens.
    - Added an email message template for expired LDAP passwords.
    - Disabled account blocking on login failure when the OTP Token expired.
    - OpenOTP validates the mobile clock during the enrolment of the OpenOTP Software Token.

1.3.0
    - Added support for RCDevs Mobile Authenticator (mobile Token with Push Login).
      > OpenOTP now supports push notification-based login with the new Push OTP methods.
      > Standard OTP login with HOTP and TOTP authentication supports push notifications.
    - Uses the new WAPI framework from WebADM 1.5.0.
    - Minor bug fixes for Manager methods.
    - Removed the 'Update Inventory' button in the Token registration admin page.
    - SQL audit log displays which Token instance was used in an authentication success.
    - Fixed client-filtered RADIUS reply attributes not working with client aliases.
    - Renamed the service 'MFA Authentication Server'.
    - Allow Emergency OTP longer than the configured OTP length.
    - Added a 'NOLOCK' option to disable transaction locks (for server status polling).
    - Prevent administrators from registering an OTP Token or U2F Device on a slot which
      is already registered. Administrators need to un-register first.
    - OTP prefix must be numeric characters.
    - SMS Sender ID can contain any printable characters.
    - Prefetched SMS/Email message uses Service Name instead of the Client Name.
    - Fixed RADIUS reply data filter not working for client policies with friendly names.
    - Fixed software token expiration not working in challenged mode.
    - Fixed wrong log IDs (in log files) after receiving the U2F challenge response.
    - Added the %GROUPS% variable to the Auth Success URL setting.
    - Added a configuration for fetching RADIUS reply attributes from a web service URL.
      > Multiple URLs can be used for high-availability (requests are sent in parallel).
      > The response must contain comma-separated dictionary-enabled RADIUS value-pairs.
      > It is possible to return binary attributes in HEX with a '0x' prefix.

1.2.3
    - Added a RADIUS attributes' editor (replaced the ReplyData setting).
      > You need OpenOTP RADIUS Bridge v1.2.4 with this version of OpenOTP if you are
        using RADIUS attributes in ReplyData.
    - Added product categorization for WebADM v1.4.5.
    - Removed resynchronization for YubiKeys, which is not necessary.
    - Added an option allowing self-services to request MFA authentication only when
      an MFA method is usable (used by Self-Service Desk).
    - Added an option to disable transaction locks for stress tests.
    - Added OpenOTP service stress test tools in docs/stresstest/.

1.2.2
    - Admins can optionally set friendly names or short descriptions for U2F devices.
    - U2F uses embedded javascript and does not require the Google Chrome extension.
    - Fixed challenge session broken with no domain ID (default domain).
    - Fixed Manager method Domain Report ignoring domain parameter.
    - Added new variables to the challenge message template (USERNAME, USERID, USERDN).
    - Added an option to return the U2F reg data to the Windows Credential Provider.
    - Added support for private YubiCloud validation services.
    - Added support for WebADM user_level configurations in webadm.conf.
    - Fixed SMSHub request issues with multiple mobile numbers.
    - Enhanced the Token registration pages.
    - Fixed PSKC export failing with error "Only super admins can export PSKC".
    - Added automatic addition of YubiCloud Tokens in the Inventory during registration.
      > YubiCloud Tokens assigned to a user cannot be registered to another user anymore.

1.2.1
    - This version is designed for WebADM v1.4 and is not compatible with v1.3.
    - Added support for WebADM 1.4 admin roles for admin pages and manager methods.
    - Changed the SOAP encoding to RPC-literal for better compatibility with languages.
      > The API remains fully compatible with the previous RPC-encoded format.
    - Added support for the %USERID% and %USERDN% variables in user message templates.
    - OTP replay protection is enforced even if LDAP or PIN factors have failed.
    - Added support for contextual authentication with trusted sources and device IDs.
      See the 'Trusted Sources & Devices' setting in OpenOTP configurations for details.
    - Added support for national mobile phone numbers with Clickatell SMSC.
    - Allow U2F devices without an embedded X.509 certificate.
    - More efficient SMS & Mail prefetching mode.
    - Added automatic re-synchronization of time-based Tokens for TOTP, mOTP and OCRA.
      > Token time offset is auto-adjusted based on statistics to deal with time drift.
    - Fixed Token resynchronization and PIN change not available with more than 3 Tokens.
    - Added support for Plivo online SMS service (http://www.plivo.com).
    - Fixed international mobile number formatting issues.
    - Added support for OATH tokens supporting MD5 algorithm (ex. RedHat FreeOTP).
    - U2F method is automatically disabled when challenge mode is not supported.
    - The Auth Success URL can optionally return some reply data in JSON format.
      > If present these additional data are merged with the user/group reply data.
    - It is not possible to register an inventoried Token which is already registered on
      another user. The Token must be unlinked first from the Inventory.
    - When password concatenation was used, the openotpLogin response returns the length
      of the LDAP password in the 'concat' SOAP parameter.

1.2.0
    - Added full support of the U2F specification from FIDO Alliance (see documentation).
      > OpenOTP supports OTP and FIDO U2F authentication to be used concurrently.
      > MFA Login Mode is added for a combined support of OTP and U2F challenges.
      > The OpenOTP API has been changed and remains backward-compatible with v1.1.
        Please review the OpenOTP WSDL specification (openotp.wsdl) file for changes.
    - Re-organized graphical configuration sections.
    - Fixed openotp_token_qrcode Manager method issues with key sizes other than 160bits.
    - Removed the settings to enable/disable status requests. Status is always enabled.
    - Many code changes and optimizations.

1.1.5
    - Added support for Software Token expiration time and auto re-enrolment.
      > A new error message has been added to inform users when their Token has expired.
      > A default/user setting allows configuring the Software Token expiration time.
      > Manager methods are added in order to set/check Token expiration.
    - Added support for several Tokens enrolment with Google Authenticator.
    - Added a new setting to 'Enable User Login' to enable/disable OpenOTP for some users.
      > This setting replaces the 'DISABLED' Login Mode choice which is now removed.
      > Be sure to reconfigure all the users having their LoginMode set to DISABLED!
    - An already registered token cannot be registered twice on the same account.
    - In Manager method emerg_register, the 'time' is renamed to 'expires'.
    - Added support for Application Passwords like in Google 2FA model:
      When enabled, users can alternatively login with per-client application passwords.
      These are long and expirable random passwords to be generated in the Self-Services.

1.1.4
    - Added support for hardware encryption with Yubico YubiHSM.
      HSM hardware cryptography is currently used for:
      > Token seed generation.
      > SMS / Mail passwords and OCRA Challenges.
      > Token seed storage in the user metadata (AES-256-CBC mode).
    - Statistic user metadata are stored unencrypted.
    - OpenOTP assumes password de-concatenation with simpleLogin requests when Challenged
      OTP support is disabled.
      > You no longer need to configure password modes in RadiusBridge. Simply keep
        the default mode '0' and configure a Client Policy with Challenge Support disabled.
    - Added the possibility to combine LastOTP with the last used client IP.
    - Added support for password de-concatenation at the OTP server level when the client
      is configured not to support challenged OTP (with setting 'OTP Challenge Support').
    - Added the possibility to call a Web service URL to inform of a user login success.
    - Added actions for Admin and WebApps to de-activate and re-activate user Tokens.

1.1.3
    - ReplyData from groups are combined with the user values.
    - Fixed issues with the report tool (in bin/report).
    - Added Manager methods to get user statistics (like with the bin/report tool).
      > Method 'OpenOTP.User_Report' gets statistics for a user DN.
      > Method 'OpenOTP.Domain_Report' gets statistics for all users within a domain.
        The Manager method 'User_Report' can report the user blocking status.
    - Added user notification via email and/or SMS when a user account gets blocked.
    - Fixed some issues with the PSKC import tool.
    - Added Yubikey registration with WebADM Inventory (simply by pressing the Yubikey).
    - Added support for YubiCloud OTP validation service from Yubico.
    - The Manager method Yubikey_Register includes a mandatory parameter for public ID.
    - Added 'bin/yubi2inv' script to convert Yubikey CSV files to WebADM Token Inventory.
    - All the Web APIs support the 'lang' HTTP-GET parameter to force a language code.
      > Forcing a language overrides the user language defined in a language attribute.
    - Fixed user blocking emails (Send Blocking Email) not working correctly with challenges.
    - Changed the list of allowed values for Max Tries setting (from 0 to 10).
    - Added a Manager method 'User_Methods' allowing to get the OTP methods (OTPType)
      which are usable for a user.

1.1.2
    - New application architecture designed for WebADM v1.2.6.
    - Fixed Manager function Token_QRCode where HOTP and TOTP QR URIs are inverted.
    - Fixed challenge started instead of a failure on SMSC failure with OTP-only mode.
    - Added detection of expired Active Directory passwords.
    - Added support for client's friendly name to be displayed in challenge messages.
    - Adapted some admin page layouts for WebADM v1.2.5.
    - Reduced the challenge session ID length for better compatibility with RADIUS clients.
    - Added support for SafeNet eToken PASS OATH.
    - Fixed a bug with the registration of inventoried OCRA Tokens.
    - JSON API can be used in restful mode.
    - Fixed a wrong error message when a user session has been overridden and when the
      Challenge Session Lock option is disabled.
    - Added some help to the Manager interface methods (accessible under WebADM Infos menu).
    - Fixed the Manager method Prefix_Register not working.
    - OpenOTP honors ActiveDirectory account disabled flag.
    - Performance optimizations.

1.1.1
    - Added simple Hardware Token registration with serial numbers. This registration mode
      is highly recommended when dealing with large amounts of Hardware Tokens.
      It uses the WebADM Inventory. Token must also be imported to the Inventory.
    - Added the ability to use PIN+OTP in the LDAPOTP and OTP Login Modes.
      > Allows OTP passwords to be prefixed with a per-user alpha-numeric static PIN code.
      > 'OTP Prefix Required' setting must be enabled and users must register an OTP Prefix.
    - More checks on values for new PIN Code, OTP Prefix and Emergency OTP.
    - The bin/pskc tool now exports token data to Inventory CSV format.
    - The graphical PSKC import tool can export token data to Inventory CSV format.
    - OATH-OCRA Tokens support alphanumeric PIN codes.
    - Fixed PSKC exports.
    - Added the Block_Start Manager function to force blocking a user.
    - Fixed a minor issue with LASTOTP expiration time.
    - Fixed bin/report tool with multi-Tokens.

1.1.0
    - Any combination of OTPType and OTPFallback is now possible.
    - Added support for second and third Tokens.
      > OpenOTP is now able to handle up to three registered Tokens per user.
    - Enhancements to the user blocking system.
    - Enhancements to the OCRA algorithm.
    - Enhancements to the Password List display.
    - Added an option not to display the Password List's OTP ID in the challenge message.
    - OTP length 4 digits is removed.
    - Added the OpenOTPSimpleLogin API method for a simpler integration with client systems
      which are able to send only one password at a time.
    - Removed the Auto Password Swapping setting. This feature becomes obsolete with the
      openotpSimpleLogin API method.
    - Better file-based logging.
    - Major code rewrites and optimizations.

1.0.17
    - Added support for location-based policies in WebADM 1.2.3.
    - Added 'source' field to the API (please update your client implementations).
    - Removed commonly misinterpreted user locking log event.
    - Challenge Session Lock setting can be defined per user.
    - Improved login failure timer system.
    - Fixed a wrong SOAP parameter name in the SMSHub WSDL file.
      > Please update SMSHub to 1.0.9 with this version of OpenOTP.
    - Fixed a bug with OCRA (RFC-6287) Tokens.
    - Fixed PSKC Token import issues with some vendors' PSKC files.
    - Added XML-RPC API.
    - Multiple code enhancements.

1.0.16
    - Added support for newer WebADM 1.2.1 licensing.
    - Added a setting to enable user blocking alerts.
    - SMSOTP and MailOTP support users with multiple mobile numbers and email addresses.
    - Added a setting to customize the mail OTP subject.
    - Enhanced the user account unblocking action in WebADM Admin portal.
    - Added a Manager method for checking user account blocking status.
    - Fixed a wrong session expiration display in the soapd.log file.
    - Handle SMS concatenation for messages larger than 140 characters.
    - Fixed a problem in HOTP manual resynchronization with wrong OTP sequence entered.
    - Fixed a problem with JSON APIs and SMS OTP.
    - Fixed a problem with the PSKC token export.
    - New requests are allowed when a session is already started after a delay of 5 seconds.
      > Existing challenge session is dropped and the user does not have to wait for the
        challenge timeout to expire.
      > It is possible to activate the session duplicate protection for increased security
        with the new Challenge Session Lock setting.
    - Added a 'Service Name' setting to customize the Google Authenticator display name.
    - Added PDF OTP list export.

1.0.15
    - Updated for WebADM 1.2.
    - Added JSON-RPC 2.0 API.
    - Added support for WebADM 1.2.x Manager interface.

1.0.14
    - Fixed soapd.log displaying user password with SMSHub errors.
    - Uses the WebADM-1.1.3 email framework for MailOTP.
    - Added authentication failures count in user data (RejectCount).
    - Added JSON Web service API.
    - Fixed a WSDL namespace issue when imported in VisualStudio .NET.
    - Major code rewrites and optimizations.
    - Major fallback OTP enhancements.
      > TOKEN, LIST and LASTOTP fallback methods are now allowed with any OTPType.
      > The fallback is automatically disabled if the user data are missing.
    - SMS and Mail OTP support prefetched delivery mode (next OTP is sent after login).
    - LASTOTP has an expiration time.

1.0.13
    - Fixed OCRA problems with numeric challenges.
    - Enhancements compatible with WebADM 1.1.2.
    - Added a user action to re-activate blocked accounts.
    - Added password swapping feature for simpler RADIUS and PAM support.
    - Added emergency OTP password feature. Administrators can set an emergency OTP for users
      which cannot use their usual OTP Type and require access. Emergency passwords replace
      usual OTP for a configurable time period. After the period the OTP Type is restored.
    - Added an action to unregister a user Token (in the Register Token page).
    - Enhanced SMS/Mail OTP fallback system.
      > With TOKEN and LIST fallback modes, OpenOTP accepts both SMS/Mail and fallback OTPs.
        Users can now use their TOKEN or LIST fallback OTP when they do not receive the SMS,
        even when the SMSC acknowledged SMS delivery.
    - LastOTP user data stores OTP hash instead of OTP value.
    - Fixed PSKC import with OCRA Tokens.

1.0.12
    - Added RADIUS proxy functionality to ease migration to OpenOTP from another solution.
    - Fixed a problem with the PSKC import tool (bin/pskc).
    - Internal code enhancements and better error handling.
    - Added SHA256 and SHA512 key registration support for TOTP/OCRA Tokens.
    - Rewritten PSKC import tools to comply with IETF RFC-6030.
    - Added PSKC export to backup user Token information.
    - Added Client policies support for Trust domains.
    - Added support for WebADM Client objects with a default domain setting.
      > The openotpChallenge SOAP request method contains a new 'client' optional attribute.
        The client must be specified if the request contains no domain field and if a WebADM
        Client exists and has a Default Domain setting.
      > The WebApps: SelfDesk, SelfReg and OpenID must be updated to the latest version.
    - Updated documentations.

1.0.11
    - Added OTP List support.
    - Fixed minor text export problems for PSKC and OTP List.
    - Re-arranged setting list for better visibility.
    - Added -FALLBACK in challenge message in fallback mode.

1.0.10
    - Added OATH OCRA (Challenge Response) Token support.
    - Corrected 32bit OATH-HOTP counter limitation.
    - Added SHA256 and SHA512 algorithms for HOTP/TOTP.
    - Added possibility to register HOTP with hex counter.
    - Added TOTP resync utility.
      > OpenOTP computes the Token time offset and keeps the offset for OTP calculations.
    - Corrected a Fallback problem.
    - Corrected a BlockTime problem.
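
The TOTP resynchronization noted in 1.0.10 (a stored Token time offset) and the time-drift adjustment noted in 1.2.1 follow the pattern in this added example, which is built on RFC 6238 and is not OpenOTP's code. The two-consecutive-code requirement, the search width and all function names are assumptions made for illustration.

```python
import hashlib
import hmac
import struct

STEP = 30  # seconds per TOTP time step (RFC 6238 default)


def hotp(key, counter, digits=6, algo="sha1"):
    """RFC 4226 HOTP; TOTP is HOTP with counter = unix_time // STEP."""
    mac = hmac.new(key, struct.pack(">Q", counter), getattr(hashlib, algo)).digest()
    pos = mac[-1] & 0x0F                                   # dynamic truncation
    code = struct.unpack(">I", mac[pos:pos + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def same_code(expected, supplied):
    # Constant-time comparison; encode so non-ASCII input cannot raise.
    return hmac.compare_digest(expected.encode(), supplied.encode("utf-8", "replace"))


def resync(key, otp1, otp2, server_time, search_steps=20, digits=6):
    """Find the token clock offset in seconds, or None.

    Assumption: two consecutive codes are required, so widening the search
    to +/- search_steps does not make a single guessed code more likely
    to be accepted.
    """
    base = server_time // STEP
    for delta in sorted(range(-search_steps, search_steps + 1), key=abs):
        counter = base + delta
        if counter < 0:
            continue
        if (same_code(hotp(key, counter, digits), otp1)
                and same_code(hotp(key, counter + 1, digits), otp2)):
            return delta * STEP
    return None


def verify(key, otp, server_time, offset=0, window=1, last_counter=-1, digits=6):
    """Check a code using the stored offset and a narrow window.

    Returns the matched counter, which the caller stores as last_counter so
    the same or an older code is refused afterwards (replay protection).
    """
    base = (server_time + offset) // STEP
    for delta in range(-window, window + 1):
        counter = base + delta
        if counter > last_counter and same_code(hotp(key, counter, digits), otp):
            return counter
    return None


if __name__ == "__main__":
    # Constructed scenario using the RFC 6238 SHA-1 test key: the token's
    # clock runs 90 seconds ahead of the server.
    key = b"12345678901234567890"
    server_now = 1111111019
    offset = resync(key, "07081804", "14050471", server_now, digits=8)
    print("offset:", offset)
    print("without offset:", verify(key, "14050471", server_now + 2, digits=8))
    print("with offset:", verify(key, "14050471", server_now + 2, offset=offset, digits=8))
```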

1.0.9
    - Modified openotpChallenge API (see release notes for details).
    - Enhanced internal session handling.
    - Added Google Authenticator support with QRCode registration.
    - OpenOTP Token register enhancements.
    - Added QR Barcode-based Token key registration.
    - Fixed a Token change PIN bug.
    - Fixed Trust forwarding with remote domain name different than local domain name.
    - Added a web service setting to enable per-request user settings.
    - Added Data field in OpenOTP SOAP responses.
      Reply Data can be set on a LDAP user or group. It is used in
      Radius Bridge to send filtering data to a RADIUS client.
    - Client ID is now forwarded to SMSHub.

1.0.8
    - SMSC URL setting is renamed to SMS Address like in SMSHub.
    - Added more request parameter checks and error messages via SOAP faults.
    - Added Block Time settings to block users for an amount of time after n login failures.
    - Added a setting to activate the LDAP password protection by sending fake challenges in
      LDAPOTP Login Mode. The protection sends back SOAP challenges when the LDAP password
      fails, but does not send the SMS or email OTP. When activated, an attacker cannot tell
      whether the LDAP password entered was correct.
    - Request Blocking Timer setting is renamed Failure Blocking Timer.
    - Minor corrections.

1.0.7
    - Time-based Tokens algorithm enhancements.
    - Replaced SMSFallback setting by OTPFallback setting.
      Fallback is available for SMS and Mail and supports Token, SMS, Mail and LastOTP.
    - Added mail alerts for SMSC, mail, Trust or internal errors.
    - Added AccountLocked message.
    - Added more user setting consistency checks.
    - User data values are hidden in SOAP log.
    - More Token settings are adjustable per user.
    - Added SOAP fault handling.
    - Added PSKC key import system.

1.0.6
    This OpenOTP version requires a license file.
    Without license, it is limited to 15 users.
    Requires WebADM >= 1.0.5.
    - WebADM Trust Domains support (requires license).
    - Added SMS fallback with MailOTP.
    - Fixed SOAP faults handling problems.
    - Fixed a problem with OATH-TOTP.
    - Added SMS fallback to MailOTP.
    - Added email alerts.

1.0.5
    - Time-based Tokens replay protection enhancements.
    - Added Yubico YubiKey support.
    - Fixed a bug in the mOTP registration export functions.

1.0.4
    - HTTP proxy support for SMS gateways.
    - Sensitive user information is hidden in logs.
    - Fixed a JavaScript problem in the Token Register Admin page.

1.0.3
    - Support for Mobile-OTP Software Tokens (motp.sourceforge.net).
    - Support for WebADM SMSHub.
    - Uses the new WebADM 1.0.3 user locking.
    - Added an SMSC SOAP URL setting.
    - Added Token PIN change page for MOTP Tokens.

1.0.2
    - OpenOTP includes user edition pages to be used in the WebADM admin portal.
      The current admin pages include:
      > Token registration
      > Token Resynchronization
      > User login test
    - SMSType is now a public setting (application level or per-user level).
    - ValidFrom and ValidTo settings are now LDAP-only settings.

1.0.1
    - Added account blocking feature.
      You need to edit OpenOTP Configurations and set the AccountBlockedMessage.
    - Fixed a bug in Secure Mail (s/mime) sending functions.
    - Better user certificate handling.

1.0.0
    Initial OpenOTP release.