Frequently Asked Questions
How do I use OpenOTP with my VPN?
Most VPN integrations must be done via RADIUS. Install OpenOTP RadiusBridge and see the RadiusBridge Admin Guide for integration details. With RadiusBridge, you can enable OpenOTP two-factor authentication with Juniper, Checkpoint, F5, Fortinet, Cisco, Palo Alto, Array, etc. RadiusBridge is also used to integrate any other RADIUS-enabled access portal, such as Citrix Access Gateway.
How do I use OpenOTP with my custom Web application?
If you need to integrate OpenOTP two-factor authentication into your own Web applications, you should use the OpenOTP SOAP or JSON API. It is a very simple integration API, documented in the OpenOTP Technical Specification. With the API specification and the provided examples, you should be able to implement OpenOTP in your application login page in an hour.
Can I use OpenOTP with Active Directory?
Of course! Microsoft Active Directory is one of the supported LDAP directories. See the WebADM Installation Guide to configure WebADM with your AD. Our Virtual Appliance can also easily be reconfigured to connect to your Active Directory servers.
How can I un-activate a user in WebADM?
The license counting in WebADM counts the activated users only. These are all the users with the webadmAccount objectclass present and which are part of one registered Domain. To un-activate a user, you must remove the webadmAccount objectclass from it: Edit the user. Choose "advanced edit mode". Check the webadmAccount objectclass in the attribute list and do "Apply Changes / Delete Selected". It will remove the webadmAccount objectclass from the user and WebADM will not count this user as activated.
Why do you provide a full version for free?
We want to help people secure their applications and business on the net. Also, with a new version free for up to 25 users, we offer a complete enterprise security solution which should cover the needs of a majority of small companies, organizations and individuals at minimal cost. We think internet security is a major concern today, and nice solutions exist with OATH or OpenID. There must be solutions for everyone, and we hope our initiative will make things move the right way.
Do I need to pay extra to use addons like OpenID, SAML or PAM?
Not at all! All the features and components are available with your OpenOTP user license. If you get 100 user licenses, you can download and use any integration plugin/add-on/library with your server. Even secondary servers for high availability are included with your user license.
How can I use my existing LDAP users with OpenOTP / SelfDesk?
To be able to use any WebADM application, an LDAP user must be a WebADM-enabled account. That means usable LDAP accounts are those containing the webadmAccount LDAP objectclass. You can enable the WebADM features on any LDAP user or group by extending it (in WebADM) with the webadmAccount objectclass (from the list of available object extensions).
What are the default WebADM URLs for Admin / WebApps / Web Services?
What are OTPs?
OTPs are one-time passwords. These passwords are randomly generated on demand, used once to log in, and expire after use.
Why use One Time Passwords?
One-time-passwords are significantly more secure and convenient than common static passwords. Static passwords are often not complex enough to be secure. In order to make them easy to remember, users tend to use the same password repeatedly or even write them down if forced to make use of complex passwords. This reduces their security and opens up the possibility of the password being cracked. Static passwords can also be captured by 'shoulder surfing' or Trojan keylogger applications. One-time-passwords are randomly generated on demand by the user, which immediately offers unique authentication in every instance. The password then expires immediately.
What happens if I generate OTPs and don't use them?
The OpenOTP server and the software token application will go out of sequence (out of 'sync') if more than 25 (configurable) OTPs are generated by the user but then not used to log in. In this case, a token resync is necessary in order for the user to log in again. Users can resync their token themselves with the 'User Self Service Desk' WebApp.
What is a token resync?
A token resync is an operation performed when the user has generated more than 25 OTPs on their software token application without using them to log in. In this case, the OpenOTP server and the token are out of sequence, and the user must resync in order to log in.
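The sketch below is an added illustration, not OpenOTP code: it shows how a look-ahead window and a resync behave for an event-based OATH HOTP token (RFC 4226). It assumes the token is HOTP and that resync takes two consecutive codes, as RFC 4226 suggests; `HotpVerifier`, `demo` and the 1000-step search range are hypothetical.

```python
import hashlib
import hmac
import struct

LOOK_AHEAD = 25  # unused OTPs tolerated before a resync is needed (FAQ default)

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP value for one counter."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

class HotpVerifier:
    """Hypothetical server-side state for one token (not OpenOTP's code)."""
    def __init__(self, secret: bytes, counter: int = 0):
        self.secret = secret
        self.counter = counter  # next counter value the server expects

    def verify(self, otp: str) -> bool:
        # Accept only codes within LOOK_AHEAD unused steps of the server counter.
        for c in range(self.counter, self.counter + LOOK_AHEAD + 1):
            if hmac.compare_digest(hotp(self.secret, c), otp):
                self.counter = c + 1  # this code and all skipped ones expire
                return True
        return False

    def resync(self, otp1: str, otp2: str, search: int = 1000) -> bool:
        # Two consecutive codes are required, so one guessed value
        # cannot move the counter.
        for c in range(self.counter, self.counter + search):
            if (hmac.compare_digest(hotp(self.secret, c), otp1)
                    and hmac.compare_digest(hotp(self.secret, c + 1), otp2)):
                self.counter = c + 2
                return True
        return False

def demo(unused: int) -> tuple:
    """Token generates `unused` codes that are never submitted, then logs in."""
    secret = b"12345678901234567890"  # RFC 4226 test key, constructed input
    server = HotpVerifier(secret)
    first_try = server.verify(hotp(secret, unused))
    resynced = first_try or server.resync(hotp(secret, unused + 1),
                                          hotp(secret, unused + 2))
    return first_try, resynced, server.counter

if __name__ == "__main__":
    print(demo(25), demo(26))
```

With 25 unused codes the next login still succeeds; with 26 it is rejected until the two following codes are supplied for resync.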
How does OpenOTP integrate to the system or resource I want to protect with strong authentication?
OpenOTP/WebADM uses various connectors, such as the RADIUS and SOAP/XML protocols.
How can we use our own LDAP?
The WebADM server uses your existing LDAP. There is no need to replicate data to another directory. WebADM supports any LDAPv3-compliant directory.
Are SMS messages reliable?
Yes. Nowadays, SMS messages are very reliable.
Currently OpenOTP provides connections to SMS service providers such as Clickatell, AQL, OVH, Mpulse, SMPP services and any custom SMSCs.
We can develop additional connectors on demand. Contact support in this case.
Can we combine LDAP passwords with OTP authentication?
Yes, assuming the passwords are stored in an LDAP-compliant directory (Microsoft ActiveDirectory, Novell eDirectory, OpenLDAP, etc.). It is recommended to use OpenOTP with both LDAP and OTP password checks for additional security. Another advantage of this combination is that it is extremely intuitive for end users. With this combination you can also prevent any malicious logins that could potentially lead to useless SMS messaging (see also 'Can someone spam me SMS messages if he knows my username?').
Can someone spam me SMS messages if he knows my username?
With OpenOTP, the authentication requires your LDAP password first. If someone enters a wrong LDAP password, the system will ask for the OTP as if the LDAP password was correct, but will not send the SMS or email. This mechanism ensures an attacker never knows which password was wrong (LDAP or OTP), and provides an anti-spam SMS / mail filter.
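The flow described above can be sketched as follows; this is an added example, not OpenOTP code. `TwoStepLogin`, the in-memory directory (standing in for the LDAP password check) and the `send_sms` callback are hypothetical, and the sample account is constructed.

```python
import secrets

class TwoStepLogin:
    """Hypothetical login front end (not OpenOTP's code)."""
    def __init__(self, directory: dict, send_sms):
        self.directory = directory  # stands in for the LDAP password check
        self.send_sms = send_sms    # callable(phone, otp)
        self.pending = {}           # session id -> expected OTP, or None

    def start(self, username: str, password: str) -> str:
        user = self.directory.get(username)
        ok = user is not None and secrets.compare_digest(
            user["password"].encode(), password.encode())
        session = secrets.token_hex(16)
        if ok:
            otp = f"{secrets.randbelow(10**6):06d}"
            self.send_sms(user["phone"], otp)  # SMS only after a valid password
            self.pending[session] = otp
        else:
            self.pending[session] = None       # no SMS; session can never succeed
        return session                         # caller always prompts for the OTP

    def finish(self, session: str, otp: str) -> bool:
        expected = self.pending.pop(session, None)  # one attempt per session
        return expected is not None and secrets.compare_digest(
            expected.encode(), otp.encode())

def demo() -> dict:
    sent = []  # records what would have gone to the SMS gateway
    # Constructed sample account.
    directory = {"alice": {"password": "correct horse", "phone": "+10000000000"}}
    flow = TwoStepLogin(directory, lambda phone, otp: sent.append((phone, otp)))

    bad = flow.start("alice", "wrong guess")   # same prompt, nothing sent
    sms_after_bad = len(sent)
    bad_login = flow.finish(bad, "000000")

    good = flow.start("alice", "correct horse")
    sms_after_good = len(sent)
    good_login = flow.finish(good, sent[-1][1])
    replay = flow.finish(good, sent[-1][1])    # OTP is gone after one use
    return {"sms_after_bad": sms_after_bad, "bad_login": bad_login,
            "sms_after_good": sms_after_good, "good_login": good_login,
            "replay": replay}

if __name__ == "__main__":
    print(demo())
```

Both branches return a session and an OTP prompt, so the response alone does not reveal whether the LDAP password was correct, and SMS volume is bounded by the number of valid password entries.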







