The login process for virtual desktops is especially vulnerable to hackers, but you can keep VDI user credentials secure through encryption and two-factor authentication.
Providing users with a physical PC means that they need that PC to access the company systems. This used to mean access only from the LAN, but over the last ten years it has become common for staff to work from home, or from anywhere with an Internet connection. VDI makes access from the Internet a much easier and more common way of working, but the Internet is not a friendly place.
Protecting user credentials with encryption
First off, there is a risk that an observer watching the network could see the username and password that your users enter to access the VDI environment. Why guess a username and password when you can simply listen for real ones? To help protect credentials in transit over a hostile network like the Internet, make sure the username and password are encrypted. Remember that not all of your staff are friendly people and not all of the people on your network are your staff. It is a good idea to treat every network as hostile, even the one in your office.
The most common form of encryption is a Secure Sockets Layer (SSL) connection, which is based on the use of certificates. One of the key elements of SSL is trust: Do you trust the issuer of this certificate? Establishing this trust and teaching users to only accept trusted certificates is a key part of securing passwords with SSL.
If you do not use SSL certificates from a well-trusted source, then you may have to teach users to accept untrusted certificates. Even on your internal network, this is a bad idea. Deploy trusted certificates and enforce encrypted access only using trusted certificates to avoid eavesdropping of credentials and data.
One key thing to understand is that passwords are not very secure. Statistical analysis of password lists reveals that a large proportion of user passwords are a few simple words, or number and letter combinations. Usernames might be harder to guess than the passwords that go with them, although it doesn't take a lot of research to work out likely usernames from your company's website. Any application that is accessible on the Internet with only a username and password to control access won't take a lot of effort to compromise, even if it is only accessible over SSL.
A great supplement to passwords is a second authentication factor, either a volatile password or a physical token. A volatile password is one that has a short life. Rather than expiring every month like a normal password, a volatile password is changed every minute.
More on VDI security
Guide to virtual desktop security
How VDI can improve enterprise security
Security benefits of virtual desktops
One example is a RSA key fob, which generates a new six digit number every minute. The user must enter their username and this minute's password to gain access. An attacker that observes a volatile password, either on the network or by looking over your shoulder, must use the password within one minute. Even then, it would only give them access if they use the password before the user himself, since the correct password will only be accepted once.
Physical tokens are devices such as smart cards, where the card must be inserted into a reader on the VDI client device to allow access. Tokens usually work with a username and password or PIN, so a token alone doesn't allow access. That means that a stolen token is valueless by itself.
Other two-factor authentication mechanisms use a phone number as the second factor, either by sending the user a volatile password or by having them phone a specific number while logging on. The aim is to have a combination of something you are (username), something you know (password or PIN) and something you physically have (phone, RSA token, smart card) in order to log you on.
VDI is not inherently secure or insecure; it is all about how you implement the technology. Any decent VDI product will provided end-to-end encryption as well as allowing the use of two-factor authentication. You should enable encryption anywhere users are logging on, and implement two-factor authentication wherever there is a significant risk of attack, such as where login is allowed over the Internet. Most VDI products allow for different authentication based on where the user connects from.