We are glad to announce Rohos Logon Key 4.8 with automated control over ‘2FA bypass scenarios’. A new experimental feature sends an immediate push notification to your smartphone whenever the 2FA procedure is skipped during login, unlock, or reconnect to a console or remote session. Well-known system vulnerabilities that allow RDP session hijacking, the never-ending stream of 0-day exploits in the RDP protocol or the authentication system, unattended remote tools like TeamViewer, and 2FA credential theft through phishing or social engineering all lead to unpredictable threat models and risks.
Rohos Logon introduces an experimental approach to address these issues. Currently, the Rohos Logon Key app uses three simple rules to trigger push notifications when 2FA is bypassed. This lets you define a response and mitigation even for unknown vulnerabilities in the authentication procedure. The experimental approach works for standalone Terminal Servers, AD farms, cloud servers in AWS or Azure, workstations and personal laptops alike. In the future we plan to add more rules and response actions to mitigate authentication vulnerabilities of the Windows system, of Rohos, or of the human factor. Rohos Logon Key is the only 2FA application in the world that offers a self-control loopback from the 2FA login prompt to the session desktop. Read more about how it works.
What's new in Rohos Logon Key 4.8:
- Experimental ‘2FA bypass’ control
- Minor improvements
2FA bypass control – how it works
When the option is enabled, Rohos Logon uses three rules to detect a bypass of the 2FA procedure during any session login, unlock or reconnect, in console or remote desktop:
- Any user login performed through the Rohos Logon Key control (i.e. the Rohos login form) without 2FA credentials.
- A user account that has a configured 2FA method/device, but whose login through the Rohos Logon Key control is performed without 2FA credentials.
- Any user account whose session is unlocked or reconnected without the Rohos Logon Key control (session hijacking, or Rohos deactivated for some reason).
The rules are constantly verified by an additional independent module that inspects all desktop sessions. When a rule matches, the Rohos app calls the push URL API and you receive an immediate push notification on your smartphone with the time, server name, IP and user account name.
How to set up 2FA bypass notification
1. Install, or update over your existing Rohos Logon (the minor update is free). After you set up your 2FA method/devices, check the option “Control 2FA bypass…”.
2. Click More… and enter your Push token URL; currently Rohos Logon supports the Pushover push service.
This requires you to register with the Pushover service and install the Pushover app on your Android/iOS smartphone. Then copy your push service URL from the Pushover dashboard and paste it into the Rohos field.
The URL should look like the following example:
where the “user” value is taken from the Pushover dashboard, “device” is the name of the smartphone on which the Pushover app is installed for your account, and “token” identifies the Rohos Logon Key app (you may also create your own app in the dashboard and substitute its token). The service is free for up to 10000 notifications per month.
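To make the three rules and the resulting notification concrete, here is an added toy detector; it is example code written for this post, not Rohos's own inspection module, whose internals are not published. The event schema (`SessionEvent` fields), the set of accounts assumed to have 2FA configured, the sample events, the message text and the placeholder token/user values are all constructed assumptions; `PUSHOVER_MESSAGES_URL` is Pushover's public message endpoint as given in Pushover's own API documentation, not a value taken from this page.

```python
"""Toy detector for the three '2FA bypass' rules and the push they trigger.

Added example, not Rohos code: the event schema, USERS_WITH_2FA, the sample
events and the message layout are constructed assumptions.
PUSHOVER_MESSAGES_URL is Pushover's public endpoint (from its API docs).
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, Iterable, List, Set
from urllib.parse import urlencode
import urllib.request

PUSHOVER_MESSAGES_URL = "https://api.pushover.net/1/messages.json"

# Hypothetical: accounts that have a 2FA method/device configured.
USERS_WITH_2FA: Set[str] = {"alice", "svc_admin"}


@dataclass(frozen=True)
class SessionEvent:
    """One desktop-session event as an inspecting module might see it (assumed schema)."""
    time: datetime
    server: str
    ip: str
    user: str
    kind: str          # "login", "unlock" or "reconnect"
    via_rohos: bool    # True if the Rohos Logon Key control handled the event
    used_2fa: bool     # True if 2FA credentials were presented


def match_rules(ev: SessionEvent,
                users_with_2fa: Set[str] = USERS_WITH_2FA,
                enabled: Iterable[int] = (1, 2, 3)) -> List[int]:
    """Return the numbers of the bypass rules (1-3, as listed above) that match."""
    active = set(enabled)
    hits: List[int] = []
    # Rule 1: any login through the Rohos control without 2FA credentials.
    if 1 in active and ev.kind == "login" and ev.via_rohos and not ev.used_2fa:
        hits.append(1)
    # Rule 2: the account has 2FA configured, yet the login used no 2FA credentials.
    if 2 in active and ev.kind == "login" and ev.user in users_with_2fa and not ev.used_2fa:
        hits.append(2)
    # Rule 3: an unlock/reconnect that did not pass through the Rohos control.
    if 3 in active and ev.kind in ("unlock", "reconnect") and not ev.via_rohos:
        hits.append(3)
    return hits


def build_push_payload(ev: SessionEvent, hits: List[int],
                       token: str, user_key: str, device: str) -> Dict[str, str]:
    """Form fields for one Pushover message carrying time, server, IP and user."""
    rules = ", ".join(str(r) for r in hits)
    message = (f"2FA bypass detected (rule {rules})\n"
               f"Time: {ev.time.isoformat()}\nServer: {ev.server}\n"
               f"IP: {ev.ip}\nUser: {ev.user}\nEvent: {ev.kind}")
    return {"token": token, "user": user_key, "device": device,
            "title": f"Rohos 2FA bypass on {ev.server}", "message": message}


def send_push(payload: Dict[str, str], url: str = PUSHOVER_MESSAGES_URL) -> int:
    """POST the form-encoded payload to Pushover (network call; not used offline)."""
    req = urllib.request.Request(url, data=urlencode(payload).encode("utf-8"))
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.status


def scan(events: Iterable[SessionEvent], token: str, user_key: str, device: str,
         users_with_2fa: Set[str] = USERS_WITH_2FA,
         enabled: Iterable[int] = (1, 2, 3)) -> List[Dict[str, str]]:
    """Evaluate every event and return one push payload per event with a rule match."""
    payloads: List[Dict[str, str]] = []
    for ev in events:
        hits = match_rules(ev, users_with_2fa, enabled)
        if hits:
            payloads.append(build_push_payload(ev, hits, token, user_key, device))
    return payloads


# Constructed sample events: a normal 2FA login, a password-only login by an
# account without 2FA, an emergency (no-2FA) login by a 2FA user, and a
# reconnect that bypassed the Rohos control entirely.
T0 = datetime(2023, 1, 1, 9, 0, tzinfo=timezone.utc)
SAMPLE_EVENTS = [
    SessionEvent(T0, "TS01", "10.0.0.5", "alice", "login", True, True),
    SessionEvent(T0, "TS01", "10.0.0.6", "bob", "login", True, False),
    SessionEvent(T0, "TS01", "10.0.0.7", "alice", "login", True, False),
    SessionEvent(T0, "TS01", "10.0.0.8", "alice", "reconnect", False, False),
]

if __name__ == "__main__":
    for p in scan(SAMPLE_EVENTS, "APP_TOKEN_PLACEHOLDER", "USER_KEY_PLACEHOLDER", "my-phone"):
        print(p["title"])
        print(p["message"], end="\n\n")
```

Rule #1 fires on every password-only login, and the page's test procedure for it requires a registry change, which suggests it is not active by default; the `enabled` argument models that choice, so a production run would typically evaluate rules 2 and 3 only. Rules 1 and 2 both match an emergency login by a 2FA user, so a single event can carry several rule numbers in one notification.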
To test rule #2, log in to a user account protected with a 2FA device by using Emergency Logon.
To test rule #1, change the “USB_Key_bypass_control” value to “7” (under HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Rohos) and then log in to ANY user account using the Windows password only.
To test rule #3, log in to a user account protected with a 2FA device, wait 5 minutes, and then connect to the session using TeamViewer, AnyDesk or a similar app.
About Rohos Logon Key
Rohos Logon Key adds strong two-factor authentication control to Windows login. Rohos lets you implement a multi-factor authentication solution in which you can combine different authentication factors: password, PIN code, smartphone, or strong authentication devices such as U2F keys, YubiKey, Google Authenticator one-time password codes, SafeNet iKey tokens or RFID cards. With Rohos you can protect standalone computers, Active Directory workstations, or Terminal Servers accessed over RDP or other remote assistance solutions like TeamViewer or AnyDesk.