Last Modified: Sun, 19 Mar 2023 14:04:01 +0000 ; Created: Sun, 19 Mar 2023 14:04:01 +0000
I wanted to RDP into a target Windows 11 Professional standalone (not domain-joined) system using my YubiKey USB security key. Windows Hello supports FIDO2 keys, but not over RDP (that requires Windows Hello for Business). I also considered the PIV smart card feature, but most solutions required a domain-joined device with a CA and AD. One free solution I did find for non-domain machines with local user accounts (EIDAuthenticate) only worked on the Home edition of Windows, not Professional. Rohos offered a $32 product with a multitude of login options, but I was looking for something open source and free.

I came across multiOTP. It has a commercially licensed component if you want a GUI, but the command-line edition is open source and free. I settled on the Yubico OTP method. Because this was a standalone setup for a single Windows PC with no authentication server, I had to generate a new Yubico OTP in slot 2. Warning! If you reprogram slot 1 you will lose the factory cc-prefixed OTP registered with YubiCloud. I used slot 2 to avoid this, but you could re-upload your new key to YubiCloud if you need to use it elsewhere. The YubiKey Personalization Tool was useful for capturing the CSV log containing the OTP secret/seed needed for import into multiOTP.
multiOTP install steps:
Now you should be prompted for the username, password, and then the multiOTP code when you try to log in.

You can exclude a user from MFA by updating the multiOTP credential provider's registry configuration under HKEY_CLASSES_ROOT\CLSID\{FCEFDFAB-B0A1-4C4D-8B2B-4FF4E0A3D978}, in the excluded_account value (an excluded account then authenticates with its password only).

If you find that a remote desktop client is not remembering the username and password (you want to provide only the unique OTP on each connection), then store the credential with cmdkey and confirm it is listed:

cmdkey /generic:TERMSRV/* /user:YOURUSERNAMEHERE /pass:YOURPASSWORDHERE
cmdkey /list
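As an added example (not part of the original post or the multiOTP project), the following PowerShell script audits which accounts currently bypass multiOTP, adds an account to the exclusion list without clobbering existing entries, and checks that a TERMSRV credential is stored. The CLSID path and the excluded_account value name come from the post; it is an assumption that the value is a string with account names separated by ';' and that the script runs from an elevated prompt.

```powershell
# Added example: audit/update the multiOTP credential-provider exclusion list and
# confirm a stored TERMSRV credential. Assumption: excluded_account is a REG_SZ
# holding account names separated by ';' (the separator is not documented on the page).

$MultiOtpKey = 'Registry::HKEY_CLASSES_ROOT\CLSID\{FCEFDFAB-B0A1-4C4D-8B2B-4FF4E0A3D978}'
$ValueName   = 'excluded_account'

function Get-MultiOtpExcludedAccounts {
    # Returns the accounts that sign in with password only (no multiOTP prompt).
    $item = Get-ItemProperty -Path $MultiOtpKey -Name $ValueName -ErrorAction SilentlyContinue
    if (-not $item) { return @() }
    return @($item.$ValueName -split ';' | Where-Object { $_ -ne '' })
}

function Add-MultiOtpExcludedAccount {
    param([Parameter(Mandatory)][string]$Account)
    $current = Get-MultiOtpExcludedAccounts
    if ($current -contains $Account) {
        Write-Host "$Account is already excluded from MFA"
        return
    }
    # Preserve existing entries; only append the new one.
    $updated = ($current + $Account) -join ';'
    Set-ItemProperty -Path $MultiOtpKey -Name $ValueName -Value $updated -Type String
    Write-Host "excluded_account is now: $updated"
}

# Every excluded account bypasses the OTP factor, so review this list regularly.
Write-Host 'Accounts currently bypassing multiOTP:'
Get-MultiOtpExcludedAccounts | ForEach-Object { Write-Host "  $_" }

# Uncomment to exclude a local break-glass account (placeholder name):
# Add-MultiOtpExcludedAccount -Account 'LOCALADMINPLACEHOLDER'

# Confirm the Remote Desktop client has a saved TERMSRV credential (see cmdkey above).
$saved = cmdkey /list | Select-String -Pattern 'TERMSRV'
if ($saved) {
    Write-Host 'Stored RDP credential target(s):'
    $saved | ForEach-Object { Write-Host "  $($_.Line.Trim())" }
} else {
    Write-Host 'No TERMSRV credential stored; run the cmdkey /generic:TERMSRV/* command first.'
}
```

Because the password is then cached in Credential Manager, the OTP becomes the only factor typed at each connection, so keep the exclusion list as short as possible.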