Amazon Web Services says the multi-factor authentication just added to WorkSpaces is the first in a series of security developments for its managed-desktop-in-the-cloud service.
The authentication that AWS announced this week takes place on an on-premises server using the RADIUS networking protocol. It will allow users to log in with their Active Directory user name and password, followed by a one-time passcode supplied by a hardware or software token, the company said.
"Your WorkSpaces users will now be able to authenticate themselves using the same mechanism that they already use for other forms of remote access to your organisation's resources," AWS chief evangelist Jeff Barr said in a blog post.
WorkSpaces enables companies to provision and manage cloud-based desktops that can be accessed from laptops, iPads, Kindle Fire, and Android tablets, according to AWS.
The new multi-factor authentication feature should work with any security provider that supports RADIUS authentication.
Barr said AWS had already verified its implementation against the Symantec VIP and Microsoft RADIUS Server products. It supports the PAP, CHAP, MS-CHAP1, and MS-CHAP2 protocols, along with RADIUS proxies.
"As a WorkSpaces administrator, you can configure this feature for your users by entering the connection information — IP addresses, shared secret, protocol, timeout, and retry count — for your RADIUS server fleet in the Directories section of the WorkSpaces console," Barr said.
"You can provision multiple RADIUS servers to increase availability if you like. In this case you can enter the IP addresses of all the servers or you can enter the same information for a load balancer in front of the fleet."
Barr said AWS plans to enhance WorkSpaces multi-factor authentication, which is available now at no extra charge, although he declined to spill "any beans before their time".
"I can say that we expect to add support for additional authentication options such as smart cards and certificates," he said.
AWS last month added features to improve integration with on-premises Active Directory. The features include the ability to search for and select the desired Organizational Unit from Active Directory, along with the use of separate domains for users and resources, improving security and manageability.
"You can also add a security group that is effective within the VPC associated with your WorkSpaces desktops; this allows you to control network access from WorkSpaces to other resources in your VPC and on-premises network," Barr said.