Take control of virtual desktop access with two-factor authentication

Put two-factor authentication to work

To protect virtual desktop access, VDI shops can consider a one-time password that changes, and there are a lot of different ways to do that. Each method relies on users having a second authentication factor in their hands. The first factor is the traditional username/password combination. The second factor is something else they have -- a token, card or biometric measure. This two-factor authentication is sometimes referred to as 2FA.

The answer is not to rely on just usernames and static passwords.

The venerable RSA SecurID token is the most widely known second factor. It is a small fob that generates a new pseudo-random number every minute. To log in, users must enter their usernames and passwords as well as a given minute's token code. Because the code changes every minute, users can shout the code across a crowded room if they really want to with very little risk. Although RSA's token fobs are the most well-known options, other companies offer similar physical 2FA tokens. RSA also has a software version of its SecurID token, eliminating the need for a physical token.

The other common second factor is the device itself, whether the company issued it or the user owns the device. Users are far less likely to lose their smartphones or leave them behind than they are with a security token. There are a variety of other two-factor options, such as Google Authenticator, that use smartphones. All these applications have a server component that communicates with a company's VDI broker to authenticate and deliver virtual desktops to users.

Of course not every phone is a smartphone. A common option for banks looking to secure access to online banking is SMS-based 2FA. A user simply registers her phone number, and when she wants to log in, the bank sends her a text message with a code as her one-time password.

How to apply 2FA to virtual desktop access

The traditional method to add two-factor authentication to a VDI deployment is to install the authentication server software on a couple of machines in the data center. Then configure the VDI broker to use those machines for authentication.

But why would VDI shops need to build and manage their own authentication servers, especially if they use desktop as a service? Many of the newer two-factor authentication systems are available as a service. Rather than installing their own authentication server they simply point to a service on an authentication provider.

Using a service provider frees the VDI shop from maintaining and securing the authentication service. It also removes any need for upfront purchases, allowing a per user per month, Opex, cost model. To use these services, VDI admins simply configure their VDI broker to use the service from the internet rather than an on-premises server.

Most VDI products support the RADIUS protocol for two-factor authentication. This standard is all the 2FA service needs to provide. Admins usually do not need to install an agent on premises. Instead they can just enable an outbound connection to the service.

If users can gain virtual desktop access through an internet browser, they should use two-factor authentication. Because entering two passwords to log in is more effort than just one, look at a single sign-on product as well. Once users sign on, they gain access to as many resources as possible without needing to sign on again.