OpenOTP Authentication Server

OpenOTP Authentication Server

OpenOTP™ Server (Multi-Factor with OTP & FIDO2)

OpenOTP™ is an enterprise-grade user authentication solution based on open standards.

OpenOTP is the most advanced authentication server for your Domain users. It supports the combination of single-factor and multi-factor authentication for user access with One-Time Password technologies (OTP), Mobile Push, FIDO2, Voice Biometrics, PKI and more.
It includes a set of integration plugins and bridges which cover near 100% of the enterprise needs.
OpenOTP is provided as an Enterprise product and a Cloud service, depending on your needs.

Try it Now!

Your solution for
Your solution for
Discover RCDevs OpenOTP Security Suite

Secure all your IT with one solution

RCDevs helps you

Secure your Domain users

OpenOTP Authentication Server - 2FA Multi factor Authentication Server - RCDevs
OpenOTP provides interfaces including SOAP with a WSDL service description file, REST, JSON-RPC, LDAP and RADIUS.

It is very easy to implement OpenOTP One-Time Password and/or FIDO2 functionalities into your existing Web Applications. Additional integration software from RCDevs provides support for Windows, ADFS, Linux, and even Network Access Control (NAC) like WiFi. Integration can be done with SAML2, OpenID Connect and OAuth.

OpenOTP Authentication Server provides the most advanced OTP authentication system supporting simple registration with QRCode scan, Software Token based on OATH standards, and Approve/Deny login with push notifications. For software token registration, you must have an OTP authentication token application installed on your phone (OpenOTP Token recommended).

OpenOTP Token is the official software token to enjoy all features offered by the OpenOTP server (like push login, phishing protection, etc…).
For hardware tokens, any OATH Token based on HOTP, OCRA, or TOTP server works with OpenOTP.

Main Features

Supports any OATH Hardware or Software Token (HOTP, TOTP or OCRA)
Supports Mobile-OTP Software Tokens with PIN code
Supports all Yubikeys from Yubico
Supports FIDO2
Supports SMS, Mail and Secure Mail OTP (on-demand & prefetched)
Secure Token Inventory with easy graphical management in WebADM
Up to 10 simultaneous Tokens per-user (Hardware / Software)
PSKC Hardware Token seed import system (Vasco, Feitian, Gemalto…)
Easy Hardware Token registration via serial number
Easy Software Token registration via QRCode scanning
Intelligent contextual authentication with IP address and device fingerprint
Application-specific password for mobile applications not supporting OTP
SOAP, REST & JSON native APIs over HTTPS with WSDL service description
RADIUS for VPNs and RADIUS-enabled systems (OpenOTP Radius Bridge)
OpenID API for OpenID-enabled websites (OpenID Service Provider)
SAMLv2 IdP with POST redirections and IdP-initiated requests
Domain segregation with mappings to LDAP subtrees or dedicated LDAP
Trust Domains allowing authentication to be relayed to another OTP server
Per-client, group and network authentcation policies
Group-based access control & authentication policies
Support hardware security modules with Yubico YubiHSM
Data consistency with no replication/import/synchronization of LDAP users
Advanced replay attack protection for Tokens
Many configurations adjustable per server, domain, group, user, client
Two-Factor with challenged OTP or password concatenation
Support for both LDAP direct and indirect (Active Directory) groups
Signature of Attached Contract
Voice Biometrics Authentication
Integrated PKI
Fallback OTP Methods
Mobile Badging & Badging IAM Policies
Contextual Authentication
Mobile Push Authentication
RCDevs' OpenOTP Token for Android and iOS provides convenient authentication workflows with mobile push notifications. Our software Token was designed for the best user experience with two additional operating modes: - In standard mode, OpenOTP Token displays a 6 or 8 digit OTP code. - In Mobile Push mode, OpenOTP Token displays an Approve/Deny screen allowing the user to log-in with just one push. Best of all, OpenOTP Token is able to enforce biometric protection and anti-phishing attack notifications using the user's access location.
Application Passwords
Application passwords are long random keys that can be generated by the users in the Self-Service Desk and are specific to a client application. These keys can be used as a replacement to the default login when the application does not support OTP or FIDO2. The typical use-case is a mail server that is accessed via mobile devices. The mail clients on the devices are configured with the mail server application’s password to avoid entering the OTP password at every connection.
Contextual Authentication
OpenOTP contextual authentication is able to intelligently lower the security requirement for a user login when a trusted context is validated. The trusted login context relies on the user’s IP addresses combined with client device fingerprints. When a login context is trusted, the user logs in with a single factor (the domain password). If a login failure occurs, multi-factor is enforced again.
QRCode Key Provisioning
With OpenOTP QRCode key provisioning, token self-registration has never been so easy. No manual Token configuration or secret key input is required: With OpenOTP Token, users register their Software Token simply by scanning a registration QRCode on their iOS or Android mobile device.
OpenOTP Web Apps
Software Token technologies require the end-user to download the mobile software, enroll the mobile Token on the authentication server, and sometimes resynchronize the OTP generator. OpenOTP includes end-user Web Applications (Self-Desk and Self-Reg) to simplify the deployment of your solution as much as possible. RCDevs’ Self Services provide self-management end-user portals to be published on your corporate or public network.

- The Self-Desk Web App allows end-users to self-configure some personal settings, update their account information (ex. mobile number or email address), download, register and re sync their tokens.

- The Self-Reg Web App allows administrators to trigger a user email with a one-time self-registration URL. By clicking the URL and entering his password, the user can register, re sync and test tokens.

- The Password Reset Web App allows users to securely reset their lost or expired Domain passwords with token / SMS OTP, PKI and even FIDO2.

- The Help-Desk Web App allows federation of the 1st line of support. The Helpdesk support team can help end-users with basic needs such as changing their password, email, phone number etc... It also gives them access to their tokens and their settings, login history, SSO, SSH and PKI.
Hardware Security Modules
OpenOTP complies with the highest security requirements by supporting Hardware Security Modules (HSM). The YubiHSM hardware modules from Yubico ( can be used in order to enforce hardware cryptography in OpenOTP with AES encryption of Token seeds and true random generation for SMS/Email OTPs, OCRA challenges, OTP lists. The use of HSM modules in OpenOTP is 100% transparent and the migration to hardware cryptography can be done at any time without impacting your business. RCDevs WebADM server supports up to 8 HSM modules in the hot-plug mode for fault-tolerance and increased performance.
OpenOTP Trusted Domains
Trusts are special Domains that do not correspond to a set of local LDAP users but a set of users on a remote OpenOTP installation. The Trust system works like an authentication proxy for remote domains (within a trusted organization) and maps a local virtual Domain name to a remote Domain on another WebADM server.
OpenOTP provides interfaces including SOAP, REST, JSON-RPC and RADIUS. The native SOAP API is extremely simple and is provided with a WSDL service description file.

It is also very easy to implement OpenOTP One-Time Password and/or FIDO2 functionalities into your existing Web applications.

Additional integration software from RCDevs provides support for Windows, ADFS, Linux and even WiFi access.

Web Applications (Java, PHP, ASP, Python, .Net…)
VPNs & SSL-VPNs (Checkpoint, Cisco, Nortel, Juniper, F5, Palo-Alto…)
OpenVPN Variants & PFsense + RCDevs MFAVPN
Citrix Access Gateway & Web Interface
Microsoft ADFS & Office 365
Microsoft ADFS (Exchange, Sharepoint…)
Web Products (SugarCRM, Joomla, WordPress, RoundCube, Magento…)
OpenID-Connect and SAMLv2 federate Web Application
Windows login, Terminal Services and RDS (with offline access & optional passwordless)
Cloud Applications (SalesForce, AWS, SharePoint, Google, Office 365, GitLAb, Slack…)
Enterprise WiFi Access (with EAP-GTC and EAP-TTLS-PAP)
Amazon Elastic Compute Cloud (EC2 / AWS)
Any other system (Using our simple integration libraries)
Authentication Plugin for Nextcloud & Owncloud
All legacy application supporting LDAP authentication
SSH server access (via RCDevs SpanKey)