Bind additional one-time passwords to the Windows login window

How does it all work
All the functionality of the solution rests on the wonderful multiotp project , open source PHP software that can work both with TOTP and HOTP , and even with OCRA . And you can run this beauty in * nix and in Windows. There is even a web interface and releases for virtualization systems, but it's up to you to dig yourself, we will outline the minimum set of actions necessary to start.
Binding mutltiotp to the Windows login window is done using the MultiOneTimePassword-CredentialProvider plugin .
The user will generate one-time passwords on his computer or mobile device.
The procedure is indicatedon the plugin page, but the syntax has changed in the latest multiotp version, so I will go through all the steps for you again.
Install multiotp service
Download multiotp and place it somewhere on the server. I will throw C: \ multiotp in the root of the system drive.
Key generation
Then you need to create a key for each user wound up on the server. I emphasize - we are talking about local users. Multiotp has the ability to bind to ldap, but this is too big a topic for one article.
Creating users will require 160-bit HEX keys (i.e. 20 characters in hexadecimal notation). You can (and should) generate them yourself in a protected environment, for laboratory purposes I will offer you this generator . Indicate the key length (20) and the number of users in your system, he will do everything himself. Save these keys somewhere, they will be useful to us further.
Create custom keys
The user creation command looks like this (by itself in cmd, go to the directory with unpacked multiotp):
multiotp.exe -debug -create %USERNAME% %TOTP% %KEY% %PIN% %LENGTH% %LIVETIME%
where % USERNAME% is the name of the user account in Windows;
% TOTP% - creating keys for TOTP technology (based on time stamp);
% KEY% - the key created in the previous step;
% PIN% - an additional permanent pin that the user will append before his temporary password (you can not use it, but the command requires you to specify some key);
% LENGTH% - the length of one-time passwords (6-character ones are recommended, since most applications generate them);
% LIVETIME% - expiration of one-time passwords (it is recommended to specify 30 seconds, since most applications generate them).
Example:
multiotp.exe -debug -display-log -create rdpclient1 TOTP 6696f39315f4c6388216 1234 6 30
those. created a key for the user rdpclient1 with pin 1234 (the command syntax requires you to specify a pin, even if we plan not to use it);multiotp.exe -debug -display-log -set user pin=
those. said that the pin is not really needed.Key conversion for users
Now we need to somehow pass on the users key so that they can generate one-time passwords at home. The full multiotp functionality allows you to create a QR code through the web interface, which we shoot on our phones and continue to work with them. I show minimal functionality without an interface, so I have to work with my hands.
You will need the keys created in the second step to convert from a 160-bit HEX to Base32. Again, it’s better to do this in your own environment, to whom laziness is, here you have an online converter . It doesn’t even have https, so be careful with it. It seems to work clearly, pay attention to case when entering keys.
Key Generation Applications
The converted keys must be given to the user. There are tons of mobile OS apps that can generate one-time passwords. I love Google Authenticator , it works on most OS. If you want to indulge and not clog your mobile device, you can put the plug- in in your browser.
The application or plug-in needs to specify the key created in the fourth step. There is nothing complicated, I think you will figure it out for yourself.
Checking the service
To check the correct operation of the multiotp service, you should test the generated keys on the command line as follows:
multiotp.exe -display-log user %GENERATED_TOKEN%
where user is the username in Windows; % GENERATED_TOKEN% - the key generated by the application on the mobile device (watch the time, you have only 30 seconds from the moment the password was generated) The
answer on the command line should look like this:
0 OK: Token accepted
Connect authorization plugin in Windows
Little is left - download and install the plugin for Windows. The installer asks a few questions. You need to install the “Default Provider” component (otherwise it will not do anything), specify the path to multiotp and write a message for the Windows login window.
Done. You can check the work.
Nuances:
1) Be sure to create passwords for everyone, including for the administrator, otherwise he will not be allowed into the system.
2) Be sure to set the exact time on the server and on users' devices, otherwise your keys will not work. The point is not precisely in accuracy, but in the fact that time must coincide there and there.
3) Sometimes it does not show the result on the command line, but you can always read the log.
4) If you are interested in how to tie this beauty to the domain - tell me, I'll try and unsubscribe.
5) The functionality is huge, everything is on the multiotp wiki : SMS, QR, synchronization, backup, binding to anything.
Those who like to perceive information visually can be useful this video .
UPD:
I received incredibly good comments and clarifications from a friend who wanted to remain anonymous:
1) At the very beginning of the server setup, enter the command:
multiotp.exe -debug -config default-request-prefix-pin=0 display-log=1
after it, you do not need to enter a pin code when setting up the user, and the display of the log of each operation in the console is turned on. 2) With this command you can adjust bantime, for users who make a mistake with the password (30 sec by default):
multiotp.exe -debug -config failure-delayed-time=60
3) What will be written in the google Authenticator application over 6 digits, called issuer, can be changed from the default MultiOTP to something else:
multiotp.exe -debug -config issuer=other
4) After the operations done, the user creation command becomes a little easier:
multiotp.exe -debug -create user TOTP 12312312312312312321 6
(I do not set the time for updating the digits equal to 30 seconds, it seems by default it is 30). 5) Each user can change the description (the text under the numbers in the Google Auth application):
multiotp.exe -set username description=2
6) QR codes can be created immediately in the application:
multiotp.exe -qrcode username c:\multiotp\qrcode\user.png:\multiotp\qrcode\user.png
7) You can use not only TOTP, but also HOTP (not the current time, but the value of the incremental counter is fed to the input of the hashing function):
multiotp.exe -debug -create username HOTP 12312312312312312321 6
multiotp.exe -resync user 061735 729371
8) If the user has forgotten / lost the phone, you can generate a dozen one-time codes using the command:
multiotp.exe -scratchlist username
9) And good explanations