Saturday, September 26, 2015

Enterprise OTP

Our company recently decided to switch to two-factor authentication for our VPN connections.  Actually, we call it 2.5 factor authentication, because we're using 2 x Something You Have (Token and Certificate) and Something You Know. Anyway, when we initially went down the road of one-time passwords and tokens, we picked a large and well-known commercial token provider, who shall remain nameless.  It was an obvious choice, until some Google searching led me to an open source alternative: LinOTP.

My original reason for looking for alternative OTP solutions was to find one that supported sending tokens via SMS.  LinOTP turned up as one of these, but I quickly found that it had much broader capabilities than that.  In addition to SMS, it supports E-mail tokens, as well as a variety of Smart Phone apps (including Google Authenticator).  There are also a few hardware-based tokens supported.  With the Smart Phone apps and hardware tokens, both event-driven and time-based tokens are supported.  And, with Google Authenticator, configuring the token is as easy as scanning a QR barcode on the screen when you generate the token.
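As an added illustration (my own example code, not part of LinOTP), here is what the event-driven and time-based tokens described above actually compute, how a server verifies them, and the otpauth:// URI that the Google Authenticator QR code carries. The secret is the RFC 4226/6238 test-vector key, and the issuer and account names are made-up placeholders.

```python
import base64
import hashlib
import hmac
import struct
from urllib.parse import quote

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 event-based OTP: HMAC-SHA1 over the 8-byte counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)

def totp(secret: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 time-based OTP: HOTP with the counter derived from the clock (30 s steps)."""
    return hotp(secret, now // step, digits)

def verify_hotp(secret: bytes, code: str, last_counter: int, look_ahead: int = 10):
    """Event-based check. A hardware token's counter may run ahead of the server
    (button pressed without logging in), so accept any counter within a small window
    after the last used one. Returns the matched counter so the server can advance
    past it, which is what prevents a code from being replayed; None on failure."""
    for c in range(last_counter + 1, last_counter + 1 + look_ahead):
        if hmac.compare_digest(hotp(secret, c), code):
            return c
    return None

def verify_totp(secret: bytes, code: str, now: int, step: int = 30, drift: int = 1) -> bool:
    """Time-based check, tolerating `drift` steps of clock skew on either side."""
    for d in range(-drift, drift + 1):
        if hmac.compare_digest(totp(secret, now + d * step, step), code):
            return True
    return False

def provisioning_uri(issuer: str, account: str, secret: bytes, time_based: bool = True) -> str:
    """The otpauth:// key URI that the enrolment QR code encodes (Google Authenticator format)."""
    b32 = base64.b32encode(secret).decode().rstrip("=")
    kind = "totp" if time_based else "hotp"
    uri = f"otpauth://{kind}/{quote(issuer)}:{quote(account)}?secret={b32}&issuer={quote(issuer)}"
    return uri if time_based else uri + "&counter=0"

# Constructed sample: the RFC test-vector secret; placeholder issuer/account for the QR URI.
SECRET = b"12345678901234567890"
ENROL_URI = provisioning_uri("ExampleCorp", "alice", SECRET)
```

Scanning a QR code of `ENROL_URI` with Google Authenticator yields the same codes `totp(SECRET, now)` produces, which is how the app and the server agree without ever sending the secret again.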

Having discovered these additional capabilities of the system, I moved quickly toward setting it up and evaluating it as an option to replace the commercial solution.  Several weeks later, I'm operating my VPN using LinOTP as my authentication backend.  Here are a few more highlights of LinOTP relevant to our implementation:
  • Broad support for backend storage.  In our case we used PostgreSQL - which turned out to be an even better choice (read on!)
  • Wide variety of options for user resolvers, mainly LDAP-type back ends.  We use eDirectory, which works perfectly, but LinOTP supports Active Directory, openLDAP, and just about any other user storage mechanism.
  • Relatively simple install and configuration, basically some development libraries and Python dependencies, and it's done.
  • Integration with RADIUS via either the rlm_perl module or a special rlm_linotp2 module.  We're using rlm_perl.
  • Relatively easy HA configuration.  Since we're using Postgres for the DB backend, we're able to use Bucardo to do two-way replication of our database between two separate LinOTP servers. eDirectory of course supports replication, so we have redundant LinOTP servers for high availability.
  • A fairly complete self-service portal where users can log in and perform various actions related to their tokens, including setting PINs associated with tokens, disabling a lost token, etc.
  • Interfaces are relatively intuitive - at least as intuitive as the commercial solution that we had begun implementing.
As far as the cost goes, no contest there.  The commercial solution we were implementing would have cost $75/user for the soft (smart phone) tokens, or $125/user for the hardware tokens.  The tokens are good for three years, so part of that cost would have been recurring over those years.  The LinOTP solution does not cost anything for soft (smart phone) tokens, and the only cost for the hardware tokens is the tokens themselves, about $27 for the ones we chose, which are good for five years instead of three.

So, for anyone looking for an OTP solution, I'd suggest investigating LinOTP and see if it works for you.
