How to set up 2-factor authentication with One-Time-Passwords delivered by Email

Rohos Logon Key allows protecting Windows Terminal Server by using 2-factor authentication with One-Time-Passwords. Using Google Authenticator as an OTP generator requires delivering the OTP secret key to the end-user's mobile device and storing it there, in mobile email, SMS or the Google Authenticator application.

In order to improve security, you can set up your Server to generate the One-Time-Password and deliver it to the end-user by SMS or by Email, which is reliable and free. With this feature, there is no need to send an OTP secret key to the end-user or to set up Google Authenticator on the end-user's mobile device.

How to set up OTP delivery by Email

To set up Rohos Logon Key on Windows Terminal Server, read here >

Requirements:

  1. PowerShell v3 or higher with the ActiveDirectory module;
  2. Script execution is enabled by the execution policy;
    To enable it, run the “Set-ExecutionPolicy -ExecutionPolicy RemoteSigned” command in the PowerShell console.
  3. User accounts have a valid e-mail address in the account's General properties.
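
An added example, not part of the Rohos documentation or product: a PowerShell pre-flight check for the three requirements above, plus a check of who can read the delivery script, since it holds $SmtpPassword. The function name, the sample account names and the script path are assumptions.

```powershell
function Test-OtpEmailPrerequisite {
    param(
        [Parameter(Mandatory = $true)] [string[]] $SamAccountName,  # accounts to enrol (operator-supplied)
        [string] $DeliveryScriptPath                                # optional path to OtpDeliveryScript.ps1
    )
    function Result($Check, $Passed, $Detail) {
        New-Object psobject -Property @{ Check = $Check; Passed = [bool]$Passed; Detail = "$Detail" }
    }

    # Requirement 1: PowerShell v3 or higher with the ActiveDirectory module.
    Result 'PowerShell version 3 or higher' ($PSVersionTable.PSVersion.Major -ge 3) $PSVersionTable.PSVersion
    $adModule = Get-Module -ListAvailable -Name ActiveDirectory
    Result 'ActiveDirectory module installed' ($null -ne $adModule) ''

    # Requirement 2: the effective execution policy of this session lets a local script run.
    # AllSigned is reported as a failure because it only works if the script is signed.
    $policy = Get-ExecutionPolicy
    $allowed = 'RemoteSigned', 'Unrestricted', 'Bypass'
    Result 'Execution policy allows local scripts' ($allowed -contains "$policy") $policy

    # Requirement 3: each account has a parseable address in its E-mail field (AD attribute "mail").
    if ($adModule) {
        Import-Module ActiveDirectory
        foreach ($name in $SamAccountName) {
            $mail = $null
            try   { $mail = (Get-ADUser -Identity $name -Properties EmailAddress -ErrorAction Stop).EmailAddress }
            catch { Result "E-mail set for $name" $false $_.Exception.Message; continue }
            $valid = $false
            if ($mail) { try { $null = [System.Net.Mail.MailAddress]$mail; $valid = $true } catch { } }
            Result "E-mail set for $name" $valid $mail
        }
    }

    # The delivery script holds $SmtpPassword: flag read access granted to broad groups.
    if ($DeliveryScriptPath) {
        $broad = 'S-1-1-0', 'S-1-5-11', 'S-1-5-32-545'   # Everyone, Authenticated Users, BUILTIN\Users
        $sidType = [System.Security.Principal.SecurityIdentifier]
        $rules = (Get-Acl -LiteralPath $DeliveryScriptPath).GetAccessRules($true, $true, $sidType)
        $loose = @($rules | Where-Object {
            $_.AccessControlType -eq 'Allow' -and $broad -contains $_.IdentityReference.Value -and
            ([int]$_.FileSystemRights -band 1) -ne 0   # 1 = FileSystemRights.ReadData
        })
        Result 'Delivery script not readable by broad groups' ($loose.Count -eq 0) (($loose | ForEach-Object { $_.IdentityReference.Value }) -join ', ')
    }
}

# Constructed sample account names and a placeholder path; replace with your own.
Test-OtpEmailPrerequisite -SamAccountName 'jdoe', 'asmith' -DeliveryScriptPath 'C:\Path\To\OtpDeliveryScript.ps1' |
    Format-Table Check, Passed, Detail -AutoSize
```

Execution policy can differ per user and scope, so run the check as the account that will execute the delivery script.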

 

  1. Open options and ensure that OtpDeliveryScript.ps1 is set in the Delivery script option:

Click Edit to open OtpDeliveryScript.ps1 file and edit email options such as SMTP server, email and password credentials for the mailbox that will be used to send emails:

  • $NotifyByEmail = $true
  • $SmtpServer
  • $SmtpPort
  • $SmtpLogin
  • $SmtpPassword
  • $EmailFrom
  • $Subject
  • $EmailNotificationText

Save the script and click Test delivery. You can also edit and debug OtpDeliveryScript.ps1 in PowerShell ISE to customize the Subject and Email body, and then make sure the script runs correctly.

 

Setting up a user account with 2FA by OTP

  • Open Rohos Logon Key > Setup Authentication Key
  • Choose the user account
  • Choose “By Email or SMS” and enter “email” into the edit field.
    (During actual authentication, Rohos gets the user's e-mail from the account properties.)
  • Click Enable OTP login
    Done!

 

Don’t forget to set up the 2FA policy by setting one of the options under “Allows logging in by using the Key”.

Read more about using Rohos Logon Key on Windows Terminal Server here >