MS Windows OTP Provider
SecureMFA WIN Authentication Provider supports Windows x64 platforms only. The minimum server OS version is Windows Server 2016 and the minimum client OS version is Windows 10.
TOTP code validation for 24 user accounts.
TOTP API message decryption with default AES 256-bit encryption key.
Header authentication against API endpoint.
API response message protection against replay or tampering.
Licensed version (additional features)
TOTP code validation for unlimited user accounts
TOTP API message decryption with custom AES 256-bit encryption key.
TOTP Offline authentication.
TOTP account lockout feature.
Deploy SecureMfa WIN OTP Provider on Windows OS
A Self-service password reset portal (SSPR) installed on a Windows server with the API interface enabled. Portal deployment information can be found under the MFA-SSPR section.
Windows server 2016 / 2019 or Windows 10 x64 for MFA provider installation
NOTE: For security reasons, end user devices with “WIN OTP Provider” installed do not allow enrolling users for a TOTP account. Please check the "OTP Account Creation for Users" section for more details.
Before you can start using MFA authentication on Windows you must deploy “SecureMfa WIN OTP Provider” on the Windows device. All commands must be executed in an elevated PowerShell (PS) command prompt.
1) Deploy the latest “SecureMfa_WIN_OTP” PowerShell module from the Microsoft PSGallery using the PS command below:
NOTE: If your server/workstation doesn’t have access to the Internet, you can pull the PowerShell module from a Windows client which has Internet access using the PS command below:
As an alternative, you can download the “SecureMFA_WIN_OTP” nupkg file manually from the https://www.powershellgallery.com/ website. Rename the nupkg file’s extension to ZIP. Unzip the content into a folder named “SecureMFA_WIN_OTP” and place it in the default PS Modules location on the server. That works the same way as pulling the package with the native Windows PS tools.
2) Before the authentication provider can be invoked by Windows, it must be registered in the system with a PowerShell command which performs the necessary installation actions, including installation into the GAC and registration with the DCOM interfaces which are required for authentication.
The command below installs SecureMFA WIN OTP Provider on Windows for RDP sessions only (console access is not affected) and points the provider to the API endpoint URL which is used for OTP code validation. To lock down the Windows OS with MFA for all sessions you must use the -RDPonly $false parameter. The Anchor parameter specifies the OTP user’s suffix which is used in the “SecureMfaOTP” database.
To verify that “SecureMfa WIN OTP Provider” has been installed successfully, RDP into your workstation and confirm that you are required to enter a TOTP code together with your standard credentials.
OTP Account Creation for Users
Windows OTP Provider enforces a second factor in addition to the user's password to provide strong authentication. The user must enroll a mobile device by scanning a QR code with a mobile application such as Google Authenticator, Microsoft Authenticator, Symantec VIP, or potentially many other time-based authenticators which support RFC 6238 (the Time-Based One-Time Password (TOTP) algorithm).
Windows OTP Provider doesn’t have the ability to generate QR codes for enrolment, but you can enroll users by using one of the following options:
Install ADFS with OTP Provider and Web Portal for users' self-service OTP enrolment. For more details click HERE.
This feature only works for licensed providers when performing offline TOTP authentication. For online lockouts, when TOTP validation is performed against the SecureMFA WEB API Portal API endpoint, the setting has no impact, as lockout behaviour is dictated by the SecureMFA WEB API Portal configuration settings. If you set “totp_offline_ui_login_failures” to more than zero and a user reaches this number of failed attempts during offline TOTP authentication, the user’s account is locked out for the period of time set in "totp_offline_ui_lockout_minutes". To disable this feature, set “totp_offline_ui_login_failures” to zero.
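The offline lockout policy above, as an added example (not code from the SecureMFA product): a Python implementation of RFC 6238 TOTP validation with a small clock-drift window, plus a per-account failure counter driven by constants that mirror totp_offline_ui_login_failures and totp_offline_ui_lockout_minutes. The policy values, the ±1 step window and the account names are constructed assumptions; the secret used for the checks is the RFC 6238 reference key.

```python
import base64
import hashlib
import hmac
import struct
import time
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Constructed policy values mirroring the two configuration keys named on the page.
TOTP_OFFLINE_UI_LOGIN_FAILURES = 3    # 0 disables the offline lockout feature
TOTP_OFFLINE_UI_LOCKOUT_MINUTES = 15


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to floor(unix_time / step)."""
    return hotp(secret, int(unix_time) // step, digits)


@dataclass
class AccountState:
    failures: int = 0          # consecutive failed offline attempts
    locked_until: float = 0.0  # unix time until which the account stays locked


class OfflineTotpValidator:
    """Validates TOTP codes locally and applies the offline lockout policy."""

    def __init__(self, max_failures: int = TOTP_OFFLINE_UI_LOGIN_FAILURES,
                 lockout_minutes: int = TOTP_OFFLINE_UI_LOCKOUT_MINUTES,
                 window: int = 1, step: int = 30, digits: int = 6):
        self.max_failures = max_failures
        self.lockout_seconds = lockout_minutes * 60
        self.window = window    # accept +/- this many time steps of clock drift (assumed)
        self.step = step
        self.digits = digits
        self.accounts: Dict[str, AccountState] = {}

    def verify(self, user: str, secret_b32: str, code: str,
               now: Optional[float] = None) -> Tuple[bool, str]:
        """Return (accepted, reason); reason is 'ok', 'invalid' or 'locked'."""
        now = time.time() if now is None else now
        st = self.accounts.setdefault(user, AccountState())
        if st.locked_until > now:
            return False, "locked"
        # Authenticator apps share the secret as unpadded base32; restore the padding.
        padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
        secret = base64.b32decode(padded)
        counter = int(now) // self.step
        for c in range(max(0, counter - self.window), counter + self.window + 1):
            # Constant-time comparison so timing does not leak which digits matched.
            if hmac.compare_digest(hotp(secret, c, self.digits).encode(), str(code).encode()):
                st.failures = 0
                return True, "ok"
        if self.max_failures > 0:   # a value of 0 disables lockout, as on the page
            st.failures += 1
            if st.failures >= self.max_failures:
                st.failures = 0
                st.locked_until = now + self.lockout_seconds
                return False, "locked"
        return False, "invalid"


if __name__ == "__main__":
    reference_key = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"   # base32 of the RFC 6238 test secret
    v = OfflineTotpValidator()
    print(v.verify("alice", reference_key, "287082", now=59))   # RFC vector for T=59
    for _ in range(3):
        print(v.verify("alice", reference_key, "000000", now=59))
```

The `now` parameter exists so the policy can be exercised deterministically; in a real provider it would simply default to the system clock. Lockout state is kept per user name, which matches the page's description of a per-account lock rather than a device-wide one.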
Encryption customization only works for licensed providers. Unlicensed providers use the following passphrase for encryption and decryption operations: "d9GhT=7=Ox8-+LaZ". It is used to decrypt API responses and the local data which is used for offline authentication. AES 256-bit encryption is performed with the AesManaged class in the System.Security.Cryptography namespace. This class uses the Windows CryptoAPI (CAPI), which uses FIPS-compliant .NET assemblies. The cipher mode is Cipher Block Chaining (CBC). The passphrase can be configured in the configuration file and is recommended to be between 16 and 18 random characters. It is salted with a 16-byte string and uses zero padding and 4 key derivation iterations. Full documentation on the AesManaged .NET class can be found in the Microsoft documentation for the “System.Security.Cryptography.AesManaged“ constructors.
Enable Offline TOTP validations
This feature only works for licensed providers. It allows offline TOTP validation when the API endpoint may not be accessible, for example when the device travels to remote locations. You can enable OTP offline logins by setting the “totp_offline_secret_valid_days” value above zero. Users can then synchronise the secret data which is required to validate TOTP codes when the device is used offline.
The user must have a valid TOTP code to receive the account’s secret data, and the “SecureMFA WEB API Portal API endpoint” must be accessible. Data which is received in the HTTP message and later stored locally for offline use is always encrypted and validated against tampering or packet replay attempts.
The value set in “totp_offline_secret_valid_days” indicates how long the offline secret synchronization is valid for TOTP authentication before the user must resynchronise data from the SecureMFA WEB API Portal API endpoint. 0 disables the offline authentication feature.
To uninstall “SecureMFA WIN OTP Provider” use the PS command below. This will unregister the custom provider and restore the original Windows authentication providers as the main ones.
Secrets and identity data are always encrypted in transit and at rest using AES 256-bit encryption.
Each API request has a unique state value which is encrypted together with the data. This allows validation against HTTP packet tampering or packet replay attempts.
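As an added illustration of the tamper and replay protection described above, and of the offline secret validity window from "Enable Offline TOTP validations" (example code, not the provider's own): the client issues a unique state per request, the API echoes it back under a MAC, and the client accepts a reply only once and only if the MAC verifies. The example assumes a pre-shared HMAC-SHA256 key and uses it for the integrity check in place of the product's AES-256-CBC construction, which it does not reproduce; the key, user name, secret value and validity period are all constructed.

```python
import hashlib
import hmac
import json
import os
from typing import Dict, Tuple

# Mirrors the page's "totp_offline_secret_valid_days" setting; 0 disables offline use.
# The value is a constructed example, not a product default.
TOTP_OFFLINE_SECRET_VALID_DAYS = 7


def mac_of(key: bytes, msg: dict) -> str:
    """HMAC-SHA256 over a canonical JSON encoding of every field except 'mac'.

    Assumption: this stands in for the product's own integrity check, which the
    page says is part of its AES-256 message protection. Canonical encoding
    (sorted keys, no whitespace) keeps the MAC independent of field order.
    """
    body = {k: v for k, v in msg.items() if k != "mac"}
    canon = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, canon, hashlib.sha256).hexdigest()


def server_respond(key: bytes, request: dict, offline_secret: str, now: float) -> dict:
    """API side: echo the request's state so the client can bind the reply to its request."""
    msg = {"user": request["user"], "state": request["state"],
           "issued": now, "secret": offline_secret}
    msg["mac"] = mac_of(key, msg)
    return msg


class ProviderClient:
    """Provider side: tracks outstanding states and the locally stored offline secret."""

    def __init__(self, key: bytes):
        self.key = key
        self.pending: Dict[str, float] = {}       # state -> request time
        self.offline_store: Dict[str, dict] = {}  # user -> {"secret", "synced_at"}

    def new_request(self, user: str, now: float) -> dict:
        state = os.urandom(16).hex()   # fresh random state per request
        self.pending[state] = now
        return {"user": user, "state": state}

    def accept_response(self, msg: dict, now: float) -> Tuple[bool, str]:
        # 1. Tamper check: any modified field changes the MAC.
        expected = mac_of(self.key, msg).encode()
        if not hmac.compare_digest(expected, str(msg.get("mac", "")).encode()):
            return False, "bad_mac"
        # 2. Replay check: the state must be one we issued and not yet consumed.
        state = msg.get("state")
        if state not in self.pending:
            return False, "replay_or_unknown_state"
        del self.pending[state]
        self.offline_store[msg["user"]] = {"secret": msg["secret"], "synced_at": now}
        return True, "ok"


def offline_secret_usable(record: dict, now: float,
                          valid_days: int = TOTP_OFFLINE_SECRET_VALID_DAYS) -> bool:
    """True while the locally synced secret is still within the configured validity window."""
    if valid_days <= 0:
        return False
    return now - record["synced_at"] <= valid_days * 86400


if __name__ == "__main__":
    shared_key = b"constructed-shared-key"   # constructed; a real deployment derives this from its passphrase
    client = ProviderClient(shared_key)
    req = client.new_request("alice", now=1000.0)
    resp = server_respond(shared_key, req, "GEZDGNBVGY3TQOJQ", now=1000.0)
    print(client.accept_response(resp, now=1000.0))   # accepted once
    print(client.accept_response(resp, now=1001.0))   # same reply again is rejected
    print(offline_secret_usable(client.offline_store["alice"], now=1000.0 + 8 * 86400))
```

Because the state is consumed on first acceptance, an intercepted response cannot be replayed later to refresh a device with stale secret data, and the MAC is checked before the state so a forged message never reaches the replay bookkeeping.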
The following system events in the Windows Event Log may be used to verify and troubleshoot SecureMfa WIN OTP Provider:
Windows Application Event:
Patching and Upgrades
The provider is tightly integrated with MS Framework classes and uses Windows OS components to deliver its functionality.
To keep up to date with the latest security updates you must regularly update your operating system and MS Framework components using Microsoft security updates.
For feature updates, upgrade the provider by pulling the latest version from the PowerShell Gallery using the command below:
Install-Module -Name SecureMFA_WIN_OTP -Repository PSGallery -Scope AllUsers -Force
You’ll need to repeat all deployment steps as for the original installation.
The video below shows how quickly you can set up the required components to enable MFA authentication on a Windows device.