Rohos Logon Key provides secure 2-factor authentication for Windows Remote Desktop by using Mobile Phone or One-Time-Password tokens.
Available 2-factor authentication methods:
- By using a smartphone with the Google Authenticator application;
- By delivering a One-Time-Password to any mobile phone by SMS;
- By using a hardware OTP generator such as a Yubikey;
- Each user account can be configured with any type of 2-factor authentication means;
The benefits of 2-factor authentication for Remote Desktop:
- The user must provide a new OTP code at each login;
- Each generated OTP code is unique and cannot be duplicated by the user;
- Allows restricting Remote Desktop access by user list or user group;
- You don't need to install Rohos on the client PC/device you log in from;
- 2-factor authentication is applied by the list of users, by Active Directory group membership, or by an IP address filter;
Rohos Logon Key provides secure access to Windows Remote Desktop by using the popular and secure One-Time-Password authentication technology in place of weak password-based login.
How it works
Rohos Logon Key integrates with or replaces the Windows Terminal Services authentication provider. It adds a two-factor authentication layer on top of the existing authentication infrastructure. After deployment, users can log into a remote session only by passing 2-factor authentication: an OTP code plus their regular login credentials.
Rohos Logon Key message requiring 2-factor authentication:
User entering an OTP code to continue login into Remote Desktop:
Read next to find out how to configure it.
Installing Rohos Logon Key on Terminal Server
1. Install Rohos Logon Key on the Windows 2008/2012 Terminal Server:
2. Enable 2-factor authentication by using One-Time-Passwords. Open Options and select “Google Authenticator (OATH)” as the active 2-FA authentication means:
3. Choose a 2-factor authentication policy:
- For listed users
Only configured users will be required to use 2-factor authentication for login. Any other user will be able to log in with a password as usual. The user list is created automatically by the “Setup a Key” dialog box. To review the list, open the “Users and Key” dialog box.
- For ‘rohos’ user group in Active Directory
Each user from ‘rohos’ group will be forced to pass 2-factor authentication during Remote Desktop login.
Please note: the ‘rohos’ user group must be created by an Active Directory administrator;
- For Remote Desktop login
All Remote Desktop sessions will be required to pass 2-factor authentication;
- For Remote Desktop login outside LAN
Only users who connect via dial-up, DSL, or other external networks will be required to pass 2-factor authentication.
You need a Windows 2003/2008/2012 Server as your Terminal Server computer to try it.
4. Setup Emergency Login
To prevent being locked out of the Terminal Server by the 2-factor authentication policy, we recommend setting up the Emergency Login option. This allows an Administrator to log into the Terminal Server console/remote desktop by using a user name, a Q&A entry and a password. Emergency Login does not require 2-factor authentication. Emergency Login is not needed if you have access to the Server console.
2-factor authentication is configured individually for each user account. Automated setup is possible only with the “OTP delivery by SMS” option.
To set up 2-factor authentication for a user account, open Rohos Logon Key > Setup a Key:
- Select user account;
- Choose the type of One-Time-Password generator the user will use;
- Leave the password field blank;
- Click “Enable OTP login” to apply configuration.
Click “Display QR-Code” and “Copy code” to configure Google Authenticator, or send the Google Authenticator configuration to the user by email.
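To make the mechanism described under “How it works” and the QR-code step above concrete, here is an added example (not Rohos code and not taken from the product's documentation) of what happens on each side of an OATH/TOTP login: the Base32 enrolment secret that a Google Authenticator QR code carries, the RFC 6238 code computation, and a server-side check that accepts a code only from the current or an adjacent 30-second step and never accepts the same step twice, which is how “each OTP code cannot be duplicated by the user” is enforced in practice. The issuer and account names, and the SHA-1 / 6-digit / 30-second parameters, are assumptions chosen to match Google Authenticator's defaults; the test secret is the public one from RFC 4226/6238.

```python
import base64
import hashlib
import hmac
import secrets
import struct
from urllib.parse import quote


def generate_secret(num_bytes: int = 20) -> str:
    """Fresh random Base32 secret; 20 bytes (160 bits) is the RFC 4226 recommended key size."""
    return base64.b32encode(secrets.token_bytes(num_bytes)).decode("ascii").rstrip("=")


def otpauth_uri(secret_b32: str, account: str, issuer: str = "RemoteDesktop") -> str:
    """Key URI that a Google Authenticator QR code usually encodes (issuer/account are assumed names)."""
    label = quote(f"{issuer}:{account}", safe="")
    return (f"otpauth://totp/{label}?secret={secret_b32}&issuer={quote(issuer, safe='')}"
            "&algorithm=SHA1&digits=6&period=30")


def hotp(secret_b32: str, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)  # restore Base32 padding
    key = base64.b32decode(padded)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, unix_time: int, period: int = 30) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to the current time step."""
    return hotp(secret_b32, unix_time // period)


class TotpVerifier:
    """Server-side check for one enrolled user.

    Accepts a code from the current time step or one step either side (clock skew),
    and remembers the highest step already consumed so that a code cannot be
    replayed within its validity window.
    """

    def __init__(self, secret_b32: str, period: int = 30, skew: int = 1):
        self.secret = secret_b32
        self.period = period
        self.skew = skew
        self.last_used_step = -1  # no code accepted yet

    def verify(self, code: str, unix_time: int) -> bool:
        if not (code.isdigit() and len(code) == 6):
            return False
        current = unix_time // self.period
        for step in range(current - self.skew, current + self.skew + 1):
            if step <= self.last_used_step:
                continue  # already consumed (replay) or older than an accepted code
            if hmac.compare_digest(hotp(self.secret, step), code):
                self.last_used_step = step
                return True
        return False


if __name__ == "__main__":
    # RFC 6238 test secret "12345678901234567890" in Base32
    demo_secret = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
    print(otpauth_uri(demo_secret, "alice@example.invalid"))
    print("code at T=59:", totp(demo_secret, 59))
```

The skew window is the usual compromise between phone clock drift and code lifetime; widening it beyond one step noticeably enlarges the set of codes an attacker could guess, so the replay bookkeeping matters more the wider the window.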
When using the “OTP by SMS” option:
- Enter the mobile phone number, or ensure the mobile phone field in the User Account properties is filled in.
- Set up SMS gateway support in Options > Google Authenticator options.
Enabling automated 2-factor authentication by SMS
Rohos Logon Key allows automated 2-factor authentication for Remote Desktop users. During login into Remote Desktop, Rohos will automatically send a One-Time-Password code by SMS to the telephone number of the user account.
Your Terminal Server must meet the following requirements:
- The telephone/mobile number field of the user account contains the user's mobile number;
- Rohos Logon Key is configured with SMS-gateway support.
Setting up SMS-gateway
- Choose one of the web-based SMS gateway services available in your country (this is a paid service).
- Enter the SMS gateway's HTTP delivery request URL in Rohos > Options > Google Auth > Options…
- Adjust the URL with the %phone% and %text% parameters.
Here is an example of a URL:
In this request URL, %phone% and %text% will be replaced by the user's phone number and the OTP code text.
Enter a phone number and click the “test” button to send a test SMS with an OTP code.
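As an added illustration of the %phone% / %text% substitution (this is not Rohos code; the gateway host, path and parameter names below are constructed placeholders, not any real provider's API), the following shows how the two placeholders are filled in with percent-encoding, so that a leading “+” in an international number or a space in the message text cannot be misread by the gateway, together with a pre-flight check of the template that flags a non-HTTPS URL and a credential carried in the query string.

```python
from urllib.parse import parse_qs, quote, urlsplit

# Constructed example template; host, path and parameter names are placeholders.
EXAMPLE_TEMPLATE = ("https://sms.example.invalid/send?apikey=APIKEY_PLACEHOLDER"
                    "&to=%phone%&msg=%text%")

# Query parameter names that usually carry a gateway credential (assumed list).
CREDENTIAL_PARAMS = {"apikey", "api_key", "key", "token", "password", "pass", "pwd", "secret"}


def build_sms_request(url_template: str, phone: str, otp_text: str) -> str:
    """Substitute %phone% and %text%, percent-encoding both values.

    quote(..., safe="") also encodes '+', ':', ' ', '&' and '=' so the substituted
    values cannot add or alter query parameters.
    """
    if "%phone%" not in url_template or "%text%" not in url_template:
        raise ValueError("gateway URL must contain both %phone% and %text%")
    return (url_template
            .replace("%phone%", quote(phone, safe=""))
            .replace("%text%", quote(otp_text, safe="")))


def check_gateway_url(url_template: str) -> list:
    """Return warnings an administrator should resolve before enabling SMS delivery."""
    warnings = []
    parts = urlsplit(url_template)
    if parts.scheme != "https":
        warnings.append("not https: phone numbers and OTP codes would be sent in clear text")
    for name in parse_qs(parts.query, keep_blank_values=True):
        if name.lower() in CREDENTIAL_PARAMS:
            warnings.append(f"query parameter '{name}' carries a gateway credential; "
                            "keep the Rohos configuration and server logs protected")
    if "%phone%" not in url_template or "%text%" not in url_template:
        warnings.append("missing %phone% or %text% placeholder")
    return warnings


if __name__ == "__main__":
    print(build_sms_request(EXAMPLE_TEMPLATE, "+15551234567", "Login code: 287082"))
    for warning in check_gateway_url(EXAMPLE_TEMPLATE):
        print("WARNING:", warning)
```

Because the gateway key travels inside the URL, the same URL tends to end up in proxy and web-server logs; the warning list is a reminder to treat those logs, and the Rohos options store, as containing a secret.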
Remote Desktop login with SMS authentication enabled:
How to disable or reset 2-factor authentication
There are a few ways to disable or reset 2-factor authentication for the entire Server or for a selected user account.
To disable 2-factor authentication policy:
- Uninstalling Rohos Logon Key restores the default password-based or pass-through authentication.
- Setting the “Allows to login by USB key” option to “none” temporarily disables the 2-factor authentication requirement for all users.
To reset/change or disable 2-factor authentication for a user account:
- Removing the user account from the Rohos AD group may disable the 2-factor authentication requirement for the user (only with the “require 2-FA for Rohos group” policy).
- Open Rohos > Setup a Key dialog box > choose the user account > click “Disable OTP login”. This resets the 2-FA configuration for the user; the OTP generator used by the user (Google Authenticator, Yubikey) will become invalid.
- Open Rohos > User and Keys dialog box > find the user and delete it from the list. This disables the 2-factor authentication requirement for the user (only with the “require 2-FA for the List of users” policy).
Enabling 2-FA by using client IP filter
An experimental Rohos Logon Key feature allows filtering Remote Desktop connections by client IP address and requiring 2-FA by IP mask.
To try 2-FA for Remote Desktop by using the IP filter:
- In a Remote Desktop session open Rohos Logon Key > Options.
- Set the option “Allow to login only by USB Key” to “For Remote Desktop users outside LAN”.
- Click [?] to check whether Rohos was able to identify your client WAN IP address.
- Specify “LAN IP Filter:”; this should be a prefix of your local LAN. Using this prefix, Rohos can differentiate between LAN and WAN connections and require 2-factor authentication for clients with a WAN IP.
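The four policy choices listed under “Choose a 2-factor authentication policy” and the LAN IP filter above both come down to one decision per logon: must this session present an OTP or not. The following added example (my own code, not Rohos's; the mode names, the `rohos` group check and the CIDR representation of the LAN are assumptions) implements that decision and shows the pitfall of the literal string prefix the page describes: a filter of `10.1` also matches `10.10.x.x`, so a WAN client could be classified as LAN and skip 2-FA, whereas a CIDR test does not have that problem. It also fails closed when the client address cannot be determined, which is what the [?] check is there to catch.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Policy:
    """One of the four policy modes from the Options dialog (mode names are assumed)."""
    mode: str  # "listed_users" | "rohos_group" | "remote_desktop" | "outside_lan"
    listed_users: set = field(default_factory=set)
    lan_networks: list = field(default_factory=list)  # CIDR strings such as "192.168.10.0/24"


def lan_prefix_matches(client_ip: str, lan_prefix: str) -> bool:
    """Plain string-prefix match, the literal reading of the “LAN IP Filter” prefix."""
    return client_ip.startswith(lan_prefix)


def client_is_on_lan(client_ip: str, lan_networks: list) -> bool:
    """CIDR membership test; immune to the '10.1' vs '10.10.x.x' prefix pitfall."""
    addr = ipaddress.ip_address(client_ip)  # raises ValueError on garbage input
    return any(addr in ipaddress.ip_network(net, strict=False) for net in lan_networks)


def requires_2fa(policy: Policy, user: str, groups: set, is_remote_desktop: bool,
                 client_ip: Optional[str]) -> bool:
    """Decide whether this logon must present an OTP under the given policy."""
    if policy.mode == "listed_users":
        return user in policy.listed_users
    if policy.mode == "rohos_group":
        return "rohos" in groups
    if policy.mode == "remote_desktop":
        return is_remote_desktop
    if policy.mode == "outside_lan":
        if not is_remote_desktop:
            return False  # console logon is outside this policy's scope
        if client_ip is None:
            return True  # origin unknown: treat as WAN rather than skipping 2FA
        try:
            on_lan = client_is_on_lan(client_ip, policy.lan_networks)
        except ValueError:
            return True  # unparsable address: fail closed
        return not on_lan
    raise ValueError(f"unknown policy mode: {policy.mode}")


if __name__ == "__main__":
    policy = Policy("outside_lan", lan_networks=["10.1.0.0/16"])
    # Constructed sample: a WAN-side client whose address shares the digits "10.1"
    wan_client = "10.10.5.4"
    print("string prefix '10.1' says LAN:", lan_prefix_matches(wan_client, "10.1"))
    print("CIDR 10.1.0.0/16 says LAN:   ", client_is_on_lan(wan_client, policy.lan_networks))
    print("2FA required:", requires_2fa(policy, "alice", set(), True, wan_client))
```

If the product only accepts a textual prefix, the practical mitigation is to include the trailing dot (`10.1.` rather than `10.1`) and to verify the classification with the [?] check from both a LAN and a WAN client before relying on it.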
Licensing Rohos Logon Key
- A Rohos Logon Key Server license is required for each Terminal Server host running Rohos Logon Key; it allows protecting an unlimited number of users with an unlimited number of authentication keys;
- The Rohos Logon Key Small Server license allows protecting up to 15 users;
Please note that authentication by SMS requires a 3rd-party SMS gateway service, which is not included in Rohos Logon Key.