Rohos Logon Key provides secure 2-factor authentication for Windows Remote Desktop by using a mobile phone or One-Time-Password tokens.

2-factor authentication options:

  • A smartphone with the Google Authenticator application;
  • A One-Time-Password delivered to any mobile phone by SMS or email;
  • Integration with a 3rd-party OTP code delivery service or devices such as GSM modems;
  • A hardware OTP generator such as Yubikey/SecureID/SafeNet/Feitian;
  • Each user account can be configured with any type of 2-factor authentication means;

The benefits of 2-factor authentication for Remote Desktop:

  • The user must provide a new OTP code for each login;
  • Each generated OTP code is unique and cannot be reused by the user;
  • Remote Desktop access can be restricted by user list or user group;
  • You don't need to install Rohos on the client PC/device you log in from;
  • 2-factor authentication is applied by list of users / Active Directory group membership / IP address filter;
  • The 2FA audit log can be reviewed and included in any existing SIEM;

Rohos Logon Key allows secure access to Windows Remote Desktop by using the popular and secure One-Time-Password authentication technology, replacing weak password-based login.

How it works

Rohos Logon Key integrates with or replaces the Windows Terminal Services authentication provider. It adds a two-factor authentication layer to the existing authentication infrastructure. After deployment, users can log into a remote session only with 2-factor authentication: an OTP code plus their regular login credentials.

Rohos Logon Key message requiring 2-factor authentication:

User entering the OTP code to continue login into Remote Desktop:

Read on to find out how to configure it.

Installing Rohos Logon Key on Terminal Server

1. Install Rohos Logon Key on the Windows 2008/2012 Terminal Server:

Download the 15-day trial of Rohos Logon Key.

2. Enable 2-factor authentication using One-Time-Passwords. Open Options and select “Google Authenticator (OATH)” as the active 2FA authentication means:


3. Choose a 2-factor authentication policy:

  • For listed users
    Only configured users will be required to use 2-factor authentication for login. All other users can log in with a password as usual. The user list is created automatically by the “Setup a Key” dialog box. To review the list, open the “Users and Keys” dialog box.
  • For 2FA user group in Active Directory
    Each user in a specially designated AD user group (default name ‘Rohos’) will be forced to pass 2-factor authentication during Remote Desktop login.
    Please note: the ‘Rohos’ user group must be created by an Active Directory administrator;
  • For Remote Desktop login
    All Remote Desktop sessions will be required to pass 2-factor authentication;
  • For Remote desktop users
    Only users who connect through dial-up, DSL or other outside networks will be required to pass 2-factor authentication.
  • For Remote desktop users from 2FA AD group
    Only users who connect from outside networks and belong to the 2FA group will be required to pass 2-factor authentication.

You need Windows 2008 R2 / 2012 / 2016 Server as your Terminal Server computer to try it.

4. Set up Emergency Login
To prevent a Terminal Server login lockout caused by the 2-factor authentication policy, we recommend setting up the Emergency Login option. This allows the Administrator to log into the Terminal Server console/remote desktop using: user name, Q&A entry and password. Emergency Login does not require 2-factor authentication. Emergency Login is not needed if you have access to the Server Console.


How to setup a user account for 2-factor authentication

2-factor authentication is applied individually to each user account. Automated setup is possible only when using the “OTP delivery by SMS” option.

To set up 2-factor authentication for a user account, open Rohos Logon Key > Setup a Key:


  1. Select the user account;
  2. Choose the type of One-Time-Password generator the user will use;
  3. Leave the password field blank;
  4. Click “Enable OTP login” to apply the configuration.

Click “Display QR-Code” and “Copy code” to configure Google Authenticator, or send the Google Authenticator configuration to the user by email.
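The example below is added here to show what the “Google Authenticator (OATH)” option relies on, both for “How it works” and for the QR-code enrolment step above; it is not Rohos code. It generates a base32 seed of the kind a QR code carries, computes RFC 6238 TOTP codes, and verifies a code server-side with a one-step clock-drift window while refusing any time step already consumed, which is what makes a captured code unusable a second time. The seed constant is the published RFC 6238 test vector; the function and class names are assumptions.

```python
import base64
import hashlib
import hmac
import secrets
import struct
from urllib.parse import quote

# RFC 6238 test seed ("12345678901234567890" in base32); used only for the checks below.
RFC6238_TEST_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"

def new_secret() -> str:
    """Generate a random 160-bit seed, base32-encoded as Google Authenticator expects."""
    return base64.b32encode(secrets.token_bytes(20)).decode().rstrip("=")

def otpauth_uri(secret: str, account: str, issuer: str = "Rohos Logon Key") -> str:
    """Provisioning URI of the kind a 'Display QR-Code' dialog encodes (otpauth key URI format)."""
    label = quote(f"{issuer}:{account}")
    return f"otpauth://totp/{label}?secret={secret}&issuer={quote(issuer)}&digits=6&period=30"

def totp(secret: str, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HMAC-SHA1 over the 30-second counter, dynamic truncation, then modulo 10^digits."""
    key = base64.b32decode(secret + "=" * (-len(secret) % 8), casefold=True)
    counter = struct.pack(">Q", unix_time // step)
    digest = hmac.new(key, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

class TotpVerifier:
    """Server-side check: accept current step +/- `window` steps, never a step already used."""

    def __init__(self, secret: str, window: int = 1, step: int = 30, digits: int = 6):
        self.secret, self.window, self.step, self.digits = secret, window, step, digits
        self.last_step = -1  # highest counter value consumed by a successful login

    def verify(self, code: str, unix_time: int) -> bool:
        if not (code.isdigit() and len(code) == self.digits):
            return False
        current = unix_time // self.step
        for delta in range(-self.window, self.window + 1):
            candidate = current + delta
            if candidate <= self.last_step:
                continue  # already used (or older): reject as a replay
            expected = totp(self.secret, candidate * self.step, self.step, self.digits)
            if hmac.compare_digest(expected, code):
                self.last_step = candidate
                return True
        return False
```

A real deployment stores `last_step` per user in persistent storage so the replay check survives a service restart.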

When using the “OTP by Email/SMS” option:
– Enter the mobile phone number, or ensure the mobile phone field in the AD user account properties is filled in;
– Or enter the user's email address;
– Ensure the OTP delivery method is properly set up in Rohos Logon > Options > Google Authenticator options.



How to register multiple users with Google Authenticator

Rohos Management Tools provides a secure, transparent and customizable way to set up multiple users with Google Authenticator 2FA and deliver the 2FA configuration by email or SMS.

Rohos Management Tools allows you to:
– Configure a group of users with Google Authenticator 2FA;
– Deliver the Google Authenticator configuration to the user by email;
– Set up a custom delivery method such as SMS / text file / web server publishing;
– Resend or delete the 2FA configuration for already registered 2FA users.




Enabling automated 2-factor authentication by SMS / Email

Rohos Logon Key allows automated 2-factor authentication for Remote Desktop users. Rohos automatically sends a One-Time-Password code by SMS to the user account's telephone number, or by email, during login into Remote Desktop.

Your Terminal Server must meet the following requirements:

  • The telephone/mobile number field of the user account contains the user's mobile number, or the email field is filled in;
  • Rohos Logon Key is configured with SMS-gateway support or email credentials;

Setting up an SMS gateway or another OTP delivery method

Requirements:

  1. PowerShell v3 or higher (Windows 2012 R2 and higher has it by default);
  2. Script execution policy is enabled;
    To enable it, run the "Set-ExecutionPolicy -ExecutionPolicy RemoteSigned" command in PowerShell. You need to run both PowerShell and PowerShell (x86) as Administrator and execute this command. See the screenshot.

Open Rohos Logon Key > Options > Google Authenticator options.

  1. Click Edit to open the OtpDeliveryScript.ps1 file and edit the email options such as the SMTP server, email address and password credentials for the mailbox that will be used to send emails:

  2. To set up SMS delivery, find the string:

$SmsGatewayUrl = "$($AdUserName.telephoneNumber)&text=$($SmsNotificationText)"

and customize the URL so that it is your SMS provider's HTTP API URL.
Both $($AdUserName.telephoneNumber) and $($SmsNotificationText) are script variables and should not be changed;


You may select a user on the left, or enter an email/phone number, and click the “test delivery” button to send an OTP code using the configured delivery method.


Remote Desktop login with SMS authentication enabled:




How to disable or reset 2-factor authentication

There are several ways to disable or reset 2-factor authentication for the entire server or for a selected user account.

To disable 2-factor authentication policy:

  • Uninstalling Rohos Logon Key restores the default password-based or pass-through authentication.
  • Setting the “Allows to login by USB key” option to “none” temporarily disables the 2-factor authentication requirement for all users.

To reset/change or disable 2-factor authentication for a user account:

  1. Removing the user account from the Rohos AD group disables the 2-factor authentication requirement for that user (only with the “require 2-FA for Rohos group” policy).
  2. Open Rohos > Setup a Key dialog box > choose the user account > click “Disable OTP login”. This resets the 2-FA configuration for the user; the OTP generator the user had (Google Authenticator, Yubikey) becomes invalid.
  3. Open Rohos > Users and Keys dialog box > find the user and delete it from the list. This disables the 2-factor authentication requirement for that user (only with the “require 2-FA for the List of users” policy).



Enabling 2-FA by using client IP filter

An experimental Rohos Logon Key feature allows filtering Remote Desktop connections by client IP address and requiring 2-FA by IP mask.

How to try 2-FA for Remote Desktop using the IP filter:

  1. In a Remote Desktop session, open Rohos Logon Key > Options.
  2. Set the option “Allow to login only by USB Key” to “For Remote Desktop users outside LAN”.
  3. Click [?] to check whether Rohos was able to identify your client's WAN IP address.
  4. Specify “LAN IP Filter:”; this should be a prefix of your local LAN. Using this prefix, Rohos can differentiate between LAN and WAN connections and require 2-factor authentication for clients with a WAN IP.



Licensing Rohos Logon Key

  • A Rohos Logon Key Server license is required for each Terminal Server host running Rohos Logon Key; it protects an unlimited number of users and allows unlimited authentication keys;
  • A Rohos Logon Key Small Server license protects up to 15 users;

Please note: authentication by SMS requires a 3rd-party SMS gateway service that is not included in Rohos Logon Key.
