How to set up 2-factor authentication with One-Time Passwords delivered by email
Rohos Logon Key lets you protect Windows Terminal Server with 2-factor authentication based on One-Time Passwords (OTP). Using Google Authenticator as the OTP generator requires delivering the OTP secret key to the end user's mobile device and storing it there, in mobile email, SMS or the Google Authenticator application.
To improve security, you can set up your server to generate One-Time Passwords and deliver them to the end user by SMS or by email, which is reliable and free. With this feature there is no need to send the OTP secret key or set up Google Authenticator on the end user's mobile device.
How to set up OTP delivery by email
To set up Rohos Logon Key on Windows Terminal Server, read here>
- PowerShell v.3 and higher with ActiveDirectory module;
- Script execution policy is enabled;
To enable it, run the “Set-ExecutionPolicy -ExecutionPolicy RemoteSigned” command in a PowerShell console.
- User accounts have a valid e-mail in the account General properties
- Open options and ensure you have OtpDeliveryScript.ps1 in the Delivery script option:
Click Edit to open the OtpDeliveryScript.ps1 file and edit the email options, such as the SMTP server and the email and password credentials for the mailbox that will be used to send emails:
- $NotifyByEmail = $true
Save the script and click Test delivery. You can also edit and debug OtpDeliveryScript.ps1 in PowerShell ISE to customize the Subject and Email body, and then confirm that the script runs correctly.
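The prerequisites listed above can be checked before enabling OTP delivery. The script below is an added example, not part of Rohos Logon Key or OtpDeliveryScript.ps1; the $SearchBase OU is a constructed placeholder to replace with the OU that holds your terminal-server users.

```powershell
# Added example: pre-flight check for the prerequisites listed above.
# $SearchBase is a constructed placeholder, not a value from Rohos.
param(
    [string]$SearchBase = 'OU=TerminalUsers,DC=example,DC=com'
)

$problems = @()

# PowerShell v3 or higher is required.
if ($PSVersionTable.PSVersion.Major -lt 3) {
    $problems += "PowerShell $($PSVersionTable.PSVersion) is older than v3"
}

# Script execution must be allowed (the page uses RemoteSigned).
$policy = [string](Get-ExecutionPolicy)
if ($policy -eq 'Restricted') {
    $problems += "Execution policy is '$policy'; scripts will not run"
}

# The ActiveDirectory module must be installed.
$haveAd = [bool](Get-Module -ListAvailable -Name ActiveDirectory)
if (-not $haveAd) {
    $problems += 'ActiveDirectory module is not installed'
}

# Enabled accounts need a usable e-mail address (the "mail" attribute,
# shown as E-mail on the General tab), or no OTP can be delivered.
$noMail = @()
if ($haveAd) {
    Import-Module ActiveDirectory
    $noMail = @(Get-ADUser -SearchBase $SearchBase -Filter 'Enabled -eq $true' -Properties mail |
        Where-Object { "$($_.mail)" -notmatch '^[^@\s]+@[^@\s]+\.[^@\s]+$' } |
        Select-Object -ExpandProperty SamAccountName)
    if ($noMail.Count -gt 0) {
        $problems += "$($noMail.Count) enabled account(s) have no valid e-mail"
    }
}

if ($problems.Count -eq 0) {
    Write-Output 'All prerequisites for OTP delivery by e-mail are met.'
} else {
    $problems | ForEach-Object { Write-Warning $_ }
    $noMail   | ForEach-Object { Write-Output "  missing e-mail: $_" }
    exit 1
}
```

Accounts reported as missing an e-mail should be fixed in their General properties before 2FA by OTP is enabled for them.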
Setting up a user account with 2FA by OTP
- Open Rohos Logon Key > Setup Authentication Key
- Choose user account
- Choose “By Email or SMS” and enter “email” into the edit field.
(During actual authentication, Rohos gets the user's e-mail from the account properties.)
- Click Enable OTP login
Don't forget to set up the 2FA policy by setting one of the options under “Allows to login by using the Key”.
Read more about using Rohos Logon Key on Windows Terminal Server – read here>