Using one time passwords for securing login

Jens Bothe08. Dec 2011 | AdministrationUse cases


The practical examples presented in our technical blog ( and now in the expert category in our FAQ blog section serve as a source of ideas and documentation to show what is theoretically possible with OTRS in concrete scenarios or sometimes even for more exotic configurations. All configurations presented here were developed under laboratory conditions as a proof of concept. 

We can only guarantee testing and implementation of these concepts to be error-free and productive if implemented in a workshop with one of our OTRS consultants. Without this, the responsibility lies with the customer himself. Please note that configurations from older OTRS versions may not work in the newer ones.

Sometimes the basic authentication provided by OTRS via database or LDAP is not enough for securing the access to an application. RFC 4226 describes the generation and usage of one time passwords and two way authentication.

To make OTRS using OTP for the login of the agents we need to install mod-authn-otp as apache auth module. After downloading and compiling the module we need to activate it in the apache configuration.

Now we’ll start with the configuration of OTRS to use the OTP mechanism. First we need to tell OTRS to use the authenitfication provided by the webserver.

In these lines need to be added:

# Basic Auth stuff for OTP
    $Self->{AuthModule} = 'Kernel::System::Auth::HTTPBasicAuth';

No, apache needs the information that for the otrs directory the auth module should be used. So we need to adjust the settings in the otrs.conf webserver config file:

    # set mod_perl2 options
    <Location /otrs>
        ErrorDocument 403 /otrs/
        SetHandler  perl-script
        PerlResponseHandler ModPerl::Registry
        Options +ExecCGI
        PerlOptions +ParseHeaders
        PerlOptions +SetupEnv
        Order allow,deny
        Allow from all
        AuthType                basic
        AuthName                "Protected OTRS Area"
        AuthBasicProvider       OTP
        Require                 valid-user
        OTPAuthUsersFile        "/etc/otp-users/otp-users"
        OTPAuthMaxLinger        3600

You’ll find some documentation on the used parameters on the mod_authn-otp config page.

Now create the /etc/otp-users/otp-users file with the usernames, the PIN and the key:

HOTP    jb        1234   e942415c9e24768bb193f572fb272a3198def1a3

Don’t forget to change owner to the webserver user and make the directory writable for the webserver. (Also have a look at

You also should set the Lifetime of the OTRS Session to the same value as OTPAuthMaxLinger

Now you’ll need some software for your mobile phone to generate the OTP. I choosed OATH Token for the iPhone, but you’ll find some more here:

After configuring the app, you’ll be able to generate your OTP if needed:

Your email address will not be published. Required fields are marked *