Multi-factor authentication with SecureUSB and Rohos for Windows and Mac login

Multi-factor authentication with SecureUSB and Rohos for Windows and Mac login

The SecureUSB and SecureDrive storage devices not only provide highly secure protection for valuable data. Thanks to the extension with Rohos Logos Key, the SecureUSB has become an incredibly strong two- or multi-factor authenticator.

Rohos recommends using a hardware-encrypted SecureData SecureUSB® Duo device in conjunction with the Rohos Logon Key for two-factor authentication during Windows or Mac logon. This provides an additional layer of security. The SecureUSB Duo hardware-encrypted USB flash drive provides host/OS-independent user authentication according to military standards. User authentication can be done via the physical keypad on the USB drive or via your smartphone using the free user app (iOS or Android).

Windows login with SecureDrive USB flash drive

When using the keypad, you can either plug it into any open USB port on any computer and enter a 7-64 digit PIN (password) to unlock the drive, or press the key button, enter the PIN, and then plug it into any open USB port.
If using the phone for authentication, the user must download the free app from the App Store for iPhones or the Google Play Store for Android devices. To unlock the drive using the app, the drive must be connected to the host and then the app must be opened on the phone. Using a smartphone for user authentication provides additional layers of security that can be set up in the app. 2FA (2-factor authentication) or biometrics can be used to unlock the disk. After the data carrier has been successfully unlocked with the keypad or the app, the Rohos Logon set up on the USB stick can be used for secure logon to the device as with conventional security keys (Swissbit FIDO2, Yubico, Titan, etc.).

Rohos Logon Key is the only solution on the market that allows anyone to set up redundant two-factor authentication using multiple 2FA methods at the enterprise or user account level. For Rohos Logon Key, it is recommended to set up PIN recovery in case the PIN is forgotten.

Highly secure and simple storage devices with unique user profile protection

One of the most important unique features of SecureUSB Duo is that the PIN code verification mechanism is isolated from the USB port communication at the hardware level. Only after successful PIN code verification, the device's USB communication is enabled, allowing the computer to communicate with the drive via the USB port. Before the drive is unlocked by successful user authentication, it is impossible to communicate with the device hardware through the USB port. The drive is invisible to the computer (as the saying goes, "You can't hack what you can't see"). This is an important security feature, as it prevents malware and attackers from affecting or exploiting the device while it is connected to the computer in locked mode, without entering the correct pin code. For example, it is not possible to retrieve the device's serial number when it is locked because USB communication is interrupted. As an alternative to the integrated keypad, the user can use the SecureData Lock app to enter the correct PIN or use biometrics to authenticate and unlock the SecureUSB. Once the drive is plugged in, the red lock on the drive will flash, indicating that it is establishing an encrypted wireless connection between the drive and the phone. After this is done, the user presses the lock on the phone and the drive is unlocked by either PIN entry, biometrics, or password storage, depending on which option the user selected. If 2FA is selected, an SMS code is sent to the phone for verification.

How to configure SecureUSB Duo for Windows login

SecureUSBs are password-protected flash drives that use real-time military-grade XTS-AES 256-bit hardware encryption. They are designed to protect data from break-ins or from unauthorized users trying to access a lost or stolen drive.
First, the Rohos Logon Key is installed on the computer and the SecureUSB is configured normally according to the user manual. Then the "Set up authentication key" dialog needs to be opened in Rohos Logon Key.

  1. Configure your SecureUSB normally according to the user manual. Define the desired password for the USB stick and the guidelines for unlocking. Instructions on how to do this can be found here.
  2. Install Rohos Logon Key on your computer (download from official site here) and run the program.

  3. Connect the SecureUSB to your computer and unlock it. After that, select "Set up authentication key" in the Rohos Logon Key window (picture above).
  4. Select USB flash drive and confirm with "Setup Key". The setup of the hardware token is now completed.

  5. Afterwards you can (optionally) make your desired settings for 2FA control policies in the options.

2FA benefits with SecureUSB Duo

Secure authentication using SecureUSB Duo in combination with Rohos Logon Key benefits from the following device features.

High-security mode: OS-independent pin code authentication thanks to a rechargeable battery in the device. Real-time military-grade AES-XTS 256-bit hardware encryption to protect user login profile data.

  • The PIN must consist of at least 8 digits.
  • Brute force protection for PIN codes. After 10 consecutive incorrect PIN attempts, the drive's hardware key is destroyed (crypto-shredding).
  • In addition to the hardware-based PIN code, Rohos Logon allows the definition of a software-based PIN code for each device in conjunction with Rohos centralized 2FA database in Windows Active Directory. The Rohos PIN code can be set/changed by the administrator at any time, regardless of the state of the SecureUSB connection.
  • Read-only mode for USB drive memory allows restricting its use as an access key for logging in to the computer.
  • Inactivity Auto-Lock automatically stops USB communication and removes the drive from Windows after a specified time between 1 and 60 minutes.
  • When using the app, users can set Auto-Lock to lock the drive when they walk away from the drive and have their cell phone with them.