Advice on setting up the admin account for OTP 2FA in conjunction with Rohos and remote access

We would like to share some advice regarding two-factor authentication and its use with an admin account when logging into Windows RDP. If it is not enabled currently we would strongly advise setting up the admin account for additional OTP authentication in conjunction with Remote Desktop access and Rohos Logon Key. Let’s review the pros and possible side effects.

Of course, using 2FA for the admin account is highly recommended over keeping it 1FA only. As a reminder, the default RDP login based on NLA credentials (user login and password stored in plain form in the .rdp connection file) is quite vulnerable on the client side, since these credentials may be stolen and used by malware operators in an automated way, so the attack can take just 5-10 minutes. Today, the absence of additional authentication factors (2FA/MFA) is considered negligent. Moreover, due to recent developments in exploits and malware for the Windows operating system, desktop sessions created by regular user accounts may also be elevated to admin privileges in a domain or Active Directory (AD) with a high success rate, depending on your defenses (anti-virus type, EDR solutions, etc.). The variety of exploits for horizontal/lateral movement in AD is also huge. And, of course, admin accounts are always a special target for cyber-criminals and are traded as a high-price asset on the darknet.

To summarise, you need to start your 2FA efforts somewhere, and admin accounts are the right starting point, showing that you have a cyber-security strategy. This is especially true with Rohos, since it is very easy to start with and has a fixed one-time price.

Regarding any side effects of Rohos Logon 2FA: first, there is an “emergency logon” feature that helps to prevent accidental lock-out in case you lose your 2FA method (which may happen due to a change of login habits). Rohos also has “2FA rules” that allow you to roll out 2FA in stages or by user group. Second, Rohos allows the introduction of new authentication methods in parallel or by user group, depending on competence, budget, or platform requirements. We know that increasing security efforts requires time and adaptation by personnel and technical resources. Combining these options with security awareness training for different user groups within the organization is a good way to grow cyber-security efforts in step with the maturity of the IT department. And the fixed, lifetime pricing model of Rohos allows you to focus on cyber-defense rather than on budget logistics.

Recently we added a new experimental feature that gives control over 2FA bypass or RDP session hijacking. It enriches your cyber-security tactics by implementing certain “incident response” activities for access control. If Rohos detects that a session was opened without a 2FA method being used, an immediate push notification is delivered to the smartphone of the responsible person and the session is locked. In addition, the Rohos access log file (access_log.txt) may be used as an additional event source in your SIEM system for this kind of event.

About Rohos Logon Key

Rohos Logon Key adds strong two-factor authentication control for Windows Remote Desktop access. Rohos allows you to implement and adopt multi-factor authentication in your business processes with minimal side effects. You may combine different authentication methods: password, PIN code, smartphone, or strong authentication devices like a FIDO U2F key, YubiKey, Google Authenticator one-time password codes, SafeNet iKey tokens or RFID cards, assigned per user group depending on requirements or technical skills. With Rohos you can protect standalone computers, Active Directory workstations or Terminal Servers that work over RDP or other remote assistance solutions like TeamViewer or AnyDesk.

Download and try latest Rohos Logon Key v.4.8 (15-day trial) >>

Get your copy of Rohos Logon Key> (Server license is required to protect RDP access on Windows Server)

View complete list of supported methods for Windows logon> 

P2P encryption ownership in secure online storage products (, OneDrive)

Briefly: secure storage services such as, OneDrive Vault, offer P2P encrypted cloud storage, where data is encrypted and decrypted in your web browser or on your computer. This provides the highest privacy level, since data is delivered to the cloud storage in encrypted form. Does this really mean the information cannot be accessed by the vendor? Here we show how the vendor completely owns the encryption protocol and data flows, even in your web browser. We also demonstrate why total ownership gives vendors tools for user targeting that may be used to de-private your data. An example with Rohos Disk cloud folder encryption demonstrates the difference.


2FA Push tokens in Rohos Logon Key mobile

We are glad to announce new MFA Push Token support for the “Smartphone” authentication method, available in Rohos Logon Key v.4.2. The Rohos Logon Mobile app delivers two-factor push notifications to a workstation or remote desktop server for fast and secure access. A single smartphone can keep multiple authentication records to access multiple computers.

Rohos 2FA Push token advantages:

  • Out-of-band multi-factor authentication. The 2FA Push token is delivered via the Web Socket method, which uses an alternative Internet connection from the mobile device.
  • Your account on Google, Amazon, or Azure cloud can be used to host the Messaging Broker, or you can use a variety of ready-to-go MQTT SaaS solutions like:,
  • The 2FA Push token uses strong AES256 encryption and OATH technology, so it is resilient against man-in-the-middle and replay attacks even on non-SSL/TLS channels.
  • Rohos 2FA Push token implementation is open-source.


How to protect Amazon WorkSpaces Windows with MFA in Rohos Logon Key v.3.9

The new Rohos Logon Key provides an effective and platform-independent means of multi-factor authentication for your Amazon WorkSpaces desktops. You can protect access to AWS Windows desktops with Google Authenticator OTP codes or YubiKey OTP codes. This greatly increases security, brings compliance with HIPAA and PCI-DSS, or works as a password replacement technology.


How to block Skype and encrypt Skype profile folder

Today Skype offers cool features like chatting, file sharing, video calls, and even calls to landlines.  However, your instant message history, contacts list, phone numbers, etc, are stored in plain form. Anyone who is using your PC could read this information with a special tool. Also, children are exposed to on-line dangers such as bullying, viruses, and obscene material.

Here is the solution on how to lock your Skype application from kids and encrypt your Skype profile folder with your IM history and other private data. This solution is also applied for such applications as Google Chrome, Mozilla Firefox, and Opera.

So why do you need to lock Skype Application?

Your Skype profile contains a lot of confidential data like the contact list, IM-history, calls history, etc. This data is not encrypted by default. It means anyone who uses your PC can use this information easily.  If you have one computer to use for all 5 members of your family or live with a roommate then you’d probably like to have a higher level of privacy for your Skype chat logs, received files, and many others.

Here is the list of private data stored in the Skype profile in plain form:


Your kids are one of those from whom you’d want to “hide” Skype.

Why must you lock Skype from kids?

With over 200 million Skype users worldwide, it remains a cheap, cost-effective alternative to expensive international calls.  Statistics show a considerable percentage of Skype users are 14 years of age and older.

Kids are mainly using Skype to:

  • Stay in touch with family and close friends
  • Catch up with friends outside their local calling zones
  • Connect with other students or classrooms across the country or globe through video conferencing
  • Connect to a virtual classroom or webinar for distant learning

The dangers of using Skype by Kids

Like any online community, some Skype users engage in inappropriate behaviors. Young people may be exposed to material that may be sexual, hateful, violent, or illegal. Viruses and malware: File sharing in peer-to-peer networks like Skype is a popular channel for the spread of malware (e.g., worms, viruses, Trojans).  Malicious software may be embedded in file attachments sent through email or chats to damage a computer or collect personal data like credit card information and passwords.

Your kid might not even be aware of these dangers. So it’s your responsibility to protect your kid. But doing something is far better than nothing, and you have to start somewhere.

Some may say: “Well, do not let your kid use Skype.” Easier said than done. Nowadays kids are very tech-savvy, so it would be a piece of cake for your kid to download the application and create an account. But what if you block access to the application completely?

Rohos Mini Drive, a free encryption utility now gives its users an opportunity to block Skype and encrypt its contents, so no one can open it and use it.

There are also those who want to keep their Skype data confidential so that roommates or employers do not have access to it. This is understandable when it comes to a roommate, but not legitimate when we talk about using Skype on an office computer and depriving your boss of the right to look through chat logs for security purposes. On the other hand, when the CEO of a company is holding a video conference or sending files, Skype’s history and chat logs are highly vulnerable. Thus, password protecting and encrypting Skype is especially useful in corporate and business communications.

The chat log, call log and almost all data that Skype puts on your hard disk are not encrypted. Rohos Mini Drive gives you one of the best solutions to password protect and encrypt Skype using its feature “Hide folder“.

How to encrypt the Skype profile folder


Prerequisites:

  • Rohos Mini Drive (freeware) or Rohos Disk Encryption (shareware) is installed.
  • A virtual encrypted disk has been created.
  • At least 100 MB of free space is available on the virtual encrypted disk.
  • The Skype application is closed.

Step by step:

  1. Open the Rohos Disk Encryption application.
  2. Connect the encrypted Rohos disk.
  3. Once the Rohos disk is connected, click the Encrypt Application link.
  4. In the Encrypt Application dialog, select Skype; Rohos will automatically display your Skype profile path.
  5. Click the Encrypt Application button.
    From now on, the Skype profile folder is physically moved onto the encrypted Rohos disk and replaced with a shortcut. This allows the Skype application to work as before.

Please note that each Windows user account has its own Skype profile folder. If you wish to lock the Skype application from kids, you need to “Hide Skype Profile” under each Windows user account dedicated to kids’ logins.

How to lock/unlock your Skype profile

Now you can start Skype and make sure everything works well:

  • When the Rohos encrypted disk is not connected, the Sign-in window pops up blank (when the disk is on, the same window appears with the Skype name that was used last).
  • You can start Skype, but your profile will not be accessible until you type in the correct password for the encrypted Rohos drive.

With Rohos Mini Drive, your recently in-transit and all stored data are encrypted and password protected. So now you may have some nice little privacy at your computer and not worry about SECRECY.

To unlock access to Skype just connect your Rohos encrypted partition and work as usual.

Skype autorun issue

Most users set Skype to auto-start when Windows starts. You need to change this setting in order to comply with the new security rule:

  • Disable Skype autostart and start Skype only after you have connected the virtual encrypted disk.
  • Or set up a USB Key for Rohos Disk that connects the Rohos disk as soon as you plug in the USB Key. If you plug in the USB Key during your Windows login, the Rohos disk will be ON as you log in, and Skype will autostart successfully.

If Skype started while the Rohos virtual disk was OFF, you need to:

  1. Close Skype by using the Skype menu near the system clock.
  2. Connect the Rohos disk by using the Rohos menu near the system clock or a Rohos disk shortcut on the desktop.
  3. Open Skype again.

Security benefits for your Skype:

  • Your chat logs and instant message history are encrypted.
  • Skype contacts list is encrypted
  • Files that you have received via Skype are encrypted also.
  • Nobody can access your Skype database files with any 3rd party tool.
  • Your Kid will not be able to start the Skype application under your user account.

Rohos Disk Encryption offers security solutions to:

  • Keep all of your private files (movies, music, credit card info) on a Rohos encrypted drive;
  • Protect with a password any application folder within the C:\Program Files\ folder;
  • Keep Opera, Firefox, and Chrome browsers locked and encrypted when you are away from your PC;
  • Have a single USB key (USB flash drive) to access your secure virtual drive, so you don’t need to remember the password of the Rohos disk.

Beware that private data is always meat for outside hunters, so try to keep it as inaccessible as possible. If you wish to improve your Skype profile security, Rohos Mini Drive comes in handy in this situation.

Download and install Rohos Mini Drive (freeware) or Rohos Disk Encryption (30-day trial shareware)

(Soon) Introducing file encryption in new Rohos Disk

We are working to add a file encryption feature to the Rohos Mini Drive and Rohos Disk Encryption products. This will allow you to encrypt separate folders and files stored on a computer. It is designed specially for those who are really concerned about the security of confidential information stored in Google Drive or Dropbox. Since both the file data and the file name are stored on the computer in encrypted form, an application like Google Drive will upload already encrypted content into cloud storage.



Two-factor authentication by OTP for TSPlus remote desktop access

We have tried out the Terminal Services Plus (TSPlus) solution for Remote Desktop access on Windows 7/8/10 with Rohos Logon Key installed. Both TSPlus web-based access and the MS Remote Desktop Connection application use the target Windows authentication system. This is the point where Rohos Logon Key applies 2-factor authentication control. The following screenshot demonstrates the 2FA requirement upon successful password-based remote access with TSPlus web:

Learn more about Rohos Logon Key benefits with TSPlus remote desktop solution.


Two-factor authentication in TeamViewer through Google Authenticator

TeamViewer, one of the most popular remote access programs, does not offer a built-in system for two-factor authentication. When TeamViewer is launched, it generates a short password and receives from the server a short number for full access to the current computer. How dangerous is this? Is there a possibility that someone could connect to a corporate computer again when no one is present?

Rohos Logon Key offers a way to protect TeamViewer sessions using an additional one-time password, thereby implementing two-factor authentication with a TeamViewer password as well as a one-time Google Authenticator password.

Advantages of protecting your system with two-factor authentication:

  • Uses a one-time password that can only be used once;
  • An unused one-time password will expire and become invalid after 5 minutes;
  • No need to provide the remote party your Windows user account password;
  • When a new TeamViewer session is started, Rohos Logon Key automatically locks the desktop to ask for two-factor authentication (experimental feature of the beta version);
  • Two-factor authentication can be used only for TeamViewer sessions (experimental)
    Read more
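
The first two properties in the list above (a code works only once, and an unused code expires after 5 minutes) can be shown with a small OATH TOTP verifier. This is an added example, not Rohos code: it assumes the RFC 6238 defaults that Google Authenticator uses (HMAC-SHA1, 30-second steps, 6 digits), and the `OtpVerifier` class and its fields are hypothetical names.

```python
import hashlib
import hmac
import struct

STEP = 30        # seconds per time step (RFC 6238 default, assumed)
DIGITS = 6       # code length used by Google Authenticator
VALIDITY = 300   # the 5-minute lifetime stated in the list above


def totp(secret: bytes, counter: int) -> str:
    """RFC 4226 HOTP value for one counter; TOTP uses counter = time // STEP."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation offset
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** DIGITS).zfill(DIGITS)


class OtpVerifier:
    """Hypothetical server-side check: single use plus a 5-minute window."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.last_used = -1  # highest time step already accepted

    def verify(self, code: str, now: int) -> bool:
        current = now // STEP
        oldest = current - VALIDITY // STEP  # steps older than this have expired
        # Steps at or below last_used are never candidates again, so a
        # captured code cannot be replayed inside its own validity window.
        for counter in range(max(oldest, self.last_used + 1), current + 1):
            if hmac.compare_digest(totp(self.secret, counter), code):
                self.last_used = counter
                return True
        return False


if __name__ == "__main__":
    secret = b"12345678901234567890"      # RFC 6238 test secret, not a real key
    verifier = OtpVerifier(secret)
    code = totp(secret, 59 // STEP)
    print(code, verifier.verify(code, 59))      # first use is accepted
    print(code, verifier.verify(code, 59))      # replay is rejected
    print(code, OtpVerifier(secret).verify(code, 390))  # expired
```

In a real deployment `last_used` has to be stored per user and survive restarts, otherwise the single-use guarantee is lost.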

Registering multiple 2FA users with Google Authenticator configuration delivered by Email

Rohos Management Tools provides a secure way to set up multiple users or authentication devices. Now it is easy to set up a list of users with Google Authenticator 2FA. It is also possible to automatically send an email message to each user that includes Google Authenticator setup instructions. The most secure way is to use corporate email.

New ways to register multiple users or 2FA tokens: by using a CSV file or a PowerShell script.



How to set up 2-factor authentication with One-Time-Passwords delivered by Email

Rohos Logon Key allows you to protect a Windows Terminal Server by using 2-factor authentication with One-Time-Passwords. Using Google Authenticator as the OTP generator requires delivering the OTP secret key to the end user's mobile device and storing it there, in mobile email, SMS or the Google Authenticator application.

In order to improve security, you can set up your Windows Server to generate and deliver the One-Time-Password to the end user by SMS message or by email, which is also reliable and free. With this feature there is no need to send the OTP secret key or set up Google Authenticator on the end user's mobile device.