OpenOTP™ Authentication Server

OpenOTP™ is an enterprise-grade user authentication solution based on open technologies. OpenOTP provides multiple (highly configurable) authentication schemes for your LDAP Domain users. The Multi-Factor authentication relies on One-Time Password technologies (OTP) and Universal Second Factor (U2F).

The OpenOTP solution is composed of several components including WebADM, OpenOTP SOAP/XML/JSON Web service, OpenOTP Radius Bridge, the User Self-service Desk and Self-Enrollment end-user Web Applications.

OpenOTP provides an unbeatable combination of cost-efficiency, security and ease of use for corporate and Web application access.

Supported Mobile Devices (Software Tokens)

OpenOTP supports multiple One-Time Password standards (OATH HOTP/TOTP/OCRA, Mobile-OTP, YubiKey, SMSOTP or MailOTP). Software Tokens are provided by various publishers for any mobile platform such as:

  • Java Phones (J2ME)
  • Windows Mobile, Blackberry, Palm
  • Apple iPhone, iPad
  • Google Android

Click here for a list of compatible Free Software Tokens from various publishers.

Certified Hardware Tokens

OpenOTP supports a large variety of OATH Hardware Tokens from many Token manufacturers.
In fact, any Token working in OATH HOTP/TOTP or OCRA mode is compatible.
  • RCDevs RC200
  • c100 | c200
  • 300 | 500
  • e1010 | t1020 | e2010
  • Vasco Digipass GO6 | GO3
  • Yubikey Standard | Neo | FIDO U2F Security Key

Please contact us for Hardware OTP/U2F Solutions.

Where to Use OpenOTP

OpenOTP provides SOAP, XML-RPC, JSON, JSON-RPC and RADIUS interfaces. The SOAP API is provided with a WSDL service description file. It is also very simple to implement OpenOTP One-Time Password functionalities into your existing Web applications. Sample login pages are available in the Downloads section.

You can use OpenOTP with:
  • Web Applications (Java, PHP, ASP, .Net... integration)
  • VPNs (Checkpoint, Cisco, Nortel, Juniper, F5, OpenVPN...)
  • Citrix Access Gateway & Web Interface
  • Microsoft Reverse-Proxies (TMG/UAG)
  • Microsoft ADFS (Exchange, Sharepoint...)
  • Linux PAM (SSH, FTP, OpenVPN, PPTP, POP/IMAP...)
  • Windows Login (Credential Provider for Vista, 7, 8)
  • Web-based Products (SugarCRM, Joomla, Wordpress, RoundCube, Magento...)
  • OpenID-enabled Web Sites (OpenID Provider)
  • SAML and Google Apps (With SimpleSAML Plugin)
  • Amazon Elastic Compute Cloud (EC2)
  • Any other system (Using our simple integration libraries)

QRCode Key Provisioning

With OpenOTP QRCode key provisioning, Token self-registration has never been so easy. No manual Token configuration or secret key input is required:
  • With Google Authenticator, users register their Software Token simply by scanning a registration barcode on their iPhone or Android mobile.
  • With other Software Tokens, users simply scan the displayed Token Key with a barcode reader and copy/paste it to their Token key for registration.

OpenOTP WebApps

Software Token technology requires the end-user to download the mobile software, register the initial Token Key on the authentication server, and sometimes to resynchronize the OTP generator.
OpenOTP includes end-user Web Applications (SelfDesk and SelfReg) for simplifying the deployment of your solution as much as possible. SelfDesk is an end-user self-management portal to be plugged into WebADM, and published on your corporate or public network.

SelfDesk allows end-users to self-configure some personal settings, update their account information (e.g. mobile number or email address), and download, register and resync their Software Tokens.
SelfReg is another WebApp where administrators can send a user an email with a one-time self-registration URL. By clicking the URL and entering their password, the user can register, resync and test a Software Token.

Hardware Security Modules

OpenOTP complies with the highest security requirements by supporting Hardware Security Modules (HSM). The YubiHSM hardware modules from Yubico (https://www.yubico.com/products/yubihsm/) can be used to enforce hardware cryptography in OpenOTP, with AES encryption of Token seeds and true random generation for SMS/Email OTPs, OCRA challenges and OTP lists.

The use of HSM modules in OpenOTP is 100% transparent and the move to hardware cryptography can be done at any time without impacting your business. RCDevs WebADM server supports up to 8 HSM modules in hot-plug mode for fault-tolerance and increased performance.

OpenOTP Trusted Domains

Trusts are special Domains which do not correspond to a set of local LDAP users but a set of users on a remote OpenOTP installation. The Trust system works like an authentication proxy for remote domains (within a trusted organization) and maps a local virtual Domain name to a remote Domain on another WebADM server.

Other Key Features

  • Supports OATH Event-based (HOTP), Time-based (TOTP) and Challenge-Response (OCRA) One-time Password standards.
  • Supports FIDO Universal Second Factor (U2F).
  • Includes PSKC Hardware Tokens (Vasco, Feitian...) key import system.
  • Includes Hardware Token simple registration via serial number with WebADM Tokens Inventory.
  • Software Token simple registration via QRCode scanning with Google Authenticator.
  • Supports Mobile-OTP Software Tokens with PIN Code.
  • Supports Yubikeys from Yubico.
  • Supports SMS, Mail and Secure Mail One-time Password (on-demand & prefetched).
  • SOAP/XML & JSON API (with WSDL service description) over HTTP/HTTPS.
  • RADIUS API for VPNs and RADIUS-compatible devices (See OpenOTP Radius Bridge).
  • OpenID API for OpenID-enabled websites (See OpenID Provider).
  • Domain support with mappings to LDAP subtrees, LDAP groups or dedicated directories.
  • Trust Domains allowing authentication to be securely relayed to another trusted OpenOTP server.
  • Per-client application policies (group-based access control & authentication policy).
  • Supports multiple LDAP datasources (at the same time).
  • Supports hardware security modules with Yubico YubiHSM.
  • No replication/import/synchronization of LDAP users. Our solutions use your LDAP users and groups.
  • OpenOTP settings (security policies and Token types) can be adjusted per user or group in LDAP.
  • Built-in replay attack protection for Time-based Tokens.
  • Many configurations available, adjustable per server/domain/group/user/client.
  • Support for both LDAP direct and indirect (Active Directory) groups.
  • Sensitive user data (such as Token keys) are encrypted in LDAP with AES-256.
  • Geolocation of user accesses with Google map reporting.
  • SMSOTP supports Clickatell, AQL, OVH, Mpulse SMS gateways (with SMSHub).
  • SMSOTP supports any SMPP-TR SMS gateways (with SMSHub).
  • Per-user location policies (IP address geolocation).
  • Possibility to add any other HTTP or SOAP-based SMS Gateways (with SMSHub).
  • OTP fallback mechanisms for SMS and Mail OTP (works with SMSC or mobile delivery failures).
  • Emergency OTP (auto-expirable password with configurable life-time).
  • PIN-protected OTPs (variable length and format).
  • Includes high availability SMS gateway (SMSHub) for failover, load-balancing and custom SMSCs.
  • User sessions locking and session duplicates protection (for clustered configurations).
  • Customizable end-user messages for emails, SMS, SOAP, RADIUS messages.
  • Full multilingual support for end-user messages with Unicode and UTF-8 (per-user language support).
  • Comprehensive logging and accounting in SQL (accessible from the powerful WebADM Log Viewer).
  • Configurable user blocking timers and blocking policies for authentication failures.
  • Uses WebADM network Session Manager with AES-256 encrypted user sessions.
  • Designed for scalability (supports failover and load-balancing).
  • Easy installation, update and configuration in RCDevs WebADM.
  • Mail and SQL system alerts.
  • True random code generator.