TwoFactor WHS addin published

I’ve published the first release of my Windows Home Server addin, which allows for two factor authentication for the WHS remote access website via the Yubikey hardware token. The plan is, in the future, to also support some software based tokens. Maybe I’ll even whip up an implementation of OATH HOTP for a few devices if I can’t find suitable open source solutions.

Let me know what you think of the addin, and please submit any bugs or feature suggestions. I’m interested in the community auditing the code for security flaws, as I’d like this to be as sound as possible.


12 Responses to TwoFactor WHS addin published

  1. Sam says:

    Hi Graham,

    It’s a bit of a tangential question to what you were working on, but since you’ve been poking around inside the authentication mechanism for the WHS Remote Access website, have you got an understanding of where the authentication state is stored throughout the session? I want to add additional “tabs” to the homepage (eg. mail, CVS, etcetera) and I’d like them to only be accessible from within a logged-in WHS session. Any tips where in the WHS website code to borrow the code I need to ensure that visitors to my new pages have already been authenticated?

  2. Christian says:

    Interesting add-on.

    There is a 40% discount offer on Yubikeys. Details in SecurityNow Podcast at – Just search for Yubikey in the text for the details on how to get the discount.

  3. Ted V says:

    So far, this works well. I would recommend it to anyone!

  4. John says:

    I’m having problems with this addon. I’ve successfully installed it in the past, then after a server reinstall my login page is not updated with the Yubikey box. The only error that I received had something to do with the page associated with the server login.

  5. Kevin says:

    I am planning on installing this on my WHS soon… But I see that there has not been any activity on the download page since July of 2009. Is this product still being developed or supported?

    Thank you!

    • grahammurray says:

      Haven’t really needed to do any maintenence. It’s a pretty simple piece of software. It’s running on my whs 😉

  6. Jesse says:

    Have you given any thought to enhancing this for additional authentication methods? Specifically, a paper list of one time passwords?

    I’ve been watching this for a while and what I’d really love is a way to use a printable list of one time passwords (auto generated, or that I would input myself, or load a text file, or whatever’s easiest for you!). I carry around a small scrap of paper with one-time-passwords for work systems and it’s perfect for me. Smaller than a token and you can’t beat the price!

    • grahammurray says:

      Yeah, I’ve been considering it. Been waiting till I have a bit of time on my hands. I’m pretty interested in trying to add a phone factor option too. Anyone know of an iPhone app that generates some open standard OTPs? Maybe I’ll have to make that too….

  7. Jason says:

    OK, you seem pretty upset that MS nuked DE in WHS2011 (I am with you). I suppose this means you are sticking with v1 and not going to bring this to 2011? If you do decide to go 2011 with drive bender or similar I think there would still be some interest in your two-factor solution.

  8. Roger says:

    Graham, TwoFactor WHS is a great addin, my server is a lot more secure from using this. I’ve got a copy of WHS 2011, and am thinking about upgrading – it there any possibility of a version of TwoFactor WHS for 2011? What would it take? 😉

    • Graham Murray says:

      Roger, because MS is basically dropping WHS, I’ve decided to live with using Windows 8 as a home server (Storage Spaces is pretty neat). If it works out I might consider purchasing Server Essentials 2012, but I think that product is too expensive for home use, to be honest.

      As such, I’m pretty demotivated to work on the add in, unfortunately. But the code is available on CodePlex, so someone with the required programming skills and motivation may be able to adapt it to 2011.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s

%d bloggers like this: