This article describes a new Credential Provider for Windows Vista/Seven, available in Rohos Logon Key. With this component, Rohos Logon Key adds two-factor authentication for Windows login: USB Key and optional PIN code password.

 

Contents:

  • What is Rohos Credential Provider?
  • Allow to log in only by using USB key
  • Windows Safe Mode support
  • Emergency Logon in case of loss of the USB Key
  • Changing Password
  • Accessing a Windows Remote Desktop with a USB Key
  • Windows Active Directory support
  • User Account Control (UAC) with USB Key
  • Troubleshooting USB key logon

Rohos Logon Key offers complete support for the new Windows Seven authentication.
A new component, Rohos Credential Provider, has been designed specially for Windows Seven. It integrates into the Windows logon screen.

With this component, Rohos Logon Key makes it easy to use a USB flash drive as a new means of hardware-based authentication for Windows login.
Thus, the program solves the problem of “weak passwords” by moving to secure two-factor authentication on the basis of a physical USB key.
Rohos Credential Provider can be used both on individual PCs, and on computers connected to Windows Active Directory.

What is Rohos Credential Provider?

Credential Provider is a special authentication component for Windows Seven, which implements a new user authentication method.

Rohos Credential Provider appears on the Windows logon screen in the form of an icon of a USB key. Connect a configured USB Key, and Rohos Logon Key will perform user authorization into Windows. If necessary, it will also ask the user to enter a PIN code for the USB drive's security (two-factor authentication).

Supported authentication tokens in Rohos Logon Key: USB Flash drive, OTP tokens, PKCS#11 tokens etc…

 

Rohos Credential Provider

Rohos Credential Provider automatically detects your USB drive and reads logon profile data from it. When you press the arrow button, the program scans all connected USB drives and searches for a valid USB Key.

The Option “Allow to log in only by using USB Key”

This option makes Windows login possible only by means of the USB drive; manual login with passwords becomes impossible both for local and Remote Desktop login.

When this option is ON, Rohos disables the existing Credential Provider. Thus, all user icons disappear, and only the Rohos Logon Key green icon remains active.

This function can be configured in the ‘Rohos Options’ dialog box by checking ‘Allow to log in only by using USB key’.

Note: Disabling the standard Credential Provider also affects the following Windows elements:

  • In the User Account Control dialog (requesting the administrator’s password) the administrator’s icon will not be available. Instead you need to use the USB key.

Now whenever you log in, the logon screen will show only the Rohos icon. If the USB flash drive is lost or damaged, you will be able to log in only with the help of the ‘Emergency Logon’ function or through Safe Mode.

Note: By default, Safe Mode will also be blocked by the program, and it will be impossible to log in by regular password entry.
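
To confirm which credential providers are actually active after toggling this option, the providers and filters registered with Windows can be listed from the registry. The following PowerShell is an added example, not part of Rohos Logon Key: it only reads the standard Windows registration keys, makes no assumption about how Rohos implements the option, and the function name and baseline file path are hypothetical. It assumes PowerShell 3.0 or later.

```powershell
# Added audit example (not Rohos code). Read-only on the registry: lists
# registered credential providers and filters, then diffs against a baseline.
$base     = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication'
$baseline = Join-Path $env:ProgramData 'credprov-baseline.xml'  # hypothetical path

function Get-CredentialProviderEntry {          # hypothetical helper name
    param([Parameter(Mandatory)][string]$SubKey)
    $path = Join-Path $base $SubKey
    if (-not (Test-Path -LiteralPath $path)) { return }
    foreach ($key in Get-ChildItem -LiteralPath $path) {
        $clsid = $key.PSChildName
        # Resolve the DLL that implements this COM class, if registered.
        $dll    = $null
        $inproc = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32"
        if (Test-Path -LiteralPath $inproc) {
            $dll = (Get-Item -LiteralPath $inproc).GetValue('')
        }
        [pscustomobject]@{
            Type     = $SubKey
            Clsid    = $clsid
            Name     = $key.GetValue('')                   # default value = friendly name
            Disabled = [bool]$key.GetValue('Disabled', 0)  # REG_DWORD 1 = switched off
            Dll      = $dll
        }
    }
}

$current = @(
    Get-CredentialProviderEntry -SubKey 'Credential Providers'
    Get-CredentialProviderEntry -SubKey 'Credential Provider Filters'
)
$current | Sort-Object Type, Name | Format-Table -AutoSize -Wrap

if (Test-Path -LiteralPath $baseline) {
    $previous = @(Import-Clixml -LiteralPath $baseline)
    if ($previous.Count -and $current.Count) {
        # '<=' rows existed only in the baseline, '=>' rows are new or changed.
        Compare-Object $previous $current -Property Type, Clsid, Disabled, Dll |
            Sort-Object Clsid | Format-Table -AutoSize -Wrap
    }
} else {
    $current | Export-Clixml -LiteralPath $baseline   # first run: save baseline
}
```

Run it once before enabling the option to save the baseline, then again afterwards; the second run prints any provider or filter whose registration or Disabled state changed.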

Windows Safe Mode support

When starting Windows Seven in Safe Mode, only the built-in Credential Provider will be available on the logon screen. Other third-party credential providers do not work in Safe Mode. Rohos Logon Key integrates a special USB key icon into the Safe Mode logon screen, which performs two tasks:

  1. Allows using the configured USB key for the login.
  2. Disables manual password login when the option “Allow to log in only by using USB Key” is ON.

Rohos Credential Provider. Configuring login by USB key only

Safe Mode Support

How Rohos Logon Key works in Safe Mode

Emergency Logon in the case of loss of the USB Drive

‘Emergency Logon’ provides login to Windows if the USB key is lost or damaged, or if you forget the PIN code.
To use this function, you must simply answer a few questions. Only you should know the answers to these questions – otherwise, access to your account would be open to everybody.
You can configure this function in the main window of the Rohos Logon Key program. (Configure USB drive -> Configure Emergency Logon). This will open a dialogue asking for answers to suggested questions (it is also possible to choose your own questions).

The Emergency Logon also works differently across different versions of Windows. In Windows Vista, clicking the ‘Emergency Logon’ link on the login screen will open a window. In this window you can first choose a user name, and then answer the questions.

 

After this you can:

  • Choose a new password – if you want to set up a new password and then continue to use it.
  • Leave it blank, to preserve your existing password.

After restarting Windows, the login screen will show the user icons that were previously dormant (if you chose the ‘allow to log in only by using USB key’ option). Now you can log in under your name just by entering a simple password.

Changing Windows password

With Rohos Logon Key 2.4 it is possible to change your password by pressing the keys Ctrl + Alt + Del and selecting the option “Change Password”. Once the password is set, it will be immediately synchronized with the USB Key.

If your computer is connected to a Windows Active Directory, then the Update Password policy will be followed as usual. Users will be prompted to change their password on the logon screen.

The ‘Other Credentials’ button on the change password screen allows you to change a password using the standard credentials provider. Please note that this password will not be saved to the USB key.

If the option ‘allow to log in only by using USB key’ is set, users will be unable to set a password using the standard credentials provider in Windows Vista. The ‘Other Credentials’ button will not be shown.

Accessing the Windows Seven Remote Desktop with a USB key

Rohos Logon Key makes it possible to access a Windows Seven Remote Desktop with the help of a USB key connected to your local computer.

NOTE: For this, the USB key must be correctly configured in the key management utility (the Domain field should contain the name of the terminal servers, or “\\Domain Name”).

Login Windows Remote Desktop in a secure way by USB key

 

Logon to a Windows Seven computer connected to a Windows Active Directory

Windows authentication by USB key can also be used on computers connected to Windows Active Directory (Windows domain). For this it is necessary to install the Rohos Management tools (freeware), and to correctly configure the USB key.

This screenshot shows the Rohos USB Key manager setting up a USB Key logon profile for AD login:

 

 

Rohos Management Tools

User Account Control (UAC) with USB Key

User Account Control (UAC) automatically limits the permissions of all the programs that the user is going to run. The user needs to confirm a privileged operation or program with their password.

The icon of Rohos Logon Key is already integrated in this dialog:

Rohos Logon Key. Key administration utility. Profile setup

User Account Control

The administrator’s password for the requested action will be taken from the USB key.

A USB key can be configured for two accounts:

  • Regular User – login as a regular user without administrative privileges.
  • Administrator – used in User Account Control when the administrative password is requested.

Elevating permissions now takes a single click on the OK button, without typing the administrative password each time.

This feature also works on the Remote Desktop.

Note: When the option “Allow to log in only by using USB Key” is used, the administrator’s icon will be absent from this dialog.

Troubleshooting

If the user connects through a domain, it is very important that the username and domain name are written correctly in the Logon profile, since this is often the mistake behind an authorization error.

If such an error occurs, the welcome screen will show the user name and domain name that caused the error. The parentheses contain the username, followed by the name of the computer or domain.

Furthermore, the Administrator can check any key in the USB Key Management utility, and can troubleshoot problems.