MFA (2FA) to Standalone Windows Pro Local Account via Remote Desktop (RDP)

Last Modified: Sun, 19 Mar 2023 14:04:01 +0000 ; Created: Sun, 19 Mar 2023 14:04:01 +0000

I wanted to RDP into a target Windows 11 Professional standalone (not domain-joined) system using my Yubikey USB security key. Windows Hello supports FIDO2 keys, but not over RDP (that requires Windows Hello for Business).

I also considered using the PIV smart card feature, but most solutions required a domain-joined device with a CA and AD. One free solution I did find for non-domain machines with local user accounts (EIDAuthenticate) only worked on the Home edition of Windows, not the Professional edition.

There was a Rohos product for $32 that offered a multitude of login options, but I was looking for something open source and free.

I came across multiOTP. It has a commercial license component if you want a GUI, but the command-line edition is open source and free. I settled on using the Yubico OTP method.

Because this was a standalone setup for one single Windows PC with no authentication server, I had to generate a new Yubico OTP in slot 2. Warning! If you reprogram slot 1 you will lose the factory cc-prefixed OTP that is registered with the YubiCloud. I used slot 2 to avoid this, but you could re-upload your new key if you need to use it elsewhere.

The Yubikey Personalization Tool was useful for capturing the CSV log containing the OTP secret/seed needed for import into multiOTP.

What you need:

  1. The OTP shared secret to import into multiOTP
  2. Existing local (in theory a domain account could work) Windows account
  3. The USB (or authenticator application) to use (these directions assume a yubikey, but you can generate a QR code for authenticator apps too)
  4. Administrator access to install multiOTP
  5. The multiOTP Credential Provider installer from https://download.multiotp.net/credential-provider/

multiOTP install steps:

  1. Install both the 32-bit and 64-bit MSVC++ redistributables (64-bit was already there, but 32-bit was required for the installer to work)
  2. Run multiOTPCredentialProviderInstaller.msi
  3. Leave "URL of your multiOTP server(s)" blank
  4. Check "No remote server, local multiOTP only"
  5. Choose your Logon and Unlock options (you can leave CredUI as None)
  6. Open a cmd (or Terminal) as Administrator
  7. cd "C:\Program Files (x86)\multiOTP"
  8. .\multiotp.exe -fastcreatenopin YOURUSERNAMEHERE
  9. .\multiotp.exe -import-yubikey C:\Users\YOURUSERNAMEHERE\Downloads\YUBILOG_WITH_SECRET.csv
  10. .\multiotp.exe -assign-token YOURUSERNAMEHERE jteunabcaaai
    • Replace jteunabcaaai with the public ID of your Yubico OTP
  11. .\multiotp.exe -userlist

Now you should be prompted for the username, password, and then the multiOTP code when you try to login.
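To see what the secret from that CSV and the public ID assigned in step 10 are actually used for, here is an added Go example, my own illustration rather than multiOTP's code, of the checks a local Yubico OTP validator performs: modhex decode, AES-128 decrypt with the key's secret, private ID and CRC checks, then a replay check on the use and session counters. The public ID jteunabcaaai from the steps above is reused; the key and private ID are whatever the validator loaded from the CSV (the accompanying test feeds constructed values).

```go
package main
import (
	"crypto/aes"
	"encoding/binary"
	"encoding/hex"
	"errors"
	"strings"
)

// Modhex is hex with a keyboard-layout-independent alphabet (what the key types); digit i of one maps to digit i of the other.
const modhex, hexd = "cbdefghijklnrtuv", "0123456789abcdef"

// crc16 is the CRC over the OTP block: poly 0x8408 (0x1021 reflected), init 0xFFFF, no final XOR.
func crc16(b []byte) (crc uint16) {
	crc = 0xFFFF
	for _, c := range b {
		crc ^= uint16(c)
		for i := 0; i < 8; i++ {
			crc = crc>>1 ^ 0x8408*(crc&1) // shift; XOR in the polynomial when the low bit was set
		}
	}
	return
}

// Token is the per-user state a local validator (what multiOTP keeps in "local only" mode) needs.
type Token struct {
	PublicID string   // modhex public ID handed to -assign-token
	Key      [16]byte // AES-128 secret from the personalization CSV
	UID      [6]byte  // private ID (the personalization CSV records it too)
	LastCtr  int      // highest useCtr<<8|sessionCtr accepted so far; -1 = none yet
}

// Validate checks one OTP: public ID, AES decrypt, private ID, CRC, then the replay counters.
func (t *Token) Validate(otp string) error {
	if len(otp) < 32 || otp[:len(otp)-32] != t.PublicID || strings.Trim(otp[len(otp)-32:], modhex) != "" {
		return errors.New("OTP too short, not modhex, or from a different public ID")
	}
	p, _ := hex.DecodeString(strings.Map(func(r rune) rune { return rune(hexd[strings.IndexRune(modhex, r)]) }, otp[len(otp)-32:]))
	blk, _ := aes.NewCipher(t.Key[:]) // a 16-byte key cannot fail
	blk.Decrypt(p, p)                 // one AES-128 block, decrypted in place
	if string(p[:6]) != string(t.UID[:]) || crc16(p[:14]) != ^binary.LittleEndian.Uint16(p[14:]) {
		return errors.New("private ID or CRC mismatch: wrong secret or corrupted OTP")
	}
	ctr := int(binary.LittleEndian.Uint16(p[6:]))<<8 | int(p[11]) // use counter (persists across power cycles), then session counter
	if ctr <= t.LastCtr {
		return errors.New("replay: counters not above the last accepted OTP")
	}
	t.LastCtr = ctr
	return nil
}
```

Every accepted OTP advances LastCtr, which is why a validator must persist the counters: losing them reopens the replay window for every OTP typed since.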

You can exclude a user from MFA by updating the registry configuration at HKEY_CLASSES_ROOT\CLSID\{FCEFDFAB-B0A1-4C4D-8B2B-4FF4E0A3D978}, in excluded_account.

If you find that a remote desktop client is not remembering the username + password (you want to only have to provide the unique OTP on each connection), then try:

cmdkey /generic:TERMSRV/* /user:YOURUSERNAMEHERE /pass:YOURPASSWORDHERE

cmdkey /list