How a 2FA bypass incident can occur in real life.
Rohos Logon Key software includes built-in safeguards to prevent bypassing two-factor authentication (2FA). A bypass may occur when a Windows desktop session is initiated by a 2FA-enabled user account, but the 2FA credentials have not been collected by Rohos.
During the latest support incident, we observed that Rohos’ “2FA bypass control” triggered the screen lock procedure each time the user logged in. Finally, it was identified that third-party software, which installed a Credential proxy DLL (to filter all user login sessions), implicitly disabled Rohos two-factor authentication control. However, due to the “2FA bypass control” feature, the automated session lock was initiated each time a user logged in using a plain password login.
The service ADSelfService Plus Client Software\ADSSPProvider64.dll, with GUID {B80B099C-62EA-43CD-9540-3DD26AF3B2B0}, has been identified as the root cause of the issue. The service installation re-enabled the conventional password-based single-factor login field (icon) on the Windows login screen. This, in turn, allowed any employee to use a standard password-based credential icon on the login screen, rather than the one-time password login 2FA method provided by Rohos Logon Key.
To correct the issue, the customer was advised to add the third-party service GUID to the exclusion list in the Options – More… dialog box, as highlighted in the screenshot below.
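
To see which credential providers and filters are registered on a workstation, and to spot a third-party one like the DLL in this incident, an administrator can inventory them from the registry. The script below is an added example, not code from Rohos or from the third-party vendor. It assumes the standard Windows registration keys for credential providers and credential provider filters; the `$approved` entry is a placeholder and the "outside %SystemRoot%" rule is only a heuristic.

```powershell
# Added example: inventory credential providers and filters registered on this host.
# Run in an elevated PowerShell session on the workstation being checked.
$base  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication'
$kinds = 'Credential Providers', 'Credential Provider Filters'

# GUID of the third-party provider named in the incident above.
$incidentGuid = '{B80B099C-62EA-43CD-9540-3DD26AF3B2B0}'
# Assumption: GUIDs you have approved (for example your 2FA provider). Placeholder value.
$approved = @('{00000000-0000-0000-0000-000000000000}')

$report = foreach ($kind in $kinds) {
    Get-ChildItem -Path (Join-Path $base $kind) -ErrorAction SilentlyContinue | ForEach-Object {
        $guid  = $_.PSChildName
        $props = Get-ItemProperty -LiteralPath $_.PSPath

        # Resolve the COM class to the DLL that the logon UI will load.
        $inproc = "HKLM:\SOFTWARE\Classes\CLSID\$guid\InprocServer32"
        $dll = if (Test-Path -Path $inproc) { (Get-ItemProperty -Path $inproc).'(default)' }

        # Record who signed the DLL, or the signature status if there is no signer.
        $signer = $null
        if ($dll -and (Test-Path -LiteralPath $dll)) {
            $sig = Get-AuthenticodeSignature -FilePath $dll
            $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $sig.Status }
        }

        # Heuristic (assumption): a DLL with a full path outside %SystemRoot% that is
        # not on the approved list deserves a manual look.
        $external = $dll -and [IO.Path]::IsPathRooted($dll) -and ($dll -notlike "$env:SystemRoot\*")
        $flag = if ($guid -eq $incidentGuid) { 'INCIDENT-GUID' } elseif ($approved -contains $guid) {
            'approved' } elseif ($external) { 'REVIEW' } else { '' }

        [pscustomobject]@{
            Kind     = $kind
            Guid     = $guid
            Name     = $props.'(default)'
            Dll      = $dll
            Signer   = $signer
            Disabled = [bool]$props.Disabled
            Flag     = $flag
        }
    }
}

$report | Sort-Object Flag -Descending | Format-Table -AutoSize -Wrap
```

Rows flagged `INCIDENT-GUID` or `REVIEW` show the GUID and DLL path of a non-system provider, which is the value the exclusion list described above expects.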

Read more about how the Rohos Logon 2FA-information feedback-loop control works in “Rohos built-in safeguards to prevent 2FA / MFA bypass attacks”.
