This project is read-only.
Project Description
Enables Two-Factor authentication for the remote access site for Windows Home Server. Currently compatible with the Yubikey, more to follow.

IMPORTANT: Use is at your own risk, please review all license terms before use.


Current releases support enabling two-factor authentication by utilizing the Yubikey dongle from Yubico. The Yubikey is an inexpensive hardware token for generating one time passwords. The extremely useful aspect of its operation is that all the backend software is open source, so, while yubico runs its own validation servers, which you can validate against, you also have the ability to run/modify the servers yourself, all at only the cost of the hardware tokens ($25, at the time of writing).

TwoFactor WHS works by modifying the remote access logon page for the WHS site to contain an additional textbox that can take a one time password from the token. It also adds code to the page such that when the submit button is clicked, the OTP is first validated against a Yubikey validation server, and if this fails, the normal password which is en route to the WHS password handling, gets shredded and becomes unusable.

I started this project because I want some stronger authentication models for the Windows Home Server. This project is open source partly because I would appreciate if the community at large would help audit the code for any flaws that I have overlooked, so that we can help move the security of the platform forward.

I will be looking into supporting other methods for performing multifactor for WHS over time. I'm especially interested in software tokens that could run on the iPhone or Windows Mobile Devices, etc. The benefit of the Yubikey, of course, was low cost of ownership, so other models would have to be similarily cheap, or free.

If you find this project useful, and are feeling generous, you could buy me a beer or two

For more info about this project and others see my blog


Important: If you use other addins that modify the logon.aspx page of the remote website, then this addin may interfere with their state and function. TwoFactor WHS is designed in such a way so as to minimize the probability of bad interactions in this regard, but caution is recommended.
  • Before configuring the addin to work on your WHS you must retrieve an api key from yubico (unless you are running your own yubikey validation server) at You will be furnished with an app ID and app Key. You will enter these when configuring TwoFactor WHS.
  • Copy the downloaded msi into the addins folder in you whs share (usually \\server_name\Software\Add-Ins)
  • Open the WHS console, and on the addins settings tab, select install for TwoFactor WHS
  • The console will reset.
  • Now you can open the settings tab and navigate to the Tab for TwoFactor WHS
  • If you are using a non default validation server, change the url for the api.
  • Enter the app id you obtained.
  • Enter the app key you obtained.
  • Check the redirect checkbox.
  • For each WHS user that will need to use the remote access site, determine their yubikey's public id (the first 12 characters of the password it generates, the part that doesn't change between uses) and then enter each on a line in the users textbox like so (the username and the public id are seperated by a | (pipe) character):
    • bob|ksjamakslaksi
    • jeff|laisnskalmei
  • click OK
  • now when you log onto the remote access site you should be prompted for entering a one time password.
  • if you want to revert, reopen the TwoFactorWHS tab, uncheck the redirect checkbox, and then click ok.

Last edited Jul 21, 2009 at 10:23 PM by gmurray, version 13