Latch: how it protects our online user accounts

Passwords are still the quintessential form of authentication in different online services, in recent years it is becoming popular and even forcing us to configure a second authentication factor, so that we have to enter a password (something we know) and a code generated by an authenticator app (something we have). With the aim of protecting digital identities, Telefónica’s Eleven Paths team developed the Latch tool, a security addition to protect bank accounts, social networks, SSH and OpenVPN servers that we have installed at home or in the company, and many others services that we can configure. Today in this article we are going to explain how to configure one more layer of security, and block access to different services on demand or at a certain time.

Latch: how it protects our online user accounts

What is Latch and what is it for?

Latch is a system that allows us to add an additional layer of protection to digital identities, we have an application for smartphones that allows us to generate temporary one-time codes, like any other authenticator application (Temporal One Time Password), but it also allows us to block Complete access to the account on demand. For example, let’s imagine that at night we are not going to connect to a certain service, such as the SSH server or the OpenVPN server, we can program Latch so that access is blocked (even if the credentials are entered correctly) until we unlock that “latch”. ” of security. The same thing happens if we integrate this system into our WordPress, Drupal and a lot of other software with which it is compatible.

If a cybercriminal is able to get hold of our credentials, username and password, and has some way of “capturing” the temporary one-time code, they will not even be able to log in until we “open” the lock with the application. In addition, in the event that an access attempt is detected, a Push notification will pop up on our smartphone indicating that there has been a login attempt, whether legitimate (it was us) or not legitimate (it was someone who did not we are).


The operation of this tool is similar to two-step authentication, but it is not the same, because Latch allows us to completely block access to the service until we decide to unblock the service and log in. Through a programmer, we have the possibility of turning on or off access to the different services, to keep them “locked” when we do not need to access them, reducing the exhibition surface. The official app for Android and iOS allows us to generate an OTP code (One Time Password) to add additional security, in addition, we also have the possibility of registering different TOTP codes from Google, Microsoft and any service that uses authentication in two Steps.

In the following scheme you can see how Latch works in a simplified way:

General_Latch_Architecture Currently Latch is compatible with a large amount of software to add this security layer, for example, we can configure it in the following operating systems to log in:

  • Linux
  • Unix
  • FreeBSD
  • Windows in its Home, Pro and server versions
  • macOS
  • OpenBSD

We can also integrate it into the following services:

  • Drupal
  • Tour
  • Jenkins
  • Joomla
  • moodle
  • OpenLDAP
  • OpenVPN
  • ownCloud
  • OpenSSH
  • phpMyAdmin
  • PrestaShop
  • wordpress

As you can see, we have full compatibility with a large amount of software, so we will be able to protect a large number of services and equipment, adding this additional layer of security.

Register as a developer

To be able to use Latch as a client, we simply have to download the app for Android and iOS, we have them available in the official Google Play stores and the App Store. Once downloaded, you will have to follow the steps of the service to pair the account with the application.

If you are going to integrate this service in your operating system or in your own services, then you will have to register as a developer, for this you need to access the official website of Latch developers . Once inside, you will be able to see the latest news about the service and also what subscription we want to acquire, however, we have a “Community” version that is totally free for personal use and with certain limitations compared to the “Silver”, “Gold” versions and “Platinum”.

Registration is completely free and necessary for the start-up of the system, although you must take into account the limitations of the “Community” account, which is the only one that is completely free, it includes the following:

We simply have to click on the “Register now” button and then we will follow the registration steps, once done, we have to log in with the credentials that we have just created:

Once we are already registered, if we want to configure Latch on our servers, be it OpenSSH, OpenVPN or in a WordPress that we have, we must create “an application” from the control panel, you must take into account that this service supports almost all operating systems and a large amount of software, you can see this directly in the “Plugins and SDK” section:


Create an app with Latch

On the left side of the administration web we have an option called « My Applications «. In this section is where we can create a new application, edit it and also delete it whenever we want.

The first thing we must do is click on “ Add a new application”, to later use it in the service that we want.


Now we have to indicate a name of the application that we want the service to have, for example, if we are going to protect the OpenSSH SSH server on our server, we have to give it a descriptive name to locate it easily, in our case, we have called the “OpenSSH-this article” application.


By clicking on add application, it will take us to a new menu where we can give it an image, configure if a second authentication factor is required (One Time Password) and it will also show us the application ID, the secret that we must use, and also the name we have given to the application.


The most important thing here is the possibility of choosing a second authentication factor , an OTP key (One Time Password) where we will be asked for the key generated randomly in the mobile terminal. This is ideal to add a layer of security to our service, but it will not always work, it depends on the service where we are going to integrate it. For example, in OpenVPN we cannot use this OTP due to the architecture of the virtual private network server itself, but in OpenSSH it is possible to do so without problems.

In the lower part we can put the contact information of the administrator, his email and contact telephone number, to show it in the alerts that the end user receives, however, these data are totally optional.


When we have configured the application as we want, click on “Save changes” and we will access the main menu where we will have the different applications. We will be able to edit the application, delete it or access the control panel where we will see the login attempts and other information related to security.


Regarding the control panel, it will show us quite important data such as the number of users paired with that specific application, we can also see the blocked access attempts and much more important information to keep our accounts protected.


Once we have created our application, we only have to implement the functionality in our service, be it WordPress, OpenSSH, OpenVPN or any other compatible service.


Use Latch to protect Linux system

Now that we know how Latch works, we know how to create an application and see its status in the control panel, we are going to proceed to configure a Linux operating system, be it Debian, Ubuntu or derivatives, with this service to have it under control access when authenticating in the operating system. We must bear in mind that this service is an additional security measure, it does not replace a good password policy or a good security policy in the system, it is one more addition.

Once we have registered, we must enter the official GitHub of Telefónica where the plugin for authentication in Unix operating systems is located (Linux too, such as Debian or Ubuntu). Once we download the .ZIP, we proceed to copy it and unzip it in the system where we are going to ensure the authentication of the operating system. The first thing we must do is install the typical gcc, make and of course the necessary libraries.

Installation and commissioning

All the commands that we are going to execute are completely necessary to do it with superuser permissions, so we put “sudo” in all of them. You also have the possibility to execute “sudo su” and thus we execute everything as root without the “sudo” in front of it. We install gcc, make and all related libraries:

sudo apt install gcc make libpam0g-dev libssl-dev libcurl4-openssl-dev

When we install everything necessary, we go to the Latch folder for authentication in the operating system, we go into the “Python” folder and rename the file latch-model.conf to latch.conf

cd python/
mv latch-model.conf latch.conf

Now we run the file called “install” as follows:

sudo ./install

It will begin to compile what is necessary for our distribution and later it will install it, in the following screenshot you can see this process:


It is recommended to restart the operating system once it has been installed:

sudo reboot

Once the system has restarted, we proceed with the configuration.

Now we need to edit the latch.conf text file with the application ID and secret information that we have on the developer website.

nano latch.conf

And we edit the file with the following information:


# Configuration file for the latch PAM plugin
# Identify your Application
# Application ID value
app_id = gtqXsLbAFMhxRnvh2kQg
#Secret key value
secret_key = WC22zULbZWFED22mGyq8xBkcQHVcCtBqHJbeF866

Next, you can see a screenshot of how it would be edited:


Once edited we save and close, now we have to pair the mobile device with Latch and the system will start working. 

Link the application with the system

Once we have installed the app on our mobile device, we run it and a wizard will appear that will tell us how it works and what the application is for. After this wizard, we can log in to the app or register a new user if we have not previously registered.

Now we will get a configuration wizard to pair the first service, click on the bottom to provide us with a code and pair the phone with the Linux operating system authentication service.

In the system we have to type the following command by terminal:


In our case we are in /python/ so we have introduced the following command:

sudo pairSYS CODIGO -f latch.conf

Once we execute this order on the computer, it will appear that the service has been paired correctly, below you can see the exact message:


And instantly and automatically, confirmation will appear on our mobile terminal that it has been successfully paired.

At this time we will already have our operating system paired with the app, if we enter the control panel we will be able to see it:


In the mobile application we can block and unblock the service whenever we want, we simply have to drag the padlock of the service to be blocked. This allows us to lock down the Linux based computer or server if we are not using it. If we click on the name we will be able to see the main options provided by the Latch mobile application, such as programming locks at certain times of the day and other options.

As you can see, we have a lot of configuration options available.


Testing performance and safety

Now we are going to simulate that we are a malicious user who wants to access our operating system, we always have the latch closed to have the best possible security, so it will notify us that there has been an access attempt. If we enter the system login and enter the password, a warning will appear on the smartphone saying that someone has tried to access with the latch closed.

If we do not unlock the service we will not be able to log in, we will get an error with the authentication, indicating that the password is incorrect, so even if we put the password correctly it will not let us access.


If we enter the Latch control panel we will see the intrusion attempts we have had, here we do not have any OTP key to log in, we only have the “latch” configured to have security.


This lock only occurs when we are going to log in to the operating system, it does not work if we have already logged in and are using the computer normally. But we will have to re-unlock the service if we need to enter again. If we try to login through the terminal, either in a local console or in the SSH, it will not let us if we have the latch blocked.


Unpair the app and remove it from the operating system

If we want to unpair the app and remove it from the operating system, just execute the following command:

sudo python


In the app we can see that the service has been unpaired correctly, and that it will no longer be available. To uninstall Latch from the system, simply go to the python folder and execute the following command:

sudo python


And then we must restart the operating system so that the changes are applied correctly.

sudo reboot

As you can see, Latch works on Linux operating systems like Debian or Ubuntu is really good, ideal for adding another layer of security.


Configuration for the OpenVPN server

The popular OpenVPN service is also compatible with Latch, so we can protect our server very easily and quickly thanks to this service. The first thing we must do isenter the official Telefónica GitHub where we have the same plugin that we have used before, and we will need exactly the same one to make it work. The process is exactly the same as before, the first thing we have to do is install everything necessary to install it (if you haven’t done it before).

We install gcc, make and then the necessary libraries:

sudo apt-get install gcc make libpam0g-dev libcurl4-openssl-dev libssl-dev

Once we have installed everything necessary, we proceed to go to the Latch for SSH folder that we have unzipped and execute the file called “install” as follows:

sudo ./install

It will begin to compile what is necessary for our distribution and later it will install it, in the following screenshot you can see this process:


It is recommended to restart the OpenVPN service once it has been installed:

sudo /etc/init.d/openvpn restart

Now we have to proceed to the same configuration as before, we rename the file latch-model.conf to latch.conf and edit it to incorporate the application ID and the secret key that we have created in the “My applications” section.

cd python/
mv latch-model.conf latch.conf
nano latch.conf

It would be something like this:

# Configuration file for the latch PAM plugin
# Identify your Application
# Application ID value
app_id = LlUuYfK2d56O4MqJm6rM
# Secret key value
secret_key = gkRgrzHvMROdhtLtHswVqxDQWkv5NkSPu7meB9k7

Below you can see a screenshot of how it would be edited:


Once edited we save and close. Now all we have to do is pair our mobile device with Latch in the system to start working. The process is exactly the same as before for Linux systems.

Once we have it paired, it is mandatory to make an additional configuration in the OpenVPN.conf file that we have to connect, we have to add the following line:


In our case, it looks like this since we have renamed it:

plugin /usr/lib/openvpn/ openvpn

It doesn’t matter in which section of the configuration file you insert this line, it is usually placed at the end of the file. Once everything is installed and configured, if someone tries to connect to the OpenVPN server with the latch closed, the connection will fail and the mobile will be notified of an access attempt. Of course, we must bear in mind that this will work only and exclusively if we have PAM authentication in the system, if we are registering with TLS digital certificates it will not work because PAM is not used.

If someone tries to connect to the OpenVPN server, we will get the following if we have the latch closed, authentication error.


In the Latch control panel we will also see this intrusion attempt:


If we want to configure a second user with Latch and OpenVPN, we can do it without problems, we simply have to follow the steps again with the other new user that we are going to create.

sudo pairOVPN CODIGO -f latch.conf

If you want to unsubscribe the paired user and uninstall everything, you simply have to follow these steps:

sudo python sudo python

And then we will have to restart the OpenVPN service so that everything works correctly again.

In case you want to configure the OpenSSH server with Latch, the procedure is exactly the same as for Linux in general, because OpenSSH itself also uses PAM to authenticate clients.


Latch is an additional security measure for our digital identities, although we currently do not have many public services that use it as a second factor of authentication, we do have the plugins and everything necessary to incorporate it into our own servers, in order to add one more layer of security. Thanks to the compatibility with Linux or FreeBSD operating systems, among others, we will be able to adequately protect these systems by adding a second factor, in addition, it is also compatible with both OpenSSH and OpenVPN, the two quintessential software for setting up an SSH and VPN server, respectively .

Another very positive aspect of Latch is that we have the possibility of registering different services in the TOTP (Temporary One Time Password) section, for example, we can register the Google account, Dropbox, PayPal, Facebook or any other service where we need an authenticator app as a second authentication factor. The good thing is that with our Latch account we will be able to access all the tokens, we don’t need to reconfigure everything if we change our mobile, we will simply have them with our account in the service, since they are directly synchronized with the cloud in Telephone.