
MultiOTP

Authentication system From Wikipedia, the free encyclopedia


multiOTP is an open source PHP class, a command-line tool, and a web interface that can be used to provide an operating-system-independent, strong authentication system. multiOTP has been OATH-certified since version 4.1.0 and is developed under the LGPL license. Starting with version 4.3.2.5, multiOTP open source is also available as a virtual appliance: as a standard OVA file, as a customized OVA file with open-vm-tools, and as a virtual machine image that can run on Microsoft's Hyper-V, a common native hypervisor on Windows computers.


A QR code is generated automatically when printing the user-configuration page.


Overview

Spyware, viruses and other hacking technologies or bugs (such as Heartbleed) are regularly used to steal passwords. If a strong two-factor authentication system is used, a stolen password cannot be stored and replayed later, because each one-time password is valid for only one authentication session and will fail if tried a second time.[1]

multiOTP is a PHP class library. The class can be used with any PHP application running PHP version 7.4.0 or higher. The multiOTP library is provided as an all-in-one, self-contained file that requires no other includes. If the strong authentication needs to be done from a hardware device instead of an Internet application, the request goes through a RADIUS server which calls the multiOTP command-line tool. The implementation is light enough to work on resource-constrained computers such as the Raspberry Pi.


History

2010

  • Version 1.0.0 of 7 June 2010 was only a basic command-line tool called otpauth, already written in PHP. The tool was renamed multiotp a few days later, in version 1.1.4, to avoid confusion with another project of the same name.
  • Version 2.0.0 of 19 July 2010 was completely rewritten as a PHP class, and the command-line tool became an implementation of the class. Under Windows operating systems, the command-line tool is an executable that bundles the source code and the PHP interpreter in a single file. This version received the phpclasses.org Innovation Award in August 2010.[2]
  • Releases up to version 3.1.1 of 19 December 2010 enhanced PSKC provisioning and added MySQL backend database support.

2011

  • Version 3.9.2 of 25 October 2011 is the version that was released for the workshop about integrating strong authentication in Internet applications. This workshop was presented during the Application Security Forum - Western Switzerland 2011 in Yverdon-les-Bains (Switzerland).[3]
  • Releases up to version 4.0.7 of 30 August 2013 added many enhancements: a client/server feature with local cache storage of the definition files of the tokens in use, a completely new implementation of MySQL support (including database table creation and update), CHAP authentication (in addition to PAP authentication), QR code generation for direct provisioning in Google Authenticator, and fast creation of a user in a single command.

2013

  • Version 4.0.9 of 22 September 2013 was an intermediate release that was used to demonstrate the concept of strong authentication in several forums, such as a Rump Session during the Application Security Forum - Western Switzerland 2013 in Yverdon-les-Bains (Switzerland)[4] and a 45-minute talk during the Studerus Technology Forum (TEFO) 2013 in Zürich (Switzerland).[5]
  • Version 4.1.0 of 23 December 2013 is finally OATH certified for HOTP and TOTP, which means full compatibility with certified hardware tokens, including encrypted PSKC provisioning files. This beta version was used for a 30-minute talk during PasswordsCon 2013 in Bergen (Norway).[6][7] Instructions and all necessary files to build a strong authentication server device on a Raspberry Pi nano-computer are included. Self-registration of unattributed hardware tokens and automatic resync/unlock during authentication were also added, and a basic web interface is now available.

2014

  • Releases up to version 4.3.1.1 of 15 December 2014 added support for the MS-CHAP and MS-CHAPv2 protocols, added Active Directory / LDAP support in order to create accounts for users present in a particular group, and enhanced the web interface to import hardware tokens, create accounts, synchronize tokens and unlock accounts. Extended support of TekRADIUS was added in order to return specific attributes, which is useful for MS-CHAP or MS-CHAPv2 connections. It is now also possible to define in the configuration file which fields must be encrypted. Some external classes were updated or replaced, and many new QA tests were added, both for the PHP class and the command-line versions. A simple CSV token import was added, as was AD/LDAP password support (instead of a static PIN only). Yubico OTP was also added, including key import using the log file produced by the Yubico Personalization Tool. A special CLI proxy was added to speed up the Raspberry Pi implementation, and generic LDAP support was added (for example Synology and every Linux-based implementation). This version was used on 4 November 2014 during a training session of the Application Security Forum - Western Switzerland 2014 in Yverdon-les-Bains (Switzerland).[8] The multiOTP project is now also available on GitHub.[9]

2015

  • Releases up to version 4.3.2.4 of 24 June 2015 automated multi_account support when synchronizing with AD/LDAP. A ready-to-use virtual appliance is now provided in standard OVA format, with open-vm-tools integrated, and also in Hyper-V format. Presented during Dev(Talks): 2015 in Bucharest (Romania).[10]

2016

  • Releases up to version 5.0.3.0 of 14 November 2016 added Dial-In IP address support (including synchronisation with the Active Directory msRADIUSFramedIPAddress attribute), enhanced the token import process with binary encryption key support, and enhanced several options.

2017

  • Releases up to version 5.0.5.6 of 4 November 2017 enhanced the AD/LDAP synchronisation process for huge AD/LDAP directories by using disk caching in the system temporary folder by default. Several CLI commands can now be run at once. PostgreSQL support was added, based on source code provided by Frank van der Aa.

2018

  • Releases up to version 5.4.0.2 of 13 November 2018 enhanced the import of PSKC definition files with a binary decoding key file and added support for several SMS providers (Swisscom LA REST, Afilnet, Clickatell2, eCall, Nexmo, NowSMS, SMSEagle and custom SMS). A Dockerfile is now provided.

2019

  • Releases up to version 5.4.1.8 of 29 March 2019 added Access-Challenge support, Raspberry Pi 3B+ support and Debian 9.x (stretch) support.

2020

  • Releases up to version 5.8.0.2 of 20 September 2020 added a generic web-based SMS provider definition, automatic purge of non-existent AD/LDAP users, and support for Debian Buster 10.5, PHP 7.3 and the Raspberry Pi 4B.

2021

  • Releases up to version 5.8.3.2 of 18 November 2021 enhanced multiOTP Credential Provider support, added new VM support (Debian Bullseye 11.0, PHP 7.4, FreeRADIUS 3.0.21, Nginx 1.18.0), added compatibility with the new multiOTP Credential Provider, detect a Credential Provider request and force the no-prefix option, added eDirectory LDAP server support, disabled weak SSL ciphers, enhanced Docker support, and fixed some specific HOTP/TOTP computation errors.

2022

  • Releases up to version 5.9.5.3 of 31 December 2022 enhanced multiOTP Credential Provider support, enhanced the SMS library, added support for the special Without2FA group, fixed various issues, added support for Hyper-V, enhanced Docker support (also for Synology), and added Raspberry Pi Debian Bullseye 11 support.

2023

  • Releases up to version 5.9.7.1 of 3 December 2023 enhanced AD/LDAP paging support, added a customizable AD/LDAP filter, added on-premises open-source smsgateway support, enhanced the backup process, enhanced Raspberry Pi support, added documentation for Linux SSH login, updated several internal tools, enhanced the Windows version with new and updated tools, and added some command-line options.

2024

  • Releases up to version 5.9.8.0 of 26 August 2024 added new SMS provider support, added PHP 8.2+ support, and cleaned up code deprecated in PHP 8.2+.

2025

  • Releases up to version 5.10.0.3 of 3 November 2025 added Message-Authenticator support, as required at least by FortiGate v7.2.10+, enhanced multiOTP Credential Provider support, cleaned up code deprecated in PHP 8.2+, added Debian Trixie 13 support, added push support with the multiOTP token App and the multiOTP gateway service, and added various configuration options.

2026

  • Version 6.x introduces a completely new web GUI, based on VueJS/Vuetify.

Features

For Windows, the multiOTP library is provided with a pre-configured RADIUS server (freeradius) which can be installed as a service. A pre-configured web service (based on mongoose) can also be installed as a service and is needed if the library is to be used in a client/server configuration. Under Linux, the readme.txt file provided with the library indicates what should be done to configure the RADIUS server and the web service. All necessary files and instructions are also provided to make a strong authentication device using a Raspberry Pi nano-computer. Since version 4.3.2.5, a ready-to-use virtual appliance is provided in standard OVA format, with open-vm-tools integrated, and also in Hyper-V format. The client can strongly authenticate on an application or a device using different methods:

  • software tokens (like Google Authenticator)
  • hardware tokens (any OATH/HOTP and OATH/TOTP certified token, like NagraID tokens, and some other non-certified but compatible tokens, like Feitian C200 time based tokens)
  • code sent per SMS (since version 4.0.4)
  • scratch passwords list (since version 4.0.4)
  • YubiKey in proprietary Yubico OTP mode (since version 4.3)
  • without2FA for accounts that do not need strong authentication (since 5.3)
  • push authentication using the multiOTP token App and the multiOTP gateway service (since 5.10)

Standardization and normalization

multiOTP is Initiative For Open Authentication certified for HOTP and TOTP and currently supports the following algorithms and RFCs:

  • HOTP, HMAC-based one-time password (RFC4226)
  • TOTP, time-based one-time password (RFC6238)
  • Google Authenticator (OATH/HOTP or OATH/TOTP, base32 seed, QRcode provisioning)
  • SMS tokens (using aspsms, clickatell, intellisms, or a local provider)
  • PSKC, Additional Portable Symmetric Key Container Algorithm Profiles (RFC6030)
  • CHAP, Challenge Handshake Authentication Protocol (RFC1994)
  • MS-CHAP, Microsoft PPP CHAP Extensions (RFC2433)
  • MS-CHAPv2, Microsoft PPP CHAP Extensions, version 2 (RFC2759)
  • Syslog protocol (client; RFC5424)
  • SMTP, Simple Mail Transfer Protocol (RFC2821)
  • SMTP Service Extension for Secure SMTP over TLS (RFC2487)

Scope of the class


The multiOTP class provides strong authentication functionality and can be used in different strong authentication situations:

  • Adding strong authentication to identify a user (avoiding static passwords)
  • Fixing a hardware token at a specific place to prove that somebody was there at a specific time (the token code displayed at that time gives information about where it was displayed)
  • Authenticating a user by sending a code via SMS, which also automatically validates the user's mobile phone number
  • Automatically creating strong authentication accounts for users present in a specific group of the Active Directory (or LDAP)

Several free projects use the library:

  • Since November 2016, the multiOTP team provides an up-to-date Credential Provider for Windows 7/8/8.1/10/2012(R2)/2016, with options like RDP only and UPN name support, called multiOTP Credential Provider,[11] based on the MultiOneTimePassword Credential Provider[12] created by Last Squirrel IT.
  • ownCloud OTP[13] is a One Time Password app based on the multiOTP class that adds strong authentication to the ownCloud project, an open source Dropbox alternative.
  • 2FA Credential Provider for Windows[14] is another strong authentication Credential Provider for Windows Login using the multiOTP library.
  • The multiOTP class has been used as a learning tool in security demonstrations[15] and in a Bachelor thesis.[16]
