OpenOTP Authentication Server

Application passwords are long random keys that can be generated by the users in the Self-Services and are specific to a client application. These keys can be used as a replacement to the default login when the application does not support OTP nor FIDO2. The typical use-case is a mail server that is accessed via mobile devices. The mail clients on the devices are configured with the mail server application’s password to avoid entering the OTP password at every connection.

OpenOTP contextual authentication is able to intelligently lower the security requirement for a user login when a trusted context is validated. The trusted login context relies on the user’s IP addresses combined with client device fingerprints. When a login context is trusted, the user logs in with a single factor (the domain password). If a login failure occurs, multi-factor is enforced again.

With OpenOTP QRCode key provisioning, token self-registration has never been so easy. No manual Token configuration or secret key input is required: With OpenOTP Token, users register their Software Token simply by scanning a registration QRCode on their iOS or Android mobile device.

Software Token technologies require the end-user to download the mobile software, enroll the mobile Token on the authentication server, and sometimes resynchronize the OTP generator. OpenOTP includes end-user Web Applications (SelfDesk and SelfReg) for simplifying the deployment of your solution as much as possible. RCDevs’ Self Services provides self-management end-user portals to be published on your corporate or public network.

- The SelfDesk web app allows end-users to self-configure some personal settings, update their account information (ex. mobile number or email address), download, register and re sync their tokens.

- The SelfReg web app allows administrators to trigger a user email with a one-time self-registration URL. By clicking the URL and entering his password, the user can register, re sync and test tokens.

- The Password Reset web app allows users to securely reset their lost or expired Domain passwords with token / SMS OTP, PKI and even FIDO2.

- The Helpdesk web app allows federation of the 1st line of support. The Helpdesk support team can help end-users with basic needs such as changing their password, email, phone number etc... It also gives them access to their tokens and their settings, login history, SSO, SSH and PKI.

OpenOTP complies with the highest security requirements by supporting Hardware Security Modules (HSM). The YubiHSM hardware modules from Yubico (https://www.yubico.com/products/yubihsm/) can be used in order to enforce hardware cryptography in OpenOTP with AES encryption of Token seeds and true random generation for SMS/Email OTPs, OCRA challenges, OTP lists.The use of HSM modules in OpenOTP is 100% transparent and the migration to hardware cryptography can be done at any time without impacting your business. RCDevs WebADM server supports up to 8 HSM modules in the hot-plug mode for fault-tolerance and increased performance.

Trusts are special Domains that do not correspond to a set of local LDAP users but a set of users on a remote OpenOTP installation. The Trust system works like an authentication proxy for remote domains (within a trusted organization) and maps a local virtual Domain name to a remote Domain on another WebADM server.