  OpenOTP Changelog

File: Changelog_openotp.txt
Size: 37 KBytes
MD5: 8B3C2F2DFC655E4E7681BCA242BE4CC5

1.4.6
    - This update is required for WebADM version >= 1.7.6.
    - Close remaining session slot when overriding a confirmation request.
    - Close mobile Token approve page when confirming with the fallback OTP.
    - Added support for branded Mobile Token with several branding options.
    - Optionally prevent Google Authenticator and RCDevs Token from being used
      alongside branded tokens.
    - Fixed REST/JSON Confirmation API not working in asynchronous mode.
    - Added address and localtime in cancelled confirmation responses.
    - Push Login and synchronous Confirmation use the new WebADM inter-process
      message queuing. This improves performance by limiting the number of
      session manager calls while waiting for mobile responses.
    - Confirmation forms must be provided base64-encoded.
    - SuccessURL is called with user confirmation cancel.
    - Compatibility with third-party Mobile Tokens (e.g. Google Authenticator)
      is now disabled by default (i.e. setting 'Compatibility Mode').
    - Added a detached registration mode to the Token registration admin page.
      > Detach mode can optionally require an enrolment PIN code.
    - Multiple code optimizations related to Push Login and session timeouts.
    - Re-scoped some application settings.
      > If you configured blocking policies or geo-fencing on a user or group,
        please configure it in the application or client policy.
    
1.4.5
    - Fixed new Push Id update with latest RCDevs Mobile Token for Android.
    - Fixed issues for Android push IDs.
      > The RCDevs team apologizes for any inconvenience and issues due to
        the move to the Firebase Push notification protocol for Android.
    - Added HTML form support for user questions in confirmation requests.
    - Added a configuration for confirmation options. Options are:
      > Offline: Allow the mobile to issue a fallback confirmation OTP.
      > Address: GPS address at the signing location.
      > Localtime: Date and time at the signing location.
      > Signature: Handwritten signature image.
      > Paraph: Handwritten signature paraph.
      > Comment: Prompt for a comment on confirmation reject.
    - Added the possibility to disable a FIDO device.
    - The Manager method 'user_methods' takes care of disabled/expired Tokens.
    - Added a Manager method to get the list of registered OTP Tokens.
    - Added a Manager method to get the list of registered FIDO Devices.
    - New confirmation with the same data overrides any previous confirm session.
    
1.4.4
    - New confirmation workflows and API (100% compliant with PSD2 regulations).
    - Allow multiple confirmation transactions at a time for a single user.
    - Added support for asynchronous QRCode confirmations with a testing tool.
    - Added support for synchronous QRCode confirmations.
    - Added an optional document attachment to the confirmation APIs.
      > The file can be downloaded and reviewed during the confirmation request.
      > The latest OpenOTP Mobile Token is required in order to use the feature.
    - Added a timeout parameter to the confirmation methods.
      > Default confirmation timeout is the MobileTimeout plus an extra 30 secs.
    - Confirmation OTPs are now 8 characters instead of 8 digits (more secure).
    - Confirmation responses are encrypted with AES-128 and per-session vectors.
    - WebADM records are created for confirmations with all the transaction data.
    - Added confirmation metadata (address, handwritten signature, local time).
    - Fixed problems with FIDO U2F/FIDO2 enrolment via the Manager API.
    - Added the possibility to configure several RADIUS hosts for RADIUS proxy.
    - Added optional 'SuccessURL' to inform a remote system of a login success.
    - Fixed LDAPU2F LoginMode returning a combined OTP & U2F challenge.
    - Added support for WebADM cluster-level caching API.
    - Multiple internal code optimizations for both login and confirmation.
    - All mobile Tokens are notified for success/failure with SimplePush login.
    
1.4.3
    - Added support for WebADM v1.7 (it does not work with previous versions).
    - Fixed deferred email/SMS OTP not sent in fallback mode.
    - Added optional max usage count for emergency OTPs.
    - Fail immediately if SMS/mail sending fails and no fallback method is configured.
    - Fixed 'user under transaction' issue when mail/SMS is set as fallback method.
    - Fixed SMS/mail fallback delay issues with Windows login plugin.
    - All pushed data like location or client Id are now encrypted.
      > Requires the latest RCDevs Mobile Token version for iOS and Android.
    - OTP PIN Prefix is now stored in binary format.
    - Fixed OTP challenge type when PIN Prefix is wrong.
    - Internal U2F and FIDO2 optimizations.
    
1.4.2
    - Allow devices with an internal TPM like Apple MacBook to be used as FIDO2 devices.
      > The integrated FIDO device is the TouchID reader combined with the TPM chip.
    - If not set to U2F, FIDO2 is now the default FIDO operating mode.
    - Removed trust domain support (feature dropped in the upcoming WebADM 1.7.0).

1.4.1-4
    - Fixed 'user under transaction' issue with Push Token with Mail or SMS fallback.
    - Fixed token closing too early with OTP retries in display mode.
    - Fixed broken FIDO2 registration with Yubikey5.
    - Added offline confirmation retries.
    - Added confirmation support with Trust domains.
    - Added framework functions for Emergency OTP registration via SelfDesk.
    - Manager methods 'Prefix_Register' and 'Emerg_Register' can optionally generate
      the new PIN/OTP and now return the PIN/OTP value instead of 'true' on success.
    - Added a FIDO2 compatibility mode which allows legacy U2F devices like Yubikey4
      to be registered and used in FIDO2 mode.

1.4.1
    - Added a challenge retry option.
    - Simplified the WSDL protocol description (required for retries).
      > OpenOTP Challenge responses are now identical to login responses.
      > Multiple challenges can be returned for the retries.
      
1.4.0
    - OpenOTP now supports FIDO2 devices from any vendor.
      > The admin pages and self-services, and RCDevs OpenID/SAML identity provider
        have been updated for FIDO2 support.
      > FIDO2 will be added to ADFS later on.
    - Removed MOTP Tokens' support.
    - Fixed intelligent PUSH suspend not working with SMS and MAIL fallbacks.
    - Enhancement to the U2F (FIDO1) support.
    
1.3.12
    - Fixed fallback SMS/Email not being sent with 'cancel deferred SMS' message.
    - Added support for offline confirmation workflow with OpenOTP Mobile Token.
    - Removed SMSHub custom URL, username and password settings (not needed anymore).
    - Added password reset links when user password expired or must be changed.
    - Removed SMS SenderNumber and email SenderAddress settings.
      > The SMS sender number is now configurable in SMShub only.
      > The email sender address is configured via the 'org_from' in webadm.conf.
    - Fixed Trusted U2F Devices feature not working on Chrome version >= 66.
    - RADIUS Proxy requests can optionally send another LDAP user ID attribute.
    - RADIUS Proxy requests forward OTP Pin Prefix and concatenated passwords.
    
1.3.11
    - Added an offline confirmation method (with QRCode scan on RCDevs Mobile Token).
    - Added asynchronous confirmations (to be used for upcoming SpanKey features).
    - Fixed Password Reset with OpenOTP authentication failing when AD account is locked.
    - Added support for AD DisplayName attribute.
    - Confirmations and authentications can be executed concurrently for the same user.
    - Authentication and confirmation sessions' optimizations.

1.3.10
    - Fixed one issue with Windows CP when configured not to check LDAP password on AD.
    - Do not allow logins for user accounts locked in ActiveDirectory (Lockout policy).
    - Added Auth Cancel message template returned when users deny a SimpleLogin request.
      > You need to re-apply your OpenOTP configuration in WebADM after upgrade.
    - Added support for RCDevs LDProxy with LDAP MountPoints.
    - Added a geo-fence protection feature preventing access from distant locations
      within a configurable time frame.
    
1.3.9
    - Fixed Authorization URL and RADIUS Reply URL timeout issues.
    - Added support for RCDevs' OpenOTP LDAP Bridge version 1.0.8.
    - Fixed SimplePush login with SimpleLogin method when challenge mode is not enabled.
    - The success notification URL has been removed and replaced by 'Authorization URL'.
      > The authorization URL is called before the user authentication to validate the
        user access information. It can also be used to implement complex access control
        which WebADM client policies cannot handle.
      > The authorization endpoint may return ACCEPT or REJECT with an optional parameter:
        'ACCEPT:LoginMode=LDAPOTP' can be used to pass user settings like LoginMode.
        'REJECT:error message' can be used to log the reject reason in OpenOTP.
    - Added geolocated country code (LOCATION) parameter to RADIUS Reply URL.
    - Fixed error 'Invalid NowaitState' introduced with OpenOTP v1.3.8.
    - Added %SENDER% variable to Authorization URL and RADIUS Reply URL containing the
      requestor host IP address (i.e. Host IP in WebADM SQL logs).
    - Added concatenated password support when SimplePush Login is used.
     
1.3.8
    - Added a Confirmation API allowing applications to trigger mobile approvals.
      > The confirmation payload is sent encrypted to the mobile phones.
      > The confirmation response includes the payload hash (sign what you see).
    - Added a client policy option to allow only hardware tokens and U2F devices.
    - SimplePush approval wait time is automatically disabled when the mobile Token
      does not receive the push notification or another device is used.
      > SimplePush is automatically re-enabled when the push notification is received.
    - Added support for Simple Push login when OTP challenge is disabled.
    - Added compatibility with newer CURL version in WebADM v1.6.1.
    - Added support for the upcoming RCDevs VPN server with U2F support.
    - Added support for LDAP reply attributes of type IP address encoded as longint.
    - Manager API allows the registration of RCDevs mobile Token in online mode.
    - Fixed private YubiCloud not working when only one URL is configured.
    - Added support for Apple & Android Push Id renewals (requires WebADM v1.6.2).
    
1.3.7
    - Added support for WebADM v1.6 (this version does not run on previous WebADM).
    - Added vendor filtering for U2F devices' registration in WebApps.
      > Yubico and Feitian vendors are currently supported.
    - Major performance enhancements to the internal binary data handling.
    - Added a protection preventing expired application passwords from blocking user.
    - Non-expiring application passwords are not supported anymore.
    - Added support for Simple Push login with PIN Prefix feature enabled.
      > Requires the latest version of RCDevs mobile OTP Token.
    - Added support for Cisco ASA servers not supporting 30 seconds' timeouts.
      > You need RADIUS Bridge version 1.3.2 to enable this feature!
    - Added temporary access password feature allowing users to login with a
      time-limited passkey, overriding the default LDAP+OTP policy.
      > This feature is usable only via the Manager method OpenOTP.TmpKey_Register.
    - Mobile Push approve/deny wait time can be configured per client policy.
      > This setting has been moved to the Authentication Policy config section.
    - Added SelfReg registration when no OTP Token / U2F Device is registered.

1.3.6
    - Added support for new options in Credential Provider version 1.1.6.
    - Added support for upcoming Credential Provider offline login mode.
    - Fixed broken Secure Mail (s/mime encryption) feature.
    
1.3.5
    - Added Mobile Signature Service (MSS) support with Swisscom MobileID services.
      Use 'MobileID' as SMS Delivery mode in order to use the MSS login method.
      > MobileID SMS delivery mode cannot be used with SMS as fallback OTP method
    - Removed SMSC configurations (SMSHub is now required for SMS features).
    - Fixed mobile push notification sent even when Token has expired.
    - Mobile Endpoint & U2F AppID URLs are auto-generated with WAProxy configurations.
    - Added user Id & domain metadata in the RCDevs Software Token registration process
      > Reserved for upcoming Windows integration products.
    - Simple Push login cannot be used with Token defined as fallback OTP method.
    - Check certificate hostname for private YubiCloud with HTTPS.
    - Added support for HTML challenge messages for Mail OTP.
      > The challenge message template must start with the '<HTML>' tag.
    - Several internal workflow optimizations.
    - New RCDevs Token logo image.
    
1.3.4
    - Added support for RadiusBridge credential cache feature (see RB documentation).
    - LDAP credential cache for RadiusBridge handles Reply Attributes' URL correctly.
    - Fixed token expiration which should not be available for hardware tokens.
    - OTP List goes to the next OTP only when all factors are successful.
    - Updated Yubicloud trusted SSL certificate.
    - Fallback SMS and Mail are deferred when used as fallback method.
      > Messages are canceled when the primary method is used in the next 10 seconds.
      > SMSCount & MailCount metadata are dropped because they are incompatible with this feature.
    - OpenOTP sends the received NAS-Identifier / Client ID to the RADIUS proxy server.
    - Added localized messages API compliance with WebADM v1.5.10.
    
1.3.3
    - The Token Mobile Endpoint and U2F AppId URLs are now available under the WebADM
      HTTPS URL and not under the Web service URL anymore. The new U2F AppID and Token
      URLs are now https://yourserver/ws/appid/ and https://yourserver/ws/openotp/.
      > This change is required for public endpoints to use WebADM custom certificates.
      > WAProxy URLs are not impacted but you need WAProxy 1.1.1 with this version.
    - Added context expiration and lifetime parameters for the contextual authentication.
    - Added PIN Prefix support for Simple-Push login (requires newer OpenOTP Token).
    - Added an option to configure which user attribute should be sent to a remote RADIUS
      server with PROXY OTP Type.
    - Fixed an issue with U2F FacetID behind a WAProxy server (some facets are missing).
    - Added options to Manager user report methods for returning AD password expiration.

1.3.2
    - Updated the U2F challenge API to be more suitable with FIDO-Javascript v1.1.
      > The format of the U2F challenges returned by OpenOTP has changed.
      If you developed your own Web login forms with U2F and OpenOTP, please look at
      the example in doc/examples/loginform.zip in order to update your existing code.
    - Added error IDs to the error responses (required for our latest Windows credential
      provider with the password reset feature).
    - Fixed unhandled SOAP timeout issues in webapp exported methods.
    - Added support for Simple-Push with the RCDevs ADFS plugin.
    - Added support for WebADM service protocol API version checking.

1.3.1
    - Added geolocation data to push requests (required for phishing protection on Android).
    - Extended the Simple-Push wait time to 20 seconds (instead of 15 seconds).
    - Replaced the settings 'Send Blocking Email' and 'Send Blocking SMS' by the common
      setting 'Send Blocking Notification'.
      > The 'Send Blocking Notification' can be set to mail, SMS or mail+SMS.
    - Added a setting 'Send Expire Notification' for expired LDAP passwords and OTP Tokens.
    - Added an email message template for expired LDAP passwords.
    - Disabled account blocking on login failure when the OTP Token expired.
    - OpenOTP validates the mobile clock during the enrolment of the OpenOTP Software Token.
    
1.3.0
    - Added support for RCDevs Mobile Authenticator (mobile Token with Push Login).
      > OpenOTP now supports push notification-based login with the new Push OTP methods.
      > Standard OTP login with HOTP and TOTP authentication supports push notifications.
    - Uses the new WAPI framework from WebADM 1.5.0.
    - Minor bug fixes for Manager methods.
    - Removed the 'Update Inventory' button in the Token registration admin page.
    - SQL audit log displays which Token instance was used in an authentication success.
    - Fixed client-filtered RADIUS reply attributes not working with client aliases.
    - Renamed the service 'MFA Authentication Server'.
    - Allow Emergency OTP longer than the configured OTP length.
    - Added a 'NOLOCK' option to disable transaction locks (for server status polling).
    - Prevent administrators from registering an OTP Token or U2F Device on a slot which
      is already registered. Administrators need to un-register first.
    - OTP prefix must be numeric characters.
    - SMS Sender ID can contain any printable characters.
    - Prefetched SMS/Email message uses Service Name instead of the Client Name.
    - Fixed RADIUS reply data filter not working for client policies with friendly names.
    - Fixed software token expiration not working in challenged mode.
    - Fixed wrong log IDs (in log files) after receiving the U2F challenge response.
    - Added the %GROUPS% variable to the Auth Success URL setting.
    - Added a configuration for fetching RADIUS reply attributes from a web service URL.
      > Multiple URLs can be used for high availability (requests are sent in parallel).
      > The response must contain comma-separated dictionary-enabled RADIUS value-pairs.
      > It is possible to return binary attributes in HEX with a '0x' prefix.
    
1.2.3
    - Added a RADIUS attributes' editor (replaced the ReplyData setting).
      > You need OpenOTP RADIUS Bridge v1.2.4 with this version of OpenOTP if you are
        using RADIUS attributes in ReplyData.
    - Added product categorization for WebADM v1.4.5.
    - Remove resynchronization for Yubikeys which is not necessary.
    - Added an option allowing self-services to request MFA authentication only when
      an MFA method is usable (used by Self-Service Desk).
    - Added an option to disable transaction locks for stress tests.
    - Added OpenOTP service stress test tools in docs/stresstest/.

1.2.2
    - Admins can optionally set friendly names or short descriptions for U2F devices.
    - U2F uses embedded javascript and does not require the Google Chrome extension.
    - Fixed challenge session broken with no domain ID (default domain).
    - Fixed Manager method Domain Report ignoring domain parameter.
    - Added new variables to the challenge message template (USERNAME, USERID, USERDN).
    - Added an option to return the U2F reg data to the Windows Credential Provider.
    - Added support for private YubiCloud validation services.
    - Added support for WebADM user_level configurations in webadm.conf.
    - Fixed SMSHub requests issues with multiple mobile numbers.
    - Enhanced the Token registration pages.
    - Fixed PSKC export failing with error "Only super admins can export PSKC".
    - Added automatic addition of YubiCloud Tokens in the Inventory during registration.
      > YubiCloud Tokens assigned to a user cannot be registered to another user anymore.

1.2.1
    - This version is designed for WebADM v1.4 and is not compatible with v1.3.
    - Added support for WebADM 1.4 admin roles for admin pages and manager methods.
    - Changed the SOAP encoding to RPC-literal for better compatibility with languages.
      > The API remains fully compatible with the previous RPC-encoded format.
    - Added support for the %USERID% and %USERDN% variables in user message templates.
    - OTP replay protection is enforced even if LDAP or PIN factors have failed.
    - Added support for contextual authentication with trusted sources and device IDs.
      See the 'Trusted Sources & Devices' setting in OpenOTP configurations for details.
    - Added support for national mobile phone numbers with Clickatell SMSC.
    - Allow U2F devices without an embedded X.509 certificate.
    - More efficient SMS & Mail prefetching mode.
    - Added automatic re-synchronization of time-based Tokens for TOTP, mOTP and OCRA.
      > Token time offset is auto-adjusted based on statistics to deal with time drift.
    - Fixed Token resynchronization and PIN change not available with more than 3 Tokens.
    - Added support for Plivo online SMS service (http://www.plivo.com).
    - Fixed international mobile number formatting issues.
    - Added support for OATH tokens supporting MD5 algorithm (ex. RedHat FreeOTP).
    - U2F method is automatically disabled when challenge mode is not supported.
    - The Auth Success URL can optionally return some reply data in JSON format.
      > If present these additional data are merged with the user/group reply data.
    - It is not possible to register an inventoried Token which is already registered on
      another user. The Token must be unlinked first from the Inventory.
    - When password concatenation was used, the openotpLogin response returns the length
      of the LDAP password in the 'concat' SOAP parameter.

1.2.0
    - Added full support of the U2F specification from FIDO Alliance (see documentation).
      > OpenOTP supports OTP and FIDO U2F authentication to be used concurrently.
      > MFA Login Mode is added for a combined support of OTP and U2F challenges.
      > The OpenOTP API has been changed and remains backward-compatible with v1.1.
        Please review the OpenOTP WSDL specification (openotp.wsdl) file for changes.
    - Re-organized graphical configuration sections.
    - Fixed openotp_token_qrcode Manager method issues with key sizes other than 160bits.
    - Removed the settings to enable/disable status requests. Status is always enabled.
    - Many code changes and optimizations.

1.1.5
    - Added support for Software Token expiration time and auto re-enrolment.
      > A new error message has been added to inform users when their Token has expired.
      > A default/user setting allows to configure the Software Token expiration time.
      > Manager methods are added in order to set/check Token expiration.
    - Added support for several Tokens enrolment with Google Authenticator.
    - Added a new setting to 'Enable User Login' to enable/disable OpenOTP for some users.
      > This setting replaces the 'DISABLED' Login Mode choice which is now removed.
      > Be sure to reconfigure all the users having their LoginMode set to DISABLED!
    - An already registered token cannot be registered twice on the same account.
    - In Manager method emerg_register, the 'time' is renamed to 'expires'.
    - Added support for Application Passwords like in Google 2FA model:
      When enabled, users can alternatively login with per-client application passwords.
      These are long and expirable random passwords to be generated in the Self-Services.
    
1.1.4
    - Added support for hardware encryption with Yubico YubiHSM.
      HSM hardware cryptography is currently used for:
      > Token seed generation.
      > SMS / Mail passwords and OCRA Challenges.
      > Token seed storage in the user metadata (AES-256-CBC mode).
    - Statistic user metadata are stored unencrypted.
    - OpenOTP assumes password de-concatenation with simpleLogin requests when Challenged
      OTP support is disabled.
      > You no longer need to configure password modes in RadiusBridge. Simply keep
      the default mode '0' and configure a Client Policy with Challenge Support disabled.
    - Added the possibility to combine LastOTP with the last used client IP.
    - Added support for password de-concatenation at the OTP server level when the client
      is configured not to support challenged OTP (with setting 'OTP Challenge Support').
    - Added the possibility to call a Web service URL to inform of a user login success.
    - Added actions for Admin and WebApps to de-activate and re-activate user Tokens.

1.1.3
    - ReplyData from groups are combined with the user values.
    - Fixed issues with the report tool (in bin/report).
    - Added Manager methods to get user statistics (like with the bin/report tool).
      > Method 'OpenOTP.User_Report' gets statistics for a user DN.
      > Method 'OpenOTP.Domain_Report' gets statistics for all users within a domain.
      The Manager method 'User_Report' can report the user blocking status.
    - Added user notification via email and/or SMS when a user account gets blocked.
    - Fixed some issues with the PSKC import tool.
    - Added Yubikey registration with WebADM Inventory (simply by pressing the Yubikey).
    - Added support for YubiCloud OTP validation service from Yubico.
    - The Manager method Yubikey_Register includes a mandatory parameter for public ID.
    - Added 'bin/yubi2inv' script to convert Yubikey CSV files to WebADM Token Inventory.
    - All the Web APIs support the 'lang' HTTP-GET parameter to force a language code.
      > Forcing a language overrides the user language defined in a language attribute.
    - Fixed user blocking emails (Send Blocking Email) not working correctly with challenges.
    - Changed the list of allowed values for Max Tries setting (from 0 to 10).
    - Added a Manager method 'User_Methods' allowing to get the user OTP methods (OTPType)
      which are usable for a user.

1.1.2
    - New application architecture designed for WebADM v1.2.6.
    - Fixed Manager function Token_QRCode where HOTP and TOTP QR URIs are inverted.
    - Fixed challenge started instead of a failure on SMSC failure with OTP-only mode.
    - Added detection of expired Active Directory passwords.
    - Added support for client's friendly name to be displayed in challenge messages.
    - Adapted some admin page layouts for WebADM v1.2.5.
    - Reduced the challenge session ID length for better compatibility with RADIUS clients.
    - Added support for SafeNet eToken PASS OATH.
    - Fixed a bug with the registration of inventoried OCRA Tokens.
    - JSON API can be used in restful mode.
    - Fixed a wrong error message when a user session has been overridden and when the
      Challenge Session Lock option is disabled.
    - Added some help to the Manager interface methods (accessible under WebADM Infos menu).
    - Fixed the Manager method Prefix_Register not working.
    - OpenOTP honors ActiveDirectory account disabled flag.
    - Performance optimizations.

1.1.1
    - Added simple Hardware Token registration with serial numbers. This registration mode
      is highly recommended when dealing with large amounts of Hardware Tokens.
      It uses the WebADM Inventory. Token must also be imported to the Inventory.
    - Added the ability to use PIN+OTP in the LDAPOTP and OTP Login Modes.
      > Allows OTP passwords to be prefixed with a per-user alpha-numeric static PIN code.
      > 'OTP Prefix Required' setting must be enabled and users must register an OTP Prefix.
    - More checks on values for new PIN Code, OTP Prefix and Emergency OTP.
    - The bin/pskc tool now exports Token data to Inventory CSV format.
    - The graphical PSKC import tool can export Token data to Inventory CSV format.
    - OATH-OCRA Tokens support alphanumeric PIN codes.
    - Fixed PSKC exports.
    - Added the Block_Start Manager function to force blocking a user.
    - Fixed a minor issue with LASTOTP expiration time.
    - Fixed bin/report tool with multi-Tokens.

1.1.0
    - Any combination of OTPType and OTPFallback is now possible.
    - Added support for second and third Tokens.
      > OpenOTP is now able to handle up to three registered Tokens per user.
    - Enhancements to the user blocking system.
    - Enhancements to the OCRA algorithm.
    - Enhancements to the Password List display.
    - Added an option not to display the Password List's OTP ID in the challenge message.
    - OTP length 4 digits is removed.
    - Added the OpenOTPSimpleLogin API method for a simpler integration with client systems
      which are able to send only one password at a time.
    - Removed the Auto Password Swapping setting. This feature becomes obsolete with the
      openotpSimpleLogin API method.
    - Better file-based logging.
    - Major code rewrites and optimizations.

1.0.17
     - Added support for location-based policies in WebADM 1.2.3.
     - Added 'source' field to the API (please update your client implementations).
     - Removed commonly misinterpreted user locking log event.
     - Challenge Session Lock setting can be defined per user.
     - Improved login failure timer system.
     - Fixed a wrong SOAP parameter name in the SMSHub WSDL file.
       > Please update SMSHub to 1.0.9 with this version of OpenOTP.
     - Fixed a bug with OCRA (RFC-6287) Tokens.
     - Fixed PSKC Token import issues with some vendor's PSKC files.
     - Added XML-RPC API.
     - Multiple code enhancements.
     
1.0.16
     - Added support for newer WebADM 1.2.1 licensing.
     - Added a setting to enable user blocking alerts.
     - SMSOTP and MailOTP support users with multiple mobile numbers and email addresses.
     - Added a setting to customize the mail OTP subject.
     - Enhanced the user account unblocking action in WebADM Admin portal.
     - Added a Manager method for checking user account blocking status.
     - Fixed a wrong session expiration display in the soapd.log file.
     - Handle SMS concatenation for messages larger than 140 characters.
     - Fixed a problem in HOTP manual resynchronization with wrong OTP sequence entered.
     - Fixed a problem with JSON APIs and SMS OTP.
     - Fixed a problem with the PSKC token export.
     - New requests are allowed when a session is already started after a delay of 5 seconds.
       > Existing challenge session is dropped and the user does not have to wait for the
       challenge timeout to expire.
       > It is possible to activate the session duplicate protection for increased security
       with the new Challenge Session Lock setting.
     - Added a 'Service Name' setting to customize the Google Authenticator display name.
     - Added PDF OTP list export.

1.0.15
     - Updated for WebADM 1.2.
     - Added JSON-RPC 2.0 API.
     - Added support for WebADM 1.2.x Manager interface.
     
1.0.14
     - Fixed soapd.log displaying user password with SMSHub errors.
     - Uses the WebADM-1.1.3 email framework for MailOTP.
     - Added authentication failures count in user data (RejectCount).
     - Added JSON Web service API.
     - Fixed a WSDL namespace issue when imported in VisualStudio .NET.
     - Major code rewrites and optimizations.
     - Major fallback OTP enhancements.
       > TOKEN, LIST and LASTOTP fallback methods are now allowed with any OTPType.
       > The fallback is automatically disabled if the user data are missing.
     - SMS and Mail OTP support prefetched delivery mode (next OTP is sent after login).
     - LASTOTP has an expiration time.

1.0.13
     - Fixed OCRA problems with numeric challenges.
     - Enhancements compatible with WebADM 1.1.2.
     - Added a user action to re-activate blocked accounts.
     - Added password swapping feature for simpler RADIUS and PAM support.
     - Added emergency OTP password feature. Administrators can set an emergency OTP for users
       which cannot use their usual OTP Type and require access. Emergency passwords replace
       usual OTP for a configurable time period. After the period the OTP Type is restored.
     - Added an action to unregister a user Token (in the Register Token page).
     - Enhanced SMS/Mail OTP fallback system.
       > With TOKEN and LIST fallback modes, OpenOTP accepts both SMS/Mail and fallback OTPs.
         Users can now use their TOKEN or LIST fallback OTP when they do not receive the SMS,
         even when the SMSC acknowledged SMS delivery.
     - LastOTP user data stores OTP hash instead of OTP value.
     - Fixed PSKC import with OCRA Tokens.

1.0.12
     - Added RADIUS proxy functionality to ease migration to OpenOTP from another solution.
     - Fixed a problem with the PSKC import tool (bin/pskc).
     - Internal code enhancements and better error handling.
     - Added SHA256 and SHA512 key registration support for TOTP/OCRA Tokens.
     - Rewrote PSKC import tools to comply with IETF RFC 6030.
     - Added PSKC export to backup user Token information.
     - Added Client policies support for Trust domains.
     - Added support for WebADM Client objects with a default domain setting.
       > The openotpChallenge SOAP request method contains a new 'client' optional attribute.
         The client must be specified if the request contains no domain field and if a WebADM
         Client exists and has a Default Domain setting.
       > The WebApps: SelfDesk, SelfReg and OpenID must be updated to the latest version.
     - Updated documentation.

1.0.11
     - Added OTP List support.
     - Fixed minor text export problems for PSKC and OTP List.
     - Re-arranged setting list for better visibility.
     - Added -FALLBACK in challenge message in fallback mode.

1.0.10
     - Added OATH OCRA (Challenge Response) Token support.
     - Corrected 32bit OATH-HOTP counter limitation.
     - Added SHA256 and SHA512 algorithms for HOTP/TOTP.
     - Added possibility to register HOTP with hex counter.
     - Added TOTP resync utility.
       > OpenOTP computes the Token time offset and keeps the offset for OTP calculations.
     - Corrected a Fallback problem.
     - Corrected a BlockTime problem.
     
1.0.9
     - Modified openotpChallenge API (see release notes for details).
     - Enhanced internal session handling.
     - Added Google Authenticator support with QRCode registration.
     - OpenOTP Token register enhancements.
     - Added QR Barcode-based Token key registration.
     - Fixed a Token change PIN bug.
     - Fixed Trust forwarding with remote domain name different than local domain name.
     - Added a web service setting to enable per-request user settings.
     - Added Data field in OpenOTP SOAP responses.
       Reply Data can be set on an LDAP user or group. It is used in
       Radius Bridge to send filtering data to a RADIUS client.
     - Client ID is now forwarded to SMSHub.
     
1.0.8
     - SMSC URL setting is renamed to SMS Address like in SMSHub.
     - Added more request parameter checks and error messages via SOAP faults.
     - Added Block Time settings to block users for an amount of time after n login failures.
     - Added a setting to activate the LDAP password protection by sending fake challenges in
       LDAPOTP Login Mode. The protection sends back SOAP challenges when the LDAP password
       fails, but does not send the SMS or email OTP. When activated, an attacker cannot tell
       whether the LDAP password entered was correct.
     - Request Blocking Timer setting is renamed Failure Blocking Timer.
     - Minor corrections.
     
1.0.7
     - Time-based Tokens algorithm enhancements.
     - Replaced SMSFallback setting by OTPFallback setting.
       Fallback is available for SMS and Mail and supports Token, SMS, Mail and LastOTP.
     - Added mail alerts for SMSC, mail, Trust or internal errors.
     - Added AccountLocked message.
     - Added more user setting consistency checks.
     - User data values are hidden in SOAP log.
     - More Token settings are adjustable per user.
     - Added SOAP fault handling.
     - Added PSKC key import system.
     
1.0.6
     This OpenOTP version requires a license file.
     Without license, it is limited to 15 users.
     Requires WebADM >= 1.0.5.
     - WebADM Trust Domains support (requires license).
     - Added SMS fallback with MailOTP.
     - Fixed SOAP faults handling problems.
     - Fixed a problem with OATH-TOTP.
     - Added SMS fallback to MailOTP.
     - Added email alerts.
     
1.0.5
     - Time-based Tokens replay protection enhancements.
     - Added Yubico YubiKey support.
     - Fixed a bug in the mOTP registration export functions.
     
1.0.4
     - HTTP proxy support for SMS gateways.
     - Sensitive user information is hidden in logs.
     - Fixed a JavaScript problem in the Token Register Admin page.
     
1.0.3
     - Support for Mobile-OTP Software Tokens (motp.sourceforge.net).
     - Support for WebADM SMSHub.
     - Uses the new WebADM 1.0.3 user locking.
     - Added an SMSC SOAP URL setting.
     - Added Token PIN change page for MOTP Tokens.
     
1.0.2
     - OpenOTP includes user edition pages to be used in the WebADM admin portal.
       The current admin pages include:
       - Token registration
       - Token Resynchronization
       - User login test
     - SMSType is now a public setting (application level or per-user level).
     - ValidFrom and ValidTo settings are now LDAP-only settings.
     
1.0.1
     - Added account blocking feature.
       You need to edit OpenOTP Configurations and set the AccountBlockedMessage.
     - Fixed a bug in Secure Mail (s/mime) sending functions.
     - Better user certificate handling.
     
1.0.0
     Initial OpenOTP release.