1. Introduction

1.1. System Overview

LinOTP is a framework that provides highly flexible authentication with One Time Passwords (OTP). This section shows the dimensions of that flexibility.

1.2. Components

LinOTP consists of several component types.


Components of LinOTP

The components are loadable modules which can be used depending on the setup with the LinOTP core. Since the interfaces for component types are well defined, it is straightforward to implement new components without any impact on the LinOTP core. Such new components can be easily loaded during runtime.

1.3. LinOTP core

This is the central server part, the LinOTP core. LinOTP is implemented in Python and well tested with Python 3.7 and will. It uses Flask for the communication of the other components with the core. Thus the other components like management clients and authentication modules will issue HTTP requests to communicate with the LinOTP core. LinOTP stores all token information in an SQL database. MySQL, PostgreSQL, SQLite, Oracle and DB2 were tested successfully.

1.4. OTP Calculation

The LinOTP core can use different OTP algorithms for calculating the OTP values. Each OTP token is stored with its token type, which identifies how the OTP value is calculated.

At the moment the following types are supported:

  • event based HOTP [1],

  • time based TOTP [2],

  • time based mOTP [3],

  • SMS token,

  • E-Mail token,

  • push token,

  • qr token,

  • RADIUS token,

  • Remote token,

  • daily passwords token,

  • yubikey token,

  • static password token,

  • OCRA Token

New modules for new tokens can be plugged in easily. LinOTP is OATH certified for HOTP and TOTP.
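
The type-dependent calculation described in this section, shown for the two OATH algorithms (HOTP per RFC 4226, TOTP per RFC 6238) as an added example that is not LinOTP's own code. The token record layout, the type strings, the look-ahead window and the one-step drift tolerance are assumptions made for illustration.

```python
import hashlib
import hmac
import struct

STEP = 30  # TOTP time step in seconds (RFC 6238 default)

def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def totp(key: bytes, unix_time: int, digits: int = 6) -> str:
    """RFC 6238: HOTP where the counter is the number of elapsed time steps."""
    return hotp(key, unix_time // STEP, digits)

def _matches(key: bytes, counter: int, otp: str) -> bool:
    # Constant-time comparison; done on bytes because compare_digest
    # rejects non-ASCII str arguments.
    return hmac.compare_digest(hotp(key, counter).encode(), otp.encode())

def check_otp(token: dict, otp: str, now: int, window: int = 5) -> bool:
    """Verify otp against a token record; its stored type selects the algorithm.

    token is a hypothetical record {"type", "key", "counter"}, not LinOTP's schema.
    "counter" is the lowest counter (HOTP) or time step (TOTP) still acceptable.
    """
    if token["type"] == "HOTP":
        # Event based: search a small look-ahead window for a token whose
        # button was pressed a few times without logging in.
        candidates = range(token["counter"], token["counter"] + window)
    elif token["type"] == "TOTP":
        # Time based: tolerate one step of clock drift in either direction,
        # skipping steps that were already accepted.
        current = now // STEP
        candidates = [c for c in (current - 1, current, current + 1)
                      if c >= token["counter"]]
    else:
        raise ValueError("unsupported token type: %r" % token["type"])
    for c in candidates:
        if _matches(token["key"], c, otp):
            # Move past the match so this value and earlier ones cannot be replayed.
            token["counter"] = c + 1
            return True
    return False
```
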

1.5. UserIdResolver

LinOTP uses external user stores to identify the users to whom tokens get assigned. LinOTP does not modify the user store. A UserIdResolver has a well-defined interface, so a new UserIdResolver can be plugged into LinOTP to make users from another user store available. LinOTP can use several UserIdResolvers at the same time, which can be organized and used in so-called “realms”. LinOTP provides a PasswdUserIdResolver to access users from flat files like /etc/passwd, an LDAPIdResolver to use users from LDAP directories like OpenLDAP, Active Directory or Novell eDirectory, and an SQLUserIdResolver to access users in SQL databases.

1.6. Authentication Modules

LinOTP does not bind you to any authentication method. Although RADIUS (Remote Authentication Dial In User Service) is an often used protocol, it might not fit all needs or might sometimes be too costly to set up. So LinOTP also provides an interface for authenticating users. At the moment LinOTP provides an authentication module for FreeRADIUS and for the Unix PAM stack (Pluggable Authentication Module). Additionally, LinOTP provides a simple web API.

Again, as the LinOTP authentication interface is very lean, other authentication modules can be implemented easily.

1.7. Management Clients

The LinOTP server can be managed in several different ways. There is a command line client for Windows and Linux and a Web UI. All clients can be used for all administrative and token management tasks. Using these management interfaces, the LinOTP server and its UserIdResolvers can be configured. Tokens can be imported, enrolled, assigned or disabled. For a detailed feature comparison of the different management clients see Table 1. The Web UI management client also provides a view of the available users in the configured user store. Since LinOTP only has read access to the user store, the users are not managed within LinOTP.

1.8. Features of different management clients


CLI management client (linotpadm.py)

Web UI

Manage UserIdResolver



Manage Realms



Manage license


Enroll eTokenNG OTP

Enroll mOTP Token



Import Token XML file



Import PSKC file


Enroll/Assign eTokenPASS and other HOTP Token



Enroll/Assign TOTP tokens



Enroll Simple PASS Token


Enroll SMS Token


Enroll YubiKey


Enroll Remote Token


Enroll RADIUS Token


Manage Tokens (enable, disable, delete, assign, unassign)



Reset Failcounter



Manage Token detailed token settings


mass enroll eToken NG


mass enroll YubiKey


Features of the different management clients

1.9. Licenses

LinOTP and its components are licensed under either the GNU Affero General Public License (AGPL) Version 3 or the GNU General Public License (GPL) Version 2.

The LinOTP logo and the LinOTP manuals and documentation (“LinOTP Management Guide”, “LinOTP Installation Guide”, “LinOTP User Guide”, “LinOTP Appliance Manual”, “LinOTP Module Development Guide”) are intellectual property and under the copyright of netgo GmbH and cannot be used without permission.

1.9.1. LinOTP Server

  • LinOTP server (AGPLv3)

1.9.2. LinOTP Administration Clients (adminclients)

  • LinOTPAdminClientCLI (AGPLv3 : linotpadm.py)

1.9.3. LinOTP Management GUI

  • WebGui (AGPLv3)

1.9.4. LinOTP Authentication Connectors (authmodules)

  • freeradius (GPLv2+ : rlm_linotp2)

  • libpam-linotp (GPLv2+ : pam_linotp.c)

  • freeradius_perl (GPLv2+ : radius_linotp.pm)

  • pam_py_linotp (GPLv2+ : pam_linotp.py, setup.py)

  • simplesamlphp-module (GPLv2+ : copyright)

  • wordpress-php (GPLv2+: linotp.php)

1.9.5. LinOTP User Connectors (UserIdResolver)

  • LDAPIdResolver.py (AGPLv3)

  • PasswdIdResolver.py (AGPLv3)

  • SQLIdResolver.py (AGPLv3)

1.9.6. LinOTP SMS Connectors

  • DeviceSMSProvider.py (AGPLv3)

  • HttpSMSProvider.py (AGPLv3)

  • SmtpSMSProvider.py (AGPLv3)