On July 15th we released LinOTP 3.2, the first stable release of LinOTP 3.

LinOTP 3.2

netgo software GmbH is pleased to announce the availability of the following product release:

LinOTP 3.2 brings many improvements, new features and bugfixes. The following list contains the most important changes to LinOTP 2.

  • See the full changelog of LinOTP 3.0, LinOTP 3.1, and LinOTP 3.2 for more details and the full list of changes and deprecations.
  • See the migration guide in the LinOTP documentation for more details for your upcoming install of LinOTP 3.


  • Python 3 & Flask: LinOTP 3 is based on Python 3 and the main framework was ported from Pylons to Flask to future proof the foundation.
  • New Selfservice: LinOTP 3 ships with a completely new Token Selfservice user interface.
  • Administrative Login: LinOTP 3 ships with a brand new JWT based admin authentication for the Management UI and the administrative APIs.

New Selfservice

  • It completely overhauls the workflow for users to self-manage their own authentication tokens. The new selfservice is installed as a dependency of the LinOTP package.
  • The new selfservice integrates itself into the apache configuration on installation and is the default selfservice of your LinOTP server.
  • The SelfService design from LinOTP 2 is deprecated but still available under it’s own path /selfservice-legacy. You can change the apache configuration to change the default.
  • Footer texts and links to your privacy and imprint informations can be configured by LinOTP policies. The logo image can be changed and the CSS rules can be customized.
  • The new Selfservice supports the workflow of users testing their tokens after enrollment. This verifies the correct functionality of the token and eases future debugging login problems.

Administrative Login

  • LinOTP 3 ships with a brand new JWT based admin authentication for the Management UI and the administrative APIs.
  • It is no longer necessary to configure apache to protect admin access
  • LinOTP 3 no longer uses digest authentication.
  • LinOTP Administrators are now configured in LinOTP itself. Administrators can be configured using the `linotp` CLI command for bootstraping or automation or graphically using the known UserIDResolvers and Realms.
  • The internal administration allows an improved handling of admin policies and permissions based on groups and resolvers

Configuration Files

  • To facilitate the migration to flask and to improve the handling of configuration files in modern environments, LinOTP 3 no longer supports the linotp.ini configuration file format. Instead, a new linotp.cfg file format is in place. See the migration guide for detailed information about the configuration changes.

General Improvements

  • Managed resolvers (Internally stored users) that are managed via "Import users" in the Manage-UI now work with replicated databases, high-availability setups and if restored from database backups.
  • A new 'linotp' CLI replaces different scripts and tools. This improves the integration and feature set of all CLI scenarios. It also provides new features to administrate different parts of LinOTP. See 'linotp --help' for information about the different sub-command groups.
  • The audit trail can now be used with an sqlite database. Note that sqlite still has concurency limitations and we advise you to use a database server for production environments.
  • 'Cross site scripting request forgery (CSRF)' is no longer handled via the session request parameter. The session parameter that was used before should be omitted. API endpoints that are modifying data are restricted to accept only 'POST' requests and must use the new header. See the Migration guide for further details.
  • All providers allow configuring a TIMEOUT parameter.
  • SMS blocking time is now configurable in the SMS token configuration dialog. The blocking time (in seconds) is the period that needs to pass before another challenge can be triggered by the same user.
  • Improved handling of timestamps in logs and reports. The audit trail is now storing ISO 8601 formatted timestamps in UTC timezone instead of server local time.
  • LinOTP 3 now fully relies on the system trusted certificates for TLS security like it is used with LDAP resolvers.
  • Improved handling of encrypted LDAP resolver connections.
  • Specific policies override wildcard policies. This ensures that actions can be restricted for a subset of users.
  • Improved token monitoring and more precise token counting
  • Improved audit log entries
  • Improved integration of supported databases
  • LinOTP 3 supports reencoding of LinOTP 2 databases from ISO 8859-1 (Latin1) to UTF-8 via the LinOTP CLI. Latin1 used to be the default for Python 2 against mysql but is no longer valid for Python 3. The 'linotp.log' will instruct users on how to use the migration command if necessary. The LinOTP Smart Virtual Appliance (SVA 3.0) will automatically apply the reencoding during the restore setup.


LinOTP 3.2 is available as a Debian package from

Users with a support and subscription license can migrate to the new LinOTP Smart Virtual Appliance in version 3.0. An SVA installer ISO download link can be requested from the support team.

We are happy to assist our support customers in upgrading their environment to the latest release. Please contact us at

The LinOTP team

netgo software GmbH
Strong MFA solution by netgo
Branch office Darmstadt, Pallaswiesenstr. 174a, 64293 Darmstadt
Main office, Siemensdamm 62, 13627 Berlin
Registerd Office: Amtsgericht Berlin-Charlottenburg, HRB 243718 B
Board of Directors: Matthias Nietz, Clemens Schmidt

Sales Hotline: +49 6151 86086-277, Fax: -299