Registering multiple 2FA users with Google Authenticator configuration delivered by Email

Rohos Management Tools provides a secure way to setup multiple users or authentication devices. Now it is easy to setup a list users with Google Authenticator 2FA. It is also possible to automatically send an email message to each user that includes Google Authentication setup instructions. The most secure way is to use corporate email.

New ways to register multiple user or 2FA tokens: by using CSV file or PowerShell script.

 

New way to setup multiple Keys and Users:

• By using CSV file with the list of Users and 2FA keys serial numbers.
  This method works for the following type of authentication media: PKCS#11 tokens, USB flash drives, Yubikey, RFID tags. This method is designed only for ID only RFID cards like EMarine, HidProx, Indala, etc;
  CSV file format: Username,UID[,password][,PIN code]
  UID – RFID card unique ID (serial number) as it is shown in Rohos Key manager;
  password – user account Windows password (optionally) that will be associated with a 2FA key;
  PIN code – PIN code to be set for Card usage for login (optionally);
• By using the PowerShell script.
  The script allows to :
  – Configure a group of users with Google Authenticator 2FA configuration;
  – Deliver Google Authenticator configuration QR-code url link to the user by Email.
  – Use custom delivery method like SMS or Text File.
  – Resend or Delete 2FA Configuration for the allready registered users.

 

How to register multiple user accounts with Google Authenticator 2FA

Open Rohos Remote Config > Import > “Click here to register users with Google Auth”

This will open Power Shell ISE editor with setupGoogleAuthUsers.ps1 script.

How to edit and run setupGoogleAuthUsers.ps1 script :

1. Create AD group, add users that needs to be configured with Google Authenticator 2FA into that group.
2. Set the group name to $ImportGroupName variable
3. Setup Email delivery options:
   Set $NotifyByEmail = $true, and edit $EmailNotificationText variable with appropriate message.
   Please note: User account email field will be used to get email address for each user;
4. In #Email Settings set $SmtpLogon and $SmtpPassword variables of your email server;
   also set $SmtpServer, $SmtpPort if you are using office365 or other than gmail.
   Script will use email specified in user account.
5. Run script, ensure users have received Google Authenticator OTP configuration by Email with instructions;
6. If you have set “for user group in AD” option in Rohos Remote Config  you need to add these users also into this 2FA group.

Done.

Notes:

• Script writes output to console that includes successfully configured users and notification email address;
• Depending on the 2FA control type selected in Rohos (if set to “for user group in AD”) you need to add these users also into 2FA group name specified in Rohos Logon in order to apply 2FA control on Windows Terminal Server or workstations;
• In order to use gmail, office365 as email delivery service you need to setup your gmail settings: “Allow less secure apps”
  https://support.google.com/accounts/answer/6010255?hl=en
  https://docs.microsoft.com/en-us/exchange/mail-flow-best-practices/how-to-set-up-a-multifunction-device-or-application-to-send-email-using-office-3

Learn more about Rohos Management Tools>

How to use Rohos Logon Key 2FA in Windows Network>