Two-factor authentication in TeamViewer through Google Authenticator
TeamViewer, one of the most popular remote access programs, does not offer a built-in system for two-factor authentication. When TeamViewer is launched, it generates a short password and receives from the server a short number for full access to the current computer. How dangerous is this? Is there a possibility that someone could connect to a corporate computer again when no one is present?
Rohos Logon Key offers a way to protect TeamViewer sessions using an additional one-time password, thereby implementing two-factor authentication with a TeamViewer password as well as a one-time Google Authenticator password.
Advantages of protecting your system with two-factor authentication:
- Uses a one-time password that can only be used once;
- An unused one-time password will expire and become invalid after 5 minutes;
- No need to provide the remote party your Windows user account password;
- When a new TeamViewer session is started, Rohos Logon Key automatically locks the desktop to ask for two-factor authentication (experimental feature of the beta version);
- Two-factor authentication can be used only for TeamViewer sessions (experimental)
After installing TeamViewer, your computer will be assigned a unique ID and password by which a remote expert can connect to your computer and perform actions on it just like working on his/her own computer. But what happens later, when the expert’s working session ends? Could it be possible for that person or someone else to connect to your computer again using the same details that you provided earlier? There is also the risk that a remote expert could be the victim of a hack, and the expert’s access details could be stolen.
A lot depends on how your computer works. If you regularly turn it off or log out of the current Windows user account, you are protected to a greater degree than if you leave your computer turned on or put it to sleep by simply closing the laptop lid. This is because your computer’s TeamViewer ID remains forever the same, but the password changes every time a new Windows session begins. Thus, if you leave your computer turned on, then a person who has your ID and password can connect to your computer at any time.
Therefore, rule number one of TeamViewer security is to restart your computer after the remote expert has finished working. If this rule cannot be put into practice, for example because the computer acts as a server or some programs have to run on it continuously, then at least lock the computer. Then, to unlock it a malicious actor would have to know your Windows password, but you did not give it to anyone.
This leads to rule number two: you shouldn’t give your Windows user account password to anyone, even a remote expert working over TeamViewer. If an expert needs your password for something, he can ask you to enter it yourself in a Windows dialog window. But be careful and make sure the window you are entering your password into is the right one.
Let’s suppose you work in a common area with other people and you should limit access to your computer when you are away from it, but without turning it off. If you see that a remote expert is no longer working on your computer and you have to step away from it, just lock the computer. Type the keyboard combination Win+L.
A remote expert could also block the computer over TeamViewer, for example if the expert has to take a break from working. When the expert resumes working, he/she will have to call you to unlock the computer. But what if you aren’t at the computer? Could something be done to provide the expert the ability to unblock the computer even if you aren’t next to it, and without having to provide your password?
This is why we recommend using Rohos Logon Key with a one-time password (OTP) instead of your Windows password. In order to unlock your computer, the remote expert can call you and ask for an OTP.
What advantages does a one-time password offer over an ordinary password?
- A one-time password (OTP) consists of six numbers, easy to remember in the short-term and communicate to another person by telephone or text message.
- The OTP changes every 30 seconds. To make things more convenient for our users, we have extended the time over which you can use the password on the computer to a 2-minute period.
- A one-time password can only be used once, therefore there is no point in writing it down or memorizing it for the long-term. For this reason, it cannot be stolen and later used to break into your computer.
- A one-time password can be obtained using Google Authenticator, which is installable on Android or iPhone smartphones. This way, you’ll always have a password generator with you.
- On the computer, the Rohos Logon Key program also has an OTP generator and it is synced with your smartphone using a unique key. For both of these generators to work, on the smartphone and on your computer, you do not necessarily need an internet connection.
What does this give you?
The convenience of using an OTP is clear. Instead of entering a long and complicated password, you can open your smartphone and read a 6-digit numerical code, which is just as strong as a longer alphanumeric password because it changes every 30 seconds.
For the remote expert, too, this is convenient. Instead of remembering your long password, the expert can just enter the 6-digit code that you communicate by telephone. The expert will be unable to create a new code in Rohos Logon key because he/she does not know your Windows password.
The new version of Rohos Logon Key now offers the ability to lock the computer over a TeamViewer connection. Then, no one will be able to connect to your computer unnoticed. Of course, this feature is optional, but we recommend using it for greater security.
How is access with a one-time password set up in TeamViewer?
Install Rohos Logon key and enter its options. Specify Google Authenticator OTP in the first list.
Click OK and run Setup Authentication key. Specify if necessary the user you need, enter the password, and click on Display QR code.
A browser window with the QR-code will open. Scan it with Google Authenticator installed on your smartphone. After doing this, Google Authenticator will show a 6-digit code that changes every 30 seconds.
You will have 2 minutes to enter this code in the Windows login window; after that amount of time passes, it will no longer be valid for login.