BACKGROUND IMAGE: stock.adobe.com
IT pros can use two-factor authentication for VDI to provide an additional security layer that can identify end users -- but they need to use it correctly.
VDI allows IT to tightly control potentially sensitive data and enables end users to log in and consume that data from virtually anywhere. Depending on the configuration, however, administrators could expose more data than they should.
Two-factor authentication (2FA) in VMware Horizon View is an easy-to-use feature that can help prevent security breaches. A 2FA authentication system can deny bad logons due to lost passwords. The attacker may have one factor -- the password -- but not have the second factor -- a time-sensitive code.
How to set up 2FA
Horizon View supports a variety of 2FA systems out of the box, including RSA SecurID, Smart Cards and RADIUS.
Depending on how IT configures the authentication system, two-factor authentication in Horizon View can support any major RSA-supported authentication device, such as Google Authenticator. This allows an organization to retain control of their infrastructure without having to distribute hard tokens and the issues that come with it.
IT can also provide end users a portal to obtain 2FA authentication. This may sound insecure, but the authentication system only allows end users to log in if they fall within certain IP ranges -- for example, those inside the VPN or with trusted IP addresses.
IT does not have to require all end users to use 2FA. Instead, IT can group end users together and use tagging to restrict and manage users' access to the environment.
This can provide a lot of flexibility with trusted versus non-trusted or less trusted individuals and reduce the costs of licenses and 2FA consumption. It also reduces the complexity of managing a distributed 2FA system and the tokens.
End users that are required to authenticate with 2FA, however, will have to log in to the 2FA website and obtain the second factor to use their VDI instance.
Configure two-factor authentication in Horizon View
IT admins must turn on 2FA in Horizon View to use it. Within Horizon View, the setup and configuration is extremely straightforward.
IT pros should deploy 2FA carefully into their VDI. First, IT should ensure that the RSA tokens are working correctly on Windows before attempting to implement them.
Other issues can occur. For example, there is often insufficient time for end users to apply codes before they time out. In these cases, IT can increase the time out sessions.