Using Google Authenticator OTP for Windows login

System requirements: Windows 7, 8, 10, 2008, 2012, 2016

Access to your computer or user account is usually password-protected. But sometimes that is not enough, especially when your data requires a high level of confidentiality. You don’t want to give attackers the chance to get hold of your most secret data, do you? We have included Google Authenticator and YubiKey HOTP support in Rohos Logon Key. Now Windows login is performed in High-Safety mode by using Time-based One-Time Password (TOTP) and HOTP codes.

If you have an Android, iOS or BlackBerry phone, use the Google Authenticator program. Protect your computer with a strong OTP (One-Time Password). An OTP is a password generated by a special device or program; it is valid only once and only at the moment it has been generated. So there is no sense in spying on or capturing such a password. If you try to enter the same password one more time, or a bit later (i.e. beyond the predetermined time interval), it will be rejected. Each time you log on to your computer, you will be asked for an OTP from your phone.
Integrated into the Rohos Logon Key program, Google Authenticator will serve as a logon key to your PC. You will always have your secret password with you in your phone. You won’t have to enter your Windows password manually; the program will do it for you. Comfortable and reliable.

How to use Google Authenticator app to log in to your PC?

So, let us take an Android phone as an example and see how to set up Rohos Logon Key for Windows using an OTP from the Google Authenticator app.

1. Make sure you have the Google Authenticator app installed on your phone. (Goggles or Barcode Scanner may additionally be required for the QR code scan.)

2. Once the applications are installed on the phone, you can start setting up Rohos Logon Key for your computer.

  • Install the latest Rohos Logon Key v3.0 for Windows.
  • Open the Rohos Logon > Options dialog and select Google Authenticator (OATH) from the list of authentication devices, to serve as the security key. Then press OK.
  • Open the Setup a Key dialog box.
    Here you can display the QR code, copy it to the clipboard or generate an HOTP secret key to set up a YubiKey.
  • Choose “Google Authenticator” and click Display QR-code

Rohos Logon Key and Google Authenticator setup

  • Launch the Google Authenticator application on your phone and scan the barcode: hold your phone in front of the monitor so that the program can capture the barcode.
  • Optionally you may enter your current Windows password if you want to replace your Windows login and password with only the OTP code. This is less secure in some circumstances.
    If you leave the password field blank, you will need to use User Name + Password + OTP code for Windows login.
  • Click the Enable OTP login button.

Done! From this moment your mobile phone works like an access key for your Windows.

It means your mobile phone with Google OTP works like a digital key for Windows login and for desktop unlock as well.

Google Authenticator will provide a computer name for each PC and register the name of the Rohos Logon program. Thus, you can set up one phone and use it as a double protection key for any of your computers, be it your office computer, your personal notebook or any other PC you work with.

The smartphone screenshot shows that the Google Authenticator application has been set up for logging in to two computers. To avoid any confusion, the name of the computer is given above each secret key. To the right of the one-time password there is a 30-second timer showing the time left for entering the password. Once the time interval has expired, a new password will be generated.

3. Enforcing strong 2-factor authentication

You may still log in to Windows by using your Windows password as usual or by using the Rohos Logon Key icon (with a Google Authenticator OTP code).

If you wish to make your Windows authentication more secure, you should enable 2-factor authentication in Rohos.

Open the Rohos Logon Key > Options dialog and check Allow login only by USB key. This will enforce 2-factor authentication for all or selected users.

And now, in order to log in, you need to provide the OTP + your Windows password. No one else will be able to log in with just the password.

4. If you have selected the ‘Allow login only by USB Key’ option, please also set up the ‘Emergency Logon’ option so that you can access Windows in case your phone is not available.

We recommend that you use two-factor authentication in Windows. With two-step authentication, the Windows authentication box will ask you to enter both the OTP one-time key and the standard Windows password. Two-factor logon will provide you with double protection, keeping curious and unwanted people away from your data. It can also stop smart, tech-savvy children from touching your personal info.

Note: After setting up Google Authenticator authentication, do not forget your phone at home. If you don’t have your phone with you, you will be able to log in to your computer only through the Emergency Logon of Rohos Logon Key. The OTP key will be requested even if your computer is booted in safe mode. This prevents your computer from being hacked.

Using Google OTP without an Internet connection

We’ll need the Rohos Logon Key application installed on the target computer and Google Authenticator on a smartphone. It is desirable to have a USB cable to connect the smartphone to the computer.

  1. Execute the Setup Key command. Input your password and click Copy code. Paste this code into a text document. We’ll need only the text that goes after ‘?secret=’
  2. Click Enable OTP logon in the Rohos Logon Key application on the computer.
  3. Copy this text document onto the smartphone through the USB cable or another way.
  4. Launch Google Authenticator on the smartphone and click (+). Select the Enter provided Key command.
  5. In /Account name/ write the following: the user name + @ + computer name. For example, Igor@office-notebook. You can find the name of the computer in My computer->Properties. If your computer belongs to a domain, the profile will consist of the username and domain name.
    Into the field /Enter your key/ paste the code from the text document.
  6. Click Add.
    Done!

Now you can use Google Authenticator even without an Internet connection on the computer and smartphone.

How to use Yubikey HOTP configuration for Windows Login

You need any YubiKey 2.0 with a free configuration slot and the YubiKey Personalization Tool.

First you need to set up Rohos Logon Key:

Open Options and select Google Authenticator (OATH).

1. Open Rohos > Setup a Key

If Google Authenticator with YubiKey was previously installed on your computer, click Disable OTP login.

2. Choose “Yubikey HOTP” and click “Copy secret key for yubikey”. This copies a 20-byte hex string to the clipboard, to be used later in the YubiKey Personalization Tool.

3. Click Enable OTP login.

Now let’s set up the YubiKey with an HOTP configuration.

Setting up the YubiKey second slot with HOTP by using the YubiKey Personalization Tool

Insert the YubiKey into the PC and open the YubiKey Personalization Tool:

  1. Click on “OATH – HOTP” > Advanced button
  2. Select a free Configuration Slot. By default slot 2 is free.
  3. Ensure the HOTP length is set to 6.
  4. Uncheck the option OATH token Identifier.
  5. Click on the “Secret Key” field and paste (Ctrl+A and Ctrl+V) the secret key from the clipboard (Rohos copied it for you earlier).
    If 20 chars were not pasted, copy it again in the Rohos Logon Key > Setup USB Key dialog box.
  6. Click “Write Configuration”

Now the 2nd slot of your YubiKey is ready to be used for Windows login. Restart your PC and select Rohos Logon Key on the welcome screen. Put your cursor in the OTP field and long-touch your YubiKey.

Rohos Logon Key accepts both types of HOTP codes, with or without the OATH identifier:

cc0062465807101069 or
101069

The last 6 digits are verified.
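
How the codes above are computed and checked, as an added example (not Rohos code): it takes the text after ‘?secret=’ from the offline setup and the 20-byte hex key used for the YubiKey, and verifies a TOTP and an HOTP code per RFC 6238 / RFC 4226. The function names, the otpauth:// form of the copied code, the one-step drift window and the look-ahead of 10 are assumptions of this example; the secret is the public RFC 4226 test key.

```python
import base64, hashlib, hmac, struct
from urllib.parse import urlparse, parse_qs

def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def secret_from_code(copied: str) -> bytes:
    """Decode the Base32 text after '?secret=' (assumes an otpauth:// URI)."""
    b32 = parse_qs(urlparse(copied).query)["secret"][0].replace(" ", "").upper()
    return base64.b32decode(b32 + "=" * (-len(b32) % 8))

def verify_totp(key, code, now, last_step=-1, step=30, drift=1):
    """Return the matched 30-second step, or None.
    Steps <= last_step are refused, so a code that was already used is rejected."""
    current = int(now) // step
    for t in range(current - drift, current + drift + 1):
        if t > last_step and hmac.compare_digest(hotp(key, t), code):
            return t
    return None

def verify_hotp(key, typed, counter, look_ahead=10):
    """Return the next counter to store, or None. Only the last 6 characters are
    compared, so an OATH token identifier in front of the code is ignored."""
    for c in range(counter, counter + look_ahead):
        if hmac.compare_digest(hotp(key, c), typed[-6:]):
            return c + 1
    return None

# Constructed sample data: the RFC 4226 test secret, not a real Rohos key.
COPIED = "otpauth://totp/Igor@office-notebook?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
YUBIKEY_HEX = "3132333435363738393031323334353637383930"  # 20 bytes as hex

if __name__ == "__main__":
    key = secret_from_code(COPIED)
    step = verify_totp(key, "287082", now=59)  # code shown 59 s after the epoch
    print("TOTP accepted in step", step)
    print("same code again:", verify_totp(key, "287082", now=59, last_step=step))
    ykey = bytes.fromhex(YUBIKEY_HEX)
    print("next counter:", verify_hotp(ykey, "cc0062465807755224", counter=0))
    print("replayed:", verify_hotp(ykey, "755224", counter=1))
```

Anyone who holds the text after ‘?secret=’ can generate the same codes, so delete the text document from the computer and the phone once the key has been added.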

Sending OTP codes by SMS to your mobile phone

If you can’t use the Google Authenticator app on your mobile phone, Rohos can deliver the OTP code to your phone by SMS.

How to set up OTP code delivery by SMS:

1. Choose one of the SMS gateway services available over the web in your country (this is a paid service).

2. Set the SMS gateway delivery request HTTP URL in Rohos: Rohos > Options > Google Auth > Options…

3. Adjust the URL with the %phone% and %text% parameters.
Here is an example URL:
innosend.de/gateway/sms.php?id=USERNAME&pw=PASSWORD&text=%text%&empfaenger=%phone%&type=2

In this request URL, %phone% and %text% will be replaced by the user’s phone number and the OTP code text.

4. Click the “test” button to ensure it works.

To allow Rohos to recognize successful SMS delivery, please customize a value in the registry:
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Rohos\OtpModule
“SMS-Gate-Success-Value” = “OK” or “Success”

If Rohos finds this string in the HTTP reply, it will inform the user about successful delivery.
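
A way to check a gateway URL and a success value before entering them, as an added example (not Rohos code): it fills %phone% and %text% with percent-encoded values and applies the substring test described for SMS-Gate-Success-Value. The function names, the https:// scheme, the phone-number pattern and the sample replies are assumptions of this example; the page does not say whether Rohos encodes the substituted values.

```python
import re
from urllib.parse import quote, urlsplit

# URL from the page (USERNAME/PASSWORD are its placeholders). The https://
# scheme is an assumption added here; the page shows the URL without one.
TEMPLATE = ("https://innosend.de/gateway/sms.php?id=USERNAME&pw=PASSWORD"
            "&text=%text%&empfaenger=%phone%&type=2")

def build_sms_url(template: str, phone: str, text: str) -> str:
    """Fill %phone% and %text%, percent-encoding both values."""
    if urlsplit(template).scheme != "https":
        # The query string carries the gateway password and the OTP itself.
        raise ValueError("gateway URL must use https")
    if not re.fullmatch(r"\+?[0-9]{6,15}", phone):
        raise ValueError("unexpected phone number format")
    # Without encoding, '+' in the number would be read as a space by the gateway.
    return (template.replace("%phone%", quote(phone, safe=""))
                    .replace("%text%", quote(text, safe="")))

def delivery_ok(reply: str, success_value: str) -> bool:
    """Substring search of the HTTP reply, as described for SMS-Gate-Success-Value."""
    return success_value in reply

if __name__ == "__main__":
    # Constructed phone number and gateway replies.
    print(build_sms_url(TEMPLATE, "+4900000000000", "Rohos OTP: 101069"))
    print(delivery_ok("status=OK id=42", "OK"))                # True
    print(delivery_ok("ERROR: NOK, no credit", "OK"))          # True: "OK" is inside "NOK"
    print(delivery_ok("ERROR: NOK, no credit", "status=OK"))   # False
```

Pick a success value that cannot occur inside the gateway's error replies, otherwise a failed delivery is reported to the user as sent.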

Security benefits of using Google Authenticator for Windows Login

  • Two-factor authentication gives a higher security level for Windows authentication:
    Windows Password + Mobile phone is required for login.
  • No drivers or software are required for YubiKey or OTP by SMS.
  • No USB port is needed for Google Authenticator; it works without a connection to the computer.
  • You may use Google Authenticator, YubiKey or just a mobile phone at the same time!
  • Possibility for the network administrator to log in the regular way by using just a password.
  • Secure 2-factor login to Windows Remote Desktop with a flexible authentication policy: by user list, group membership or only RDC users.

Rohos Logon Key Download

This update is free for all registered Rohos Logon Key users. But starting in April, the v.3.0 update will be paid.

Emergency Logon

The program has an Emergency Logon feature that helps you log in to Windows in case you lost your USB key or forgot the PIN code. Click Options, Setup emergency logon:

Select questions and write the answers that will let you log in to Windows in case your USB key is stolen or broken.