Which of the following is a key prerequisite required to ensure MFA can be used with AWS Workspaces?
A. A RADIUS server deployed in the on-premise environment
B. An MFA server deployed in the on-premise environment
C. An MFA server deployed in AWS
D. An MFA server deployed in AWS and in the on-premise environment
Answer - A.
To enable MFA for AWS services such as Amazon WorkSpaces and QuickSight, the key requirement is an MFA solution that is a Remote Authentication Dial-In User Service (RADIUS) server, or a plugin to a RADIUS server, already implemented in your on-premises infrastructure. WorkSpaces itself never talks to the MFA server: MFA is switched on for the directory that WorkSpaces authenticates users against (an AD Connector or AWS Managed Microsoft AD), and that directory forwards the second-factor check to the RADIUS server you register with it.
RADIUS is an industry-standard client/server protocol that provides authentication, authorization, and accounting (AAA) so that users can be admitted to network services.
For more information on enabling MFA for AWS Workspaces, please refer to the URL below:
https://aws.amazon.com/blogs/security/how-to-enable-multi-factor-authentication-for-amazon-workspaces-and-amazon-quicksight-by-using-microsoft-ad-and-on-premises-credentials/

Multi-factor authentication (MFA) adds an extra layer of security to the login process, making it more difficult for attackers to gain access to sensitive information. AWS Workspaces is a cloud-based virtual desktop infrastructure (VDI) service that allows users to access their desktop environment from anywhere.
To enable MFA with AWS Workspaces, the following key pre-requisite must be fulfilled:
Option D. An MFA Server deployed in AWS and in the on-premise environment.
Explanation:
AWS Workspaces supports MFA using a time-based one-time password (TOTP) device or SMS text messages. To use MFA with AWS Workspaces, you need to deploy an MFA server that can integrate with AWS Identity and Access Management (IAM) and provide authentication services for Workspaces users. This MFA server must be deployed both in AWS and in the on-premise environment.
The MFA server deployed in AWS can be Amazon SNS (Simple Notification Service), which supports SMS-based authentication, or AWS MFA, which generates TOTP tokens.
The MFA server deployed on-premise can be any server that supports RADIUS (Remote Authentication Dial-In User Service), such as Microsoft NPS (Network Policy Server) or FreeRADIUS. The on-premise MFA server must be configured to communicate with AWS MFA or SNS, depending on the authentication method chosen.
Once both the MFA servers are set up and configured, Workspaces users can be required to provide a second factor of authentication in addition to their password when logging in. They will be prompted to enter the TOTP code or respond to the SMS message to complete the login process.
Option A, A RADIUS server deployed in the on-premise environment, is not sufficient as it only provides the on-premise MFA server but not the MFA server in AWS.
Option B, An MFA server deployed in the on-premise environment, is not sufficient as it only provides the on-premise MFA server but not the MFA server in AWS.
Option C, An MFA server deployed in AWS, is not sufficient as it only provides the MFA server in AWS but not the on-premise MFA server.
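The exchange that the accepted answer (A) relies on, shown as an added example that is not from the page, from AWS, or from either explanation above: a RADIUS client, the role played by the directory that WorkSpaces authenticates against, sends the user's one-time code as a PAP User-Password hidden with the shared secret, and the on-premises MFA/RADIUS server answers Access-Accept or Access-Reject signed with that same secret (RFC 2865). The shared secret, user name, one-time code, NAS identifier and the `EXPECTED_OTP` table are constructed sample values, and the server's OTP check is a stand-in for whatever the real MFA product does; nothing here is WorkSpaces or AD Connector code.

```python
"""Minimal RADIUS PAP exchange (RFC 2865) between a RADIUS client, such as the
directory that WorkSpaces authenticates against, and an MFA-aware RADIUS server.
Added example; pure Python, no network, runs offline."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3                   # packet codes
USER_NAME, USER_PASSWORD, REPLY_MESSAGE, NAS_IDENTIFIER = 1, 2, 18, 32  # attribute types

# Constructed sample data (assumption, not from the page): the client/server
# shared secret and the one-time code the MFA server currently expects per user.
SHARED_SECRET = b"example-shared-secret-change-me"
EXPECTED_OTP = {"alice": b"482913"}


def _encode_attrs(attrs):
    """Attribute = Type(1) Length(1, includes the 2 header bytes) Value."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def _decode_attrs(data):
    attrs, i = [], 0
    while i < len(data):
        t, length = struct.unpack("!BB", data[i:i + 2])
        if length < 2 or i + length > len(data):
            raise ValueError("malformed RADIUS attribute")
        attrs.append((t, data[i + 2:i + length]))
        i += length
    return attrs


def hide_password(password, secret, request_auth):
    """RFC 2865 section 5.2: pad to 16-byte blocks, XOR each with an MD5 chain keyed by the secret."""
    padded = password + b"\x00" * max(16 - len(password), -len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out, prev = out + block, block
    return out


def reveal_password(hidden, secret, request_auth):
    """Inverse of hide_password; the chain is keyed by the previous ciphertext block."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], hashlib.md5(secret + prev).digest()))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def build_access_request(identifier, user, otp, secret, nas_id=b"ad-connector"):
    """Client side: the second factor travels in User-Password (PAP), hidden with the secret."""
    request_auth = os.urandom(16)
    attrs = _encode_attrs([
        (USER_NAME, user.encode()),
        (USER_PASSWORD, hide_password(otp.encode(), secret, request_auth)),
        (NAS_IDENTIFIER, nas_id),
    ])
    return struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs)) + request_auth + attrs


def handle_request(packet, secret, expected_otp=EXPECTED_OTP):
    """Server side: unhide the OTP, verify it, and sign the reply with the shared secret."""
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST or length != len(packet):
        raise ValueError("not a well-formed Access-Request")
    request_auth, attrs = packet[4:20], dict(_decode_attrs(packet[20:length]))
    user = attrs.get(USER_NAME, b"").decode(errors="replace")
    otp = reveal_password(attrs.get(USER_PASSWORD, b""), secret, request_auth)
    ok = user in expected_otp and hmac.compare_digest(otp, expected_otp[user])
    reply_attrs = _encode_attrs([(REPLY_MESSAGE, b"MFA ok" if ok else b"MFA failed")])
    header = struct.pack("!BBH", ACCESS_ACCEPT if ok else ACCESS_REJECT, identifier, 20 + len(reply_attrs))
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    response_auth = hashlib.md5(header + request_auth + reply_attrs + secret).digest()
    return header + response_auth + reply_attrs


def verify_reply(reply, request, secret):
    """Client side: trust 'accept'/'reject' only if the reply is bound to our request and secret."""
    code, identifier, length = struct.unpack("!BBH", reply[:4])
    if length != len(reply) or identifier != request[1]:
        return "tampered"
    expected = hashlib.md5(reply[:4] + request[4:20] + reply[20:] + secret).digest()
    if not hmac.compare_digest(expected, reply[4:20]):
        return "tampered"
    return "accept" if code == ACCESS_ACCEPT else "reject"


def demo(user="alice", otp="482913", client_secret=SHARED_SECRET, server_secret=SHARED_SECRET):
    """Full round trip; a secret mismatch makes the OTP unrecoverable and the reply unverifiable."""
    request = build_access_request(identifier=7, user=user, otp=otp, secret=client_secret)
    reply = handle_request(request, server_secret)
    return verify_reply(reply, request, client_secret)


if __name__ == "__main__":
    print(demo(), demo(otp="000000"), demo(server_secret=b"mismatched-secret"))
```

In a real deployment the client side is the directory, registered against the RADIUS server with `aws ds enable-radius --directory-id <id> --radius-settings ...` (server addresses, port, shared secret and authentication protocol), and the server side is the on-premises MFA product (for example NPS with an MFA extension or FreeRADIUS with an OTP module). Two practical points the code makes visible: the PAP hiding is an MD5 keystream keyed by the shared secret, not real encryption, so the RADIUS traffic between AWS and the on-premises server belongs on a private path (VPN or Direct Connect); and a shared-secret mismatch does not produce a clean "wrong code" error, the server sees garbage instead of the OTP and the client cannot validate the reply at all, which is the first thing to check when MFA for WorkSpaces fails.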