Multi-Factor Authentication for Amazon WorkSpaces #aws

Amazon WorkSpaces is a fully managed desktop computing service in the cloud. You can easily provision
and manage cloud-based desktops that can be accessed from laptops, iPads, Kindle Fire, and
Android tablets.

Today we are enhancing WorkSpaces with support for multi-factor authentication using an
RADIUS server. In plain English,
your WorkSpaces users will now be able to authenticate themselves using the same
mechanism that they already use for other forms of remote access to your
organization’s resources.

Once this new feature has been enabled and configured, WorkSpaces users will log in
by entering their Active Directory user name and password followed by an OTP (One-Time Passcode)
supplied by a hardware or a software token.

Important Details
This feature should work with any security provider that supports RADIUS authentication (we
have verified our implementation against the
Symantec VIP and
Radius Server
products). We currently support the PAP, CHAP,
MS-CHAP1, and MS-CHAP2 protocols, along with RADIUS proxies.

As a WorkSpaces administrator, you can configure this feature for
your users by entering the connection information (IP addresses,
shared secret, protocol, timeout, and retry count) for your RADIUS
server fleet in the Directories section of the
WorkSpaces console. You can provision multiple
RADIUS servers to increase availability if you’d like. In this case
you can enter the IP addresses of all of the servers or you can
enter the same information for a load balancer in front of the

On the Roadmap
As is the case with every part of , we plan to enhance this feature over time. Although
I’ll stick to our usual policy of not spilling any beans before their time, I can say that
we expect to add support for additional authentication options such as smart cards and
certificates. We are always interested in your feature requests; please feel free to
post a note to the
Amazon WorkSpaces Forum to make sure that we see them.
You can also consult the Amazon WorkSpaces
for more information about Amazon WorkSpaces and this new feature.

Price & Availability
This feature is available now at no extra charge to Amazon WorkSpaces and you can start using it today.


PS – Last month we made a couple of enhancements to WorkSpaces that will improve integration with your
on-premises Active Directory. You can now search for and select the desired Organizational Unit (OU) from your
Active Directory. You can now use separate domains for your users and your resources; this improves both
security and manageability. You can also add a security group that is effective within the VPC associated
with your WorkSpaces desktops; this allows you to control network access from WorkSpaces to other
resources in your VPC and on-premises network. To learn more, read this
forum post.

Related posts