MultiOTP

multiOTP
	multiOTP open source web interface (5.4.1.7)
Developer(s)	SysCo systèmes de communication sa
Initial release	7 June 2010;14 years ago
Stable release	5.8.1.1 / 14 March 2021;3 years ago
Written in	PHP
Operating system	Linux, Microsoft Windows
Platform	IA-32, x86-64, ARM, Raspberry Pi
Type	Strong two-factor OTP Authentication server
License	LGPL
Website	www.multiotp.net

Last updated June 23, 2024

multiOTP is an open source PHP class, a command line tool, and a web interface that can be used to provide an operating-system-independent, strong authentication system. multiOTP is OATH-certified since version 4.1.0 and is developed under the LGPL license. Starting with version 4.3.2.5, multiOTP open source is also available as a virtual appliance—as a standard OVA file, a customized OVA file with open-vm-tools, and also as a virtual machine downloadable file that can run on Microsoft's Hyper-V, a common native hypervisor in Windows computers.^{[ jargon ]}

Overview

Spyware, viruses and other hacking technologies or bugs (such as Heartbleed) are regularly used to steal passwords. If a strong two-factor authentication system is used, the stolen passwords cannot be stored and later used because each one-time password is valid for only one authentication session, and will fail if tried a second time.^[1]

multiOTP is a PHP class library. The class can be used with any PHP application using a PHP version of 5.3.0 or higher. The multiOTP library is provided as an all-in-one self-contained file that requires no other includes. If the strong authentication needs to be done from a hardware device instead of an Internet application, a request will go through a RADIUS server which will call the multiOTP command line tool. The implementation is light enough in order to work on limited computers, such as the Raspberry Pi.

History

2010

Version 1.0.0 of 7 June 2010 was only a basic command line tool called otpauth, already written PHP. The tool has been renamed to multiotp in version 1.1.4 some days later in order to avoid confusion with another project with the same name.
Version 2.0.0 of 19 July 2010 has been completely rewritten as a PHP class, and the command line tool became an implementation of the class. Under Windows operating systems, the command line tool exists as an executable file including in one file the source code and the PHP interpreter. This version received the phpclasses.org Innovation Award in August 2010.^[2]
Version 3.0.0 of 2 September 2010 allowed PSKC unencoded provisioning files import and the internal structure had been improved.
Version 3.1.1 of 19 December 2010 allowed data storage in a MySQL backend database.

2011

Version 3.2.0 of 6 July 2011 allowed to authenticate with a generic account and by passing the specific user and the password in the password field (useful if the library is used with a Windows authentication which needs a specific user).
Version 3.9.2 of 25 October 2011 is the version that was released for the workshop about integrating strong authentication in Internet applications. This workshop was presented during the Application Security Forum - Western Switzerland 2011 in Yverdon-les-Bains (Switzerland).^[3] The library has also been used to validate and distribute^[4] the seed of the tokens given by Feitian, the sponsor of the event. Each participant had to give an email address, a mobile phone number, a token serial number and the OTP code displayed on the token, than an encrypted email was sent to the participant and the encryption key was sent by SMS.
Version 4.0.7 of 30 August 2013 added a lot of enhancements, like a client/server feature with a local cache storage of the definition files of the used tokens, a completely new implementation of the MySQL support (including database tables creation and update), CHAP authentication (in addition to PAP authentication), QRcode generation for direct provisioning in Google Authenticator, and fast creation of a user in a single command.

2013

Version 4.0.9 of 22 September 2013 was an intermediate release that has been used to demonstrate the concept of strong authentication in several forums like a Rump Session during the Application Security Forum - Western Switzerland 2013 in Yverdon-les-Bains (Switzerland)^[5] and 45 minutes talk during the Studerus Technology Forum (TEFO) 2013 in Zürich (Switzerland).^[6]
Version 4.1.0 of 23 December 2013 is OATH certified for HOTP and TOTP, which means full compatibility with certified hardware tokens, including encrypted PSKC provisioning files. This beta version has been used for a 30 minutes talk during the PasswordsCon 2013 in Bergen (Norway).^[7]^[8] Instructions and all necessary files to build a strong authentication server device on a Raspberry Pi nano-computer are included. Self-registration of unattributed hardware tokens and automatic resync/unlock during authentication have also been added, and a basic web interface is now also available.

2014

Version 4.1.1 of 20 January 2014 provided some bug fixes and a better support of Microsoft Authenticator. Resyncing a token (using two consecutive OTPs) didn't need the PIN code anymore.
Version 4.2.0 of 7 February 2014 supported MS-CHAP and MS-CHAPv2 protocols.
Version 4.2.1 of 14 February 2014 added Active Directory / LDAP support in order to create accounts based on users present in a particular group.
Version 4.2.2 of 3 March 2014 provided an enhanced web interface in order to import hardware tokens, create accounts, synchronize tokens or unlock accounts. An extended support of TekRADIUS was added in order to send back some particular informations, which is useful for MS-CHAP or MS-CHAPv2 connections.
Version 4.2.3 of 13 March 2014 fixed a bug with the send back to TekRADIUS.
Version 4.2.4 of 30 March 2014 enhanced MySQL backend support and added mysqli support. Since this version, it is also possible to define in configuration file which fields must be encrypted or not. Some external classes have been updated or replaced, and a lot of new QA tests have been added, both for PHP class and command line versions.
Version 4.2.4.1 of 6 April 2014 added NT_KEY support (for FreeRADIUS further handling, like VPN key generation). It is now also possible to import tokens based on a simple CSV file (serial_number;manufacturer;algorithm;seed;digits;interval_or_event). The new option -user-info has also been added, and some bug fixes have been done too.
Version 4.2.4.2 of 13 April 2014 consolidated XML handling with one single library for the whole project. It also fixed a possible bug concerning tokens import based on a simple CSV file.
Version 4.2.4.3 of 12 June 2014 fixed a bug with the SMS provider aspsms.
Version 4.3.0.0 of 4 November 2014 added AD/LDAP password support (instead of static PIN only). It also added Yubico OTP, including keys import using the log file provided by the Yubico Personalization Tool. Synchronization of AD/LDAP users was completely redesigned. This version has been used the 4. November 2014 during a training of the Application Security Forum - Western Switzerland 2014 in Yverdon-les-Bains (Switzerland).^[9]
Version 4.3.1.0 of 9 December 2014 added a special CLI proxy in order to speed up the Raspberry Pi implementation. Generic LDAP support had been added (like Synology and every Linux based implementation). OTP generation with integrated serial number is now also better supported (in PAP). Starting with this version and if activated, the prefix PIN is also needed when using a scratch password. MULTIOTP_PATH environment variable is now supported in order to define where is the root of multiotp (if a specific implementation cannot detect correctly the root directory of multiotp).
Version 4.3.1.1 of 15 December 2014 provided a better LDAP and AD support, handling more fields during synchronizations. The multiOTP project is now also available on Github.^[10]

2015

Version 4.3.2.2 of 9 June 2015 improved some ugly parts (!), added/adapted some default values, allowed the use of minus (-) in the password, enabled by default the -autoresync option, better handled the resync during authentication (directly in the class), enabled by default the server cache and cleaned some log information.
Version 4.3.2.3 of 10 June 2015 contained some web GUI improvements. It was the version presented during the Dev(Talks): 2015 in Bucharest (Romania).^[11]
Version 4.3.2.4 of 24 June 2015 fixed a bug when special characters were used for scratch password generation. It also automatized the support of multi_account when synchronizing with AD/LDAP.
Version 4.3.2.5 of 15 July 2015 changed the behavior of the CLI when it's called without parameter, returning now an error code (30) instead of an information (19). Ready to use virtual appliance is now provided in standard OVA format, with open-vm-tools integrated and also in Hyper-V format.
Version 4.3.2.6 of 18 July 2015 added QRcode generation for mOTP (Mobile-OTP), and a new method is now implemented to read the data of a single user in an array.

2016

Version 5.0.2.5 of 16 October 2016 added better SSL support, ability to select a specific LDAP/AD attribute to synchronize the accounts, better MS-CHAPv2 support, better repeated password handling, YUbicoOTP private ID is now checked, SSL AD/LDAP compatibility with Windows 2012(R2), better AD/LDAP special chars support (RFC4515), new methods to implement asynchronous activities when data is modified in the backend.
Version 5.0.2.6 of 4 November 2016 enhanced log messages, updated some external packages and adapted the backup configuration file format in order to be compatible with commercial edition.
Version 5.0.3.0 of 14 November 2016 added Dial-In IP address support (including the synchronisation with the Active Directory msRADIUSFramedIPAddress attribute), enhanced token importation process with binary encryption key support.

2017

Version 5.0.3.4 of 26 January 2017 enhanced the AD/LDAP synchronisation process for huge AD/LDAP directories by using by default disk caching in the system temporary folder. Several CLI commands can now be done at once. Multiple groups per user is now supported (warning, not all devices support multiple group). The default proposed TOTP/HOTP generator is now FreeOTP (for Android/iOS). Multiple purpose tokens provisioning format PSKCV10 is now supported.
Version 5.0.3.5 of 3 February 2017 fixed some bugs and add the GetUserInfo method.
Version 5.0.3.6 of 21 February 2017 added the support of base32 and raw binary for SetUserTokenSeed and SetTokenSeed methods. The restoreCOnfiguration method has been updated.
Version 5.0.3.7 of 23 February 2017 added some minor enhancements like trimming the group names and handling the Linux folder mode.
Version 5.0.4.4 of 16 May 2017 enhanced the rejection policy without incrementing the error counter for the same replayed token.
Version 5.0.4.5 of 29 May 2017 added PostgreSQL support, based on source code provided by Frank van der Aa
Version 5.0.4.6 of 2 June 2017 redefined with Linux the location of the config, devices, groups, tokens and users folders to be always located in /etc/multiotp/
Version 5.0.4.8 of 6 June 2017 fixed SSL/TLS LDAP failed connection for PHP 7.x
Version 5.0.4.9 of 7 July 2017 fixed some minor bugs and added some TLS configuration methods.
Version 5.0.5.0 of 8 September 2017 removed the use of the nircmd.exe tool due to false virus detection
Version 5.0.5.2 of 29 September 2017 defined the default mOTP generator for Android/iOS to OTP Authenticator.
Version 5.0.5.6 of 4 November 2017 enhanced the FreeRADIUS 3.x documentation and fixed some minor bugs.

2018

Version 5.1.0.3 of 19 February 2018 added expired AD/LDAP password support and better unicode handling. Some enhancements for multiOTP Credential Provider (for Windows) has been done too.
Version 5.1.0.8 of 5 March 2018 enhanced the multiOTP Credential Provider and it's now possible to use registry entries. It fix also the "receive an OTP by SMS" link for Windows 10.
Version 5.1.1.2 of 20 March 2018 provided the first Dockerfile to create a full multiOTP open source server docker.
Version 5.2.0.2 of 16 July 2018 enhanced AD/LDAP support for huge Active Directory, and added Users DN option (which is optional, otherwise Base DN is still used to search users).
Version 5.3.0.0 of 21 August 2018 added multiple "Users DN" (separated by semicolumn) for AD/LDAP synchronization (with additional synchronization debug messages) and a new "without2FA" algorithm if some users just want the prefix password without tokens.
Version 5.3.0.1 of 22 August 2018 added some monitoring fields to have more information about the synchronization process.
Version 5.3.0.3 of 26 August 2018 fixed the restore process in command line edition and enhanced the client/server process.
Version 5.4.0.1 of 14 September 2018 fixed the compatibility mode of the Windows radius server component during installation.
Version 5.4.0.2 of 13 November 2018 enhanced import of PSKC definition files with binary decoding key file and added the support for several SMS provider (Swisscom LA REST, Afilnet, Clickatell2, eCall, Nexmo, NowSMS, SMSEagle and custom SMS).

2019

Version 5.4.1.1 of 7 January 2019 added Raspberry Pi 3B+ support.
Version 5.4.1.4 of 18 January 2019 added Debian 9.x (stretch) support.
Version 5.4.1.6 of 25 January 2019 fixed a NTP DHCP option problem.
Version 5.4.1.7 of 30 January 2019 changed the QRcode generation library and provided a new Raspberry Pi binary image ready to be used for Raspberry Pi 1B/1B+/2B/3B/3B+.
Version 5.4.1.8 of 29 March 2019 added Access-Challenge support.

2020

Version 5.8.0.2 of 20 September 2020 added generic web based SMS provider definition, automatic purge of inexistent AD/LDAP users and support for Debian Buster 10.5, PHP 7.3 and Raspberry PI 4B.

2021

Version 5.8.1.0 of 12 February 2021 enhanced the Web interface with better accounts state information.

Features

For Windows, the multiOTP library is provided with a pre-configured RADIUS server (freeradius) which can be installed as a service. A pre-configured web service (based on mongoose) can also be installed as a service and is needed if we want to use the multiOTP library in a client/server configuration. Under Linux, the readme.txt file provided with the library indicates what should be done in order to configure the RADIUS server and the web service. All necessary files and instructions are also provided to make a strong authentication device using a Raspberry Pi nano-computer. Since version 4.3.2.5, ready to use virtual appliance is provided in standard OVA format, with open-vm-tools integrated and also in Hyper-V format. The client can strongly authenticate on an application or a device using different methods:

software tokens (like Google Authenticator)
hardware tokens (any OATH/HOTP and OATH/TOTP certified token, like NagraID tokens, and some other non-certified but compatible tokens, like Feitian C200 time based tokens)
code sent per SMS (since version 4.0.4)
scratch passwords list (since version 4.0.4)
YubiKey in proprietary Yubico OTP mode (since version 4.3)
without2FA for accounts that doesn't need strong authentication (since 5.3)

Standardization and normalization

multiOTP is Initiative For Open Authentication certified for HOTP and TOTP and currently supports the following algorithms and RFCs:

HOTP, HMAC-based one-time password (RFC4226)
TOTP, time-based one-time password (RFC6238)
Google Authenticator (OATH/HOTP or OATH/TOTP, base32 seed, QRcode provisioning)
SMS tokens (using aspsms, clickatell, intellisms, or a local provider)
PSKC, Additional Portable Symmetric Key Container Algorithm Profiles (RFC6030)
CHAP, Challenge Handshake Authentication Protocol (RFC1994)
MS-CHAP, Microsoft PPP CHAP Extensions (RFC2433)
MS-CHAPv2, Microsoft PPP CHAP Extensions, version 2 (RFC2759)
Syslog protocol (client; RFC5424)
SMTP, Simple Mail Transfer Protocol (RFC2821)
SMTP Service Extension for Secure SMTP over TLS (RFC2487)

Scope of the class

The multiOTP class provides strong authentication functionality and can be used in different strong authentication situations:

Adding a strong authentication in order to identify a user (to avoid static password)
Fixing a hardware token at a specific place, and be sure that somebody was there at a specific time (the token code displayed to the user at the specific time will give information about where it was displayed)
Authenticating a user by sending him a code through SMS, which will validate automatically the mobile phone number of the user
Creating automatically strong authentication accounts for users present in a specific group of the Active Directory (or LDAP)

Several free projects use the library:

Since November 2016, the multiOTP team provides an up-to-date Credential Provider for Windows 7/8/8.1/10/2012(R2)/2016, with options like RDP only and UPN name support, called multiOTP Credential Provider,^[12] based on the MultiOneTimePassword Credential Provider^[13] created by Last Squirrel IT.
ownCloud OTP^[14] is a One Time Password app based on the multiOTP class that add strong authentication to the OwnCloud project, an open source Dropbox alternative.
2FA Credential Provider for Windows^[15] is another strong authentication Credential Provider for Windows Login using the multiOTP library.
The multiOTP class has been used as a learning tool in security demonstrations^[16] and a Bachelor thesis^[17]

Related Research Articles

An authenticator is a means used to confirm a user's identity, that is, to perform digital authentication. A person authenticates to a computer system or application by demonstrating that he or she has possession and control of an authenticator. In the simplest case, the authenticator is a common password.

RSA SecurID, formerly referred to as SecurID, is a mechanism developed by RSA for performing two-factor authentication for a user to a network resource.

Single sign-on (SSO) is an authentication scheme that allows a user to log in with a single ID to any of several related, yet independent, software systems.

Java Authentication and Authorization Service, or JAAS, pronounced "Jazz", is the Java implementation of the standard Pluggable Authentication Module (PAM) information security framework. JAAS was introduced as an extension library to the Java Platform, Standard Edition 1.3 and was integrated in version 1.4.

A one-time password (OTP), also known as a one-time PIN, one-time authorization code (OTAC) or dynamic password, is a password that is valid for only one login session or transaction, on a computer system or other digital device. OTPs avoid several shortcomings that are associated with traditional (static) password-based authentication; a number of implementations also incorporate two-factor authentication by ensuring that the one-time password requires access to something a person has as well as something a person knows.

A security token is a peripheral device used to gain access to an electronically restricted resource. The token is used in addition to, or in place of, a password. Examples of security tokens include wireless key cards used to open locked doors, a banking token used as a digital authenticator for signing in to online banking, or signing a transaction such as a wire transfer.

Extensible Authentication Protocol (EAP) is an authentication framework frequently used in network and internet connections. It is defined in RFC 3748, which made RFC 2284 obsolete, and is updated by RFC 5247. EAP is an authentication framework for providing the transport and usage of material and parameters generated by EAP methods. There are many methods defined by RFCs, and a number of vendor-specific methods and new proposals exist. EAP is not a wire protocol; instead it only defines the information from the interface and the formats. Each protocol that uses EAP defines a way to encapsulate by the user EAP messages within that protocol's messages.

HMAC-based one-time password (HOTP) is a one-time password (OTP) algorithm based on HMAC. It is a cornerstone of the Initiative for Open Authentication (OATH).

Electronic authentication is the process of establishing confidence in user identities electronically presented to an information system. Digital authentication, or e-authentication, may be used synonymously when referring to the authentication process that confirms or certifies a person's identity and works. When used in conjunction with an electronic signature, it can provide evidence of whether data received has been tampered with after being signed by its original sender. Electronic authentication can reduce the risk of fraud and identity theft by verifying that a person is who they say they are when performing transactions online.

Password fatigue is the feeling experienced by many people who are required to remember an excessive number of passwords as part of their daily routine, such as to log in to a computer at work, undo a bicycle lock or conduct banking from an automated teller machine. The concept is also known as password chaos, or more broadly as identity chaos.

Security Support Provider Interface (SSPI) is a component of Windows API that performs security-related operations such as authentication.

Multi-factor authentication is an electronic authentication method in which a user is granted access to a website or application only after successfully presenting two or more pieces of evidence to an authentication mechanism. MFA protects personal data—which may include personal identification or financial assets—from being accessed by an unauthorized third party that may have been able to discover, for example, a single password.

Time-based one-time password (TOTP) is a computer algorithm that generates a one-time password (OTP) using the current time as a source of uniqueness. As an extension of the HMAC-based one-time password algorithm (HOTP), it has been adopted as Internet Engineering Task Force (IETF) standard RFC 6238.

Google Authenticator is a software-based authenticator by Google. It implements multi-factor authentication services using the time-based one-time password and HMAC-based one-time password, for authenticating users of software applications.

LinOTP is Linux-based software to manage authentication devices for two-factor authentication with one time passwords. It is implemented as a web service based on the python framework Pylons. Thus it requires a web server to run in.

<span class="mw-page-title-main">YubiKey</span> Hardware authentication device

The YubiKey is a hardware authentication device manufactured by Yubico to protect access to computers, networks, and online services that supports one-time passwords (OTP), public-key cryptography, and authentication, and the Universal 2nd Factor (U2F) and FIDO2 protocols developed by the FIDO Alliance. It allows users to securely log into their accounts by emitting one-time passwords or using a FIDO-based public/private key pair generated by the device. YubiKey also allows storing static passwords for use at sites that do not support one-time passwords. Google, Amazon, Microsoft, Twitter, and Facebook use YubiKey devices to secure employee accounts as well as end-user accounts. Some password managers support YubiKey. Yubico also manufactures the Security Key, a similar lower-cost device with only FIDO2/WebAuthn and FIDO/U2F support.

<span class="mw-page-title-main">FreeOTP</span> Free and open-source two-factor authentication app

FreeOTP is a free and open-source authenticator by RedHat. It implements multi-factor authentication using HOTP and TOTP. Tokens can be added by scanning a QR code or by manually entering the token configuration. It is licensed under the Apache 2.0 license, and supports Android and iOS.

privacyIDEA is a two factor authentication system which is multi-tenency- and multi-instance-capable. It is opensource, written in Python and hosted at GitHub. privacyIDEA is a LinOTP's fork from 2014.

The following is a general comparison of OTP applications that are used to generate one-time passwords for two-factor authentication (2FA) systems using the time-based one-time password (TOTP) or the HMAC-based one-time password (HOTP) algorithms.

<span class="mw-page-title-main">OnlyKey</span> Hardware security token

OnlyKey is a multi-function hardware security key combining features of a password manager, two-factor authentication (2FA) token, file encryption token, and secure storage device. The device incorporates hardware storage for password and username combinations, also acting as a portable password manager.

References

↑ Aslan, Ömer; Aktuğ, Semih Serkant; Ozkan-Okay, Merve; Yilmaz, Abdullah Asim; Akin, Erdal (January 2023). "A Comprehensive Review of Cyber Security Vulnerabilities, Threats, Attacks, and Solutions". Electronics. 12 (6): 1333. doi: 10.3390/electronics12061333 . ISSN 2079-9292.
↑ "multiOTP PHP class: Authenticate and manage OTP strong user tokens". PHPclasses/Icontem. Retrieved 30 October 2013.
↑ "Application Security Forum - Western Switzerland 2011". Application Security Forum - Western Switzerland. Retrieved 30 October 2013.
↑ "ASF-WS 2011 Feitian token seed request". SysCo systèmes de communication sa. Retrieved 30 October 2013.
↑ "Application Security Forum - Western Switzerland 2013". Application Security Forum - Western Switzerland.
↑ "Studerus Technology Forum - TEFO'13". Studerus. Archived from the original on 2013-12-26. Retrieved 2013-12-25.
↑ "PasswordsCon 2013 in Bergen". securelist.com. 2013-12-03. Retrieved 2023-08-20.
↑ "PasswordsCon 2013". PasswordsCon.
↑ "Application Security Forum - Western Switzerland 2014". Application Security Forum - Western Switzerland. 9 August 2014.
↑ multiOTP (2023-08-11), multiOTP open source , retrieved 2023-08-20
↑ "Dev(Talks): 2015". Catalyst (hipo.ro).
↑ "multiOTP Credential Provider". multiOTP team. Retrieved 1 February 2019.
↑ "MultiOneTimePassword Credential Provider". Last Squirrel IT. Retrieved 28 July 2015.
↑ "One Time Password Backend for ownCloud". apps.ownCloud.com Team. Retrieved 30 October 2013.
↑ "2FA Credential Provider for Windows". Fluid Technology Solutions Ltd. Archived from the original on 2 October 2013. Retrieved 30 October 2013.
↑ "Strong Authentication in Web Application - State of the Art 2011" (PDF). Compass Security AG. Retrieved 30 October 2013.
↑ "One-time passwords Bachelor thesis (in Czech)". University of Economics, Prague. Retrieved 30 October 2013.

This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.

[1] Aslan, Ömer; Aktuğ, Semih Serkant; Ozkan-Okay, Merve; Yilmaz, Abdullah Asim; Akin, Erdal (January 2023). "A Comprehensive Review of Cyber Security Vulnerabilities, Threats, Attacks, and Solutions". Electronics. 12 (6): 1333. doi: 10.3390/electronics12061333 . ISSN 2079-9292.

[2] "multiOTP PHP class: Authenticate and manage OTP strong user tokens". PHPclasses/Icontem. Retrieved 30 October 2013.

[3] "Application Security Forum - Western Switzerland 2011". Application Security Forum - Western Switzerland. Retrieved 30 October 2013.

[4] "ASF-WS 2011 Feitian token seed request". SysCo systèmes de communication sa. Retrieved 30 October 2013.

[5] "Application Security Forum - Western Switzerland 2013". Application Security Forum - Western Switzerland.

[6] "Studerus Technology Forum - TEFO'13". Studerus. Archived from the original on 2013-12-26. Retrieved 2013-12-25.

[7] "PasswordsCon 2013 in Bergen". securelist.com. 2013-12-03. Retrieved 2023-08-20.

[8] "PasswordsCon 2013". PasswordsCon.

[9] "Application Security Forum - Western Switzerland 2014". Application Security Forum - Western Switzerland. 9 August 2014.

[10] ultiOTP (2023-08-11), multiOTP open source , retrieved 2023-08-20

[11] "Dev(Talks): 2015". Catalyst (hipo.ro).

[12] "multiOTP Credential Provider". multiOTP team. Retrieved 1 February 2019.

[13] "MultiOneTimePassword Credential Provider". Last Squirrel IT. Retrieved 28 July 2015.

[14] "One Time Password Backend for ownCloud". apps.ownCloud.com Team. Retrieved 30 October 2013.

[15] "2FA Credential Provider for Windows". Fluid Technology Solutions Ltd. Archived from the original on 2 October 2013. Retrieved 30 October 2013.

[16] "Strong Authentication in Web Application - State of the Art 2011" (PDF). Compass Security AG. Retrieved 30 October 2013.

[17] "One-time passwords Bachelor thesis (in Czech)". University of Economics, Prague. Retrieved 30 October 2013.

[1]

[2]

[3]

[4]

[5]

[6]

[7]

[8]

[9]

[10]

[11]

[12]

[13]

[14]

[15]

[16]

[17]