Closed jonathanmmm closed 3 years ago
Hello, by default OTP is disabled for UAC, but you can activate it in the registry. By default HKCR\CLSID\{FCEFDFAB-B0A1-4C4D-8B2B-4FF4E0A3D978}\cpus_credui has the value 3d; please change it to 0e. It will force OTP when UAC prompts for a password. Best regards
@multiOTP thanks, maybe this could be in the Wiki. I found the folder in the registry (opened with admin rights), but cpus_credui doesn't exist. I will add it (as 32Bit Word) and look what happens.
I restarted the Laptop and it didn't work. I have to say, the name of the only local admin account on this machine gets prefilled.
Did you set up the credential provider using the MSI installer? Because the installer creates the key, and I'm wondering if you are using the latest version of the credential provider.
I had some previous version updated via multiOTPCredentialProvider-5.8.2.9.exe SHA1: 90F260905827D59A083A9333D54E126695B742F7 downloaded https://download.multiotp.net/multiotp_5.8.2.9.zip
Can you please try the latest version: https://download.multiotp.net/credential-provider/multiOTPCredentialProvider-5.8.3.0.zip
Please back up the registry, uninstall and install version 5.8.3
I am leaving the shared secret empty, right, and tick "no remote server, local multiOTP only", right?
Which Authentication Mode should I choose? "OTP authentication mandatory for remote remote desktop only" "OTP authentication mandatory for local logon and remote desktop" "OTP and std auth. for local and remote (to check OTP validation)"
I would say second or third option, but don't know which. I want only to use it locally to login and for UAC.
I would suggest: "OTP authentication mandatory for local logon and remote desktop", and then do not forget to go to the registry and change the key: HKCR\CLSID\{FCEFDFAB-B0A1-4C4D-8B2B-4FF4E0A3D978}\cpus_credui with value 0e
Ok, thanks, cpus_credui has appeared and it works now.
Is there a way to make it prefill the username (like when logging in to Windows in the beginning)?
Maybe the difference between options 2 and 3 could be described in more detail.
Hello, we don't think it's technically possible to prefill the username. By option 2 and 3, what do you mean? Best regards
I am leaving the shared secret empty, right, and tick "no remote server, local multiOTP only", right?
Which Authentication Mode should I choose? "OTP authentication mandatory for remote remote desktop only" "OTP authentication mandatory for local logon and remote desktop" "OTP and std auth. for local and remote (to check OTP validation)"
I would say second or third option, but don't know which. I want only to use it locally to login and for UAC.
Mode 2 and 3 described here
Hi,
I am using multiOTP on my Windows laptop locally, with local accounts (no server, no Microsoft account to log in). It works and secures my user accounts. I created an admin account so that I get the UAC prompt when I need administration privileges, but it just needs the password. This also means any person, if logged in, can try to break the admin password to get administrator privileges.
Is there a way or is it possible to add this, so that UAC also asks for the OTP token?