Enable Two-Factor Authentication (2FA) in Windows with MultiOTP | Windows OS Hub (2024)

In this article, we will show how to implement two-factor authentication (2FA) for users on a Windows domain using the free open-source multiOTP package. MultiOTP is a set of PHP classes and tools that allows you to implement an on-premises strong authentication server for HOTP and TOTP (Time-based One Time Password). You can use it both in Windows and in any other operating system (via RADIUS) to enable 2FA with a one-time password.

Once multiOTP is deployed, Windows prompts a user to enter a one-time password (OTP) that they receive from their mobile device/smartphone (from Microsoft or Google Authenticator, or another OTP generator). You can enable two-factor authentication for users to log in to Windows workstations or to access RDS hosts on Windows Server over RDP.

MultiOTP offers offline operation (doesn’t need Internet access), so you can use it to configure multi-factor authentication in disconnected environments. Most similar apps are commercial or require direct Internet access.

Contents:

  • Installing MultiOTP in Active Directory Domain
  • Configuring MultiOTP Two-Factor Authentication for Domain Users
  • How to Install and Configure MultiOTP CredentialProvider on Windows?

Installing MultiOTP in Active Directory Domain

In this section, we’ll show how to install multiOTP on Windows Server 2019 and configure user synchronization from Active Directory.

You can also deploy multiOTP using an OVA image for a VMware/Hyper-V virtual machine, or a Docker container.

Let’s start with the configuration of a multiOTP server that will get users from Active Directory, generate unique QR codes for users, and validate the second factor.

Create a security group in Active Directory and add to it the users who will be required to pass second-factor verification when logging in to Windows. Create the group using PowerShell:

New-ADGroup 2FAVPNUsers -Path 'OU=Groups,OU=Munich,DC=woshub,DC=com' -GroupScope Global -PassThru -Verbose

Add users to the group:

Add-AdGroupMember -Identity 2FAVPNUsers -Members j.smith, k.berg, m.bakarlin

Create a new AD user that multiOTP will use to read the directory (with minimal privileges):

$passwd = ConvertTo-SecureString -String "Paa32ssw0rd!" -AsPlainText -Force
New-ADUser -Name "multiotp_srv" -SamAccountName "multiotp_srv" -UserPrincipalName "[emailprotected]" -Path "OU=ServiceAccounts,OU=Munich,DC=woshub,DC=com" -AccountPassword $passwd -Enabled $true

Download the multiOTP archive – https://download.multiotp.net/.

Open the multiotp_5.9.2.1.zip archive and extract the windows directory from it to a folder on your local drive (C:\MultiOTP).

Open the command prompt and go to the directory containing multiotp.exe:

CD C:\MultiOTP\windows

Use the commands below to configure the multiOTP LDAP settings so that it can read users from the Active Directory database:

multiotp -config default-request-prefix-pin=0
multiotp -config default-request-ldap-pwd=0
multiotp -config ldap-server-type=1
multiotp -config ldap-cn-identifier="sAMAccountName"
multiotp -config ldap-group-cn-identifier="sAMAccountName"
multiotp -config ldap-group-attribute="memberOf"
multiotp -config ldap-ssl=0
multiotp -config ldap-port=389

REM Domain controller IP address:

multiotp -config ldap-domain-controllers=mun-dc1.woshub.com,ldap://192.168.15.15:389
multiotp -config ldap-base-dn="DC=woshub,DC=com"

REM Account for multiOTP authentication in AD:

multiotp -config ldap-bind-dn="CN=multiotp_srv,OU=ServiceAccounts,OU=Munich,DC=woshub,DC=com"
multiotp -config ldap-server-password="Paa32ssw0rd!"

REM Group of users you want to enable OTP for:

multiotp -config ldap-in-group="2FAVPNUsers"
multiotp -config ldap-network-timeout=10
multiotp -config ldap-time-limit=30
multiotp -config ldap-activated=1

REM Key to access a MultiOTP server:

multiotp -config server-secret=secret2OTP

You can find a detailed description of all options in the "HOW TO CONFIGURE MULTIOTP TO SYNCHRONIZED THE USERS FROM AN ACTIVE DIRECTORY" section of https://download.multiotp.net/readme_5.9.7.1.txt.

Earlier we created the 2FAVPNUsers group and added 3 users to it. Now synchronize the AD users into multiOTP:

multiotp -debug -display-log -ldap-users-sync

LOG 2022-09-17 14:36:44 info LDAP Info: 3 users created, based on 3 LDAP entries (processed in 00:00:00)
LOG 2022-09-17 14:36:44 debug System Info: *File created: c:\MultiOTP\windows\.\users\j.smith.db

In this case, multiOTP has found 3 users and synchronized them.

To regularly synchronize new Active Directory accounts, create a Task Scheduler job using the command below:

multiotp -debug -display-log -ldap-users-sync

Run webservice_install.cmd as administrator. It installs the multiOTP web management interface.

Sign in to the multiOTP web interface (http://127.0.0.1:8112/) using the default credentials (user: admin, password: 1234). It is recommended to change this password right away.

Configuring MultiOTP Two-Factor Authentication for Domain Users

In the List of users section, you will see a list of domain users synchronized earlier (AD/LDAP source).

Select a user and click Print. You will see the user's QR code, which is to be added to the authentication app.

Install Microsoft Authenticator (or Google Authenticator) from Google Play or the App Store on the user's smartphone. Open it and scan the user's QR code.

A new account then appears in the Authenticator app; it generates a new six-digit password (the second factor) every 30 seconds.

In the command prompt, you can verify that multiOTP accepts an OTP for this user:

multiotp.exe -display-log j.smith 130186

where 130186 is the one-time password currently shown in the app.

LOG 2022-09-17 15:13:11 notice (user j.smith) User OK: User j.smith successfully logged in with TOTP token
Filter-Id += "2FAVPNUsers"

You can also check that OTP validation works through the web interface: go to the Check a user section and enter a user name and a one-time password.

How to Install and Configure MultiOTP CredentialProvider on Windows?

The next step is to install multiOTP-CredentialProvider on the Windows computers on which you want to enforce two-factor authentication using multiOTP. You can install CredentialProvider on any Windows 7/8/8.1/10/11 or Windows Server 2012(R2)/2016/2019/2022 host.

In this example, we will enable 2FA for RDP users to log in to an RDSH server running Windows Server 2019.

Download and install multiOTP CredentialProvider from GitHub: https://github.com/multiOTP/multiOTPCredentialProvider/releases. The latest available version is 5.9.2.1.

Run the installation:

  1. Specify the IP address of the server multiOTP is installed on.

    Remember to open the firewall port on both the multiOTP server and the client. You can open the port in Windows Firewall on the server using PowerShell:
    New-NetFirewallRule -DisplayName "AllowMultiOTP" -Direction Inbound -Protocol TCP -LocalPort 8112 -Action Allow

  2. Enter the secret key from the multiOTP configuration (server-secret) in the Secret shared with multiOTP server field.
  3. Select the Windows logon type to which OTP authentication applies. In our example, we will use 2FA for RDP logins only (OTP authentication mandatory for remote desktop only).

You can enable OTP authentication both for RDP and local logons.

MultiOTP CredentialProvider keeps its settings in the registry under HKEY_CLASSES_ROOT\CLSID\{FCEFDFAB-B0A1-4C4D-8B2B-4FF4E0A3D978}. If needed, you can change the CredentialProvider settings there without reinstalling the agent.

Restart the Windows Server RDS host and try to connect to it via RDP. After you enter your user credentials, a new one-time password window appears. Here you must enter a one-time password from your Authenticator app on your smartphone.

If NLA for RDP is disabled on the RDS host, a user will just see three fields (username, password, and OTP).

You can enable logging on your multiOTP server, which is useful for debugging:

multiotp -config debug=1
multiotp -config display-log=1

Your script is running from C:\MultiOTP\windows\
2022-09-17 15:21:07 debug CredentialProviderRequest Info: *Value for IsCredentialProviderRequest: 1 0 MUN-SRVOTP1
2022-09-17 15:21:07 debug Server-Client Info: *CheckUserToken server request. 0 MUN-SRVOTP1
2022-09-17 15:21:07 notice j.smith User OK: User j.smith successfully logged in (using Credential Provider) with TOTP token 0 MUN-SRVOTP1
2022-09-17 15:21:07 debug Server-Client Info: *Cache level is set to 1 0 MUN-SRVOTP1
2022-09-17 15:21:07 debug Server-Client Info: *Server secret used for command CheckUserToken with error code result 0: secret2OTP 0 MUN-SRVOTP1

Remember to make sure that your AD domain synchronizes time with a reliable time source and that client devices have the correct time. Both are critical to the operation of time-based OTP.

Before rolling out multiOTP-based 2FA across your network, we recommend testing all operation modes and failure scenarios (multiOTP server or DC unavailability, CredentialProvider errors, etc.) for a couple of weeks. If serious problems with multiOTP logon occur, you can uninstall CredentialProvider in Safe Mode.

This completes the configuration of multiOTP two-factor authentication in Windows Server. multiOTP can also be used with a RADIUS server to authenticate almost any type of client with OTP. Combined with Windows Firewall rules, OTP gives the RDP server extra protection against brute-force attacks.
