Remote Desktop (RDP) using One-time Passwords (OTP) via Single Sign-on (SSO)? Oh yeah!

The Original DDT
Hybrid Security Superheroes
3 min read · Nov 28, 2018


So, you’ve just deployed yet another Windows VM in the Cloud, what’s next? Well, you’re probably going to open a Remote Desktop (RDP) session to it, and perform some configuration and management tasks.

In other words you are going to:

  • Select the VM you want to RDP into
  • Click Connect
  • Find your Cloud-issued key-pair on your disk and select it
  • Decrypt the VM’s Administrator password
  • Copy it (Ctrl-C) to your system’s clipboard
  • Download the RDP file and open it
  • Paste (Ctrl-V) the Administrator password when requested
  • Yay! You’re in!

A bit of a long process, isn’t it? Not to mention that the next time you need to connect to the same VM you’ll use the exact same Administrator password, so to shorten your to-do list next time you might even save the credentials in your system’s RDP credential storage.

And not only that. Several system administrators I’ve met in my career in IT security end up compiling a list of those VMs and their passwords (often saved in an Excel spreadsheet on their desktop). I will not insult your intelligence by explaining here why this is bad.

Furthermore, reusing the same password assumes you trust the entire communication path end-to-end, and that you are certain there is no possibility of a Man-in-the-middle (MITM) attack. History teaches us, though, that should anyone manage to sniff your credentials over the network (and yes, it isn’t as difficult as you’d like to believe) they will be able to RDP into your VM at a later time and take control of it.

Recent examples like the LabCorp hack are proof of it. And RDP attacks are on the rise, as stated by both the FBI and the DHS.

This raises the question: is there a better and more secure way to use Remote Desktop, instead of dropping it completely? Is it possible to make it easier to use while also increasing its security?

Yes. Here at Xiid we have invented (and filed a patent for) a method to do just that.

Now, if you’re an Xiid user, when you deploy your new Windows VM in the Cloud, your newborn VM will recognize your Xiid SSO account and self-register into your Xiid SSO portal. Opening an RDP connection to your VM from inside your Xiid SSO portal is, therefore, a much easier experience than before:

  • Click on the VM you want to RDP to (inside your Xiid SSO portal)
  • Click the access mode/method you wish to use (ex: RDP)
  • Paste the One-time Password that’s already been placed in your clipboard when requested
  • You’re in!

Xiid’s SSO portal with a couple of cloud VMs accessible via RDP with OTP

And the best part is that the password you just pasted into your RDP client is a One-time Password (OTP) so, even in the unlikely event that a successful MITM attack lands it in the hands of a malicious hacker, that person will not be able to use it to take control of your VM later on.
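The property this paragraph relies on, a password that stops working the moment it has been used (and that also expires if never used), can be illustrated with a small single-use credential store. This is an added example, not Xiid’s patented implementation: the portal-side issuer and the VM-side check (`OtpIssuer.issue` / `OtpIssuer.redeem`) are hypothetical names, and the store is kept in memory for the sake of the demonstration.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass


def _digest(otp: str) -> str:
    # Only a hash of the OTP is stored, so a dump of the portal's store
    # does not hand out live passwords.
    return hashlib.sha256(otp.encode()).hexdigest()


@dataclass
class OtpRecord:
    user: str          # SSO identity the OTP was minted for
    vm_id: str         # VM the OTP may be used against
    expires_at: float  # absolute time (seconds) after which it is dead
    used: bool = False # flipped on first successful redemption


class OtpIssuer:
    """Hypothetical SSO-portal component: mints and consumes single-use RDP passwords."""

    def __init__(self, ttl_seconds: float = 60.0, clock=time.time):
        self._records: dict[str, OtpRecord] = {}
        self.ttl = ttl_seconds
        self.clock = clock  # injectable for deterministic tests

    def issue(self, user: str, vm_id: str) -> str:
        """Portal side: mint the OTP that ends up in the user's clipboard."""
        otp = secrets.token_urlsafe(24)  # ~192 bits of randomness
        self._records[_digest(otp)] = OtpRecord(user, vm_id, self.clock() + self.ttl)
        return otp

    def redeem(self, otp: str, vm_id: str) -> tuple[bool, str]:
        """VM side: accept the OTP at most once, only for this VM, only before expiry."""
        rec = self._records.get(_digest(otp))
        if rec is None:
            return False, "unknown"
        if rec.used:
            return False, "replayed"   # a sniffed OTP is useless after first use
        if self.clock() > rec.expires_at:
            return False, "expired"    # an unused OTP dies on its own
        if rec.vm_id != vm_id:
            return False, "wrong-vm"   # an OTP for one VM does not open another
        rec.used = True
        return True, rec.user
```

A real deployment would persist the store and bind the OTP to the RDP session (for example via the VM's credential provider), but the replay and expiry checks above are the part that makes the captured password worthless.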

But wait, it gets even better! We have also developed our own RDP Wrapper to make your experience even easier and safer. In fact, if you use Xiid’s own Wrapper, your experience becomes even more seamless:

  • Click on the VM you want to RDP to (inside your Xiid SSO portal)
  • Select the WRA (Xiid RDP Wrapper) access mode/method and click
  • You’re in!

But didn’t my mom teach me that a picture (or a video) is worth a thousand words? So, here we go:

RDP connection to a cloud VM, via SSO portal, authenticating to the VM using one-time password (OTP)

So, yes! Easy and straightforward Single Sign-on experience, with the added safety of One-time Passwords, without giving up the familiar Remote Desktop tool you’ve been using all along. It’s possible, it’s Xiid.

CTO of Xiid Corporation, ethical hacker, hardcore software designer and developer, serial entrepreneur.