How to ensure VDI user authentication security

Source: Internet
Author: User
Tags: ssl connection

The logon process for virtual desktops is very vulnerable to hackers, but it is possible to secure VDI user authentication with encryption and dual-factor authentication.


When users were given a physical PC, they needed that PC to reach the company's systems, and those systems used to be reachable only over the LAN. Over the past decade it has become common for employees to work from home or from anywhere with an Internet connection. VDI makes access over the Internet a simpler and more flexible way of working, but the Internet is not a friendly place.

Protecting user credentials with encryption

First, there is the risk that someone watching the network can see the user name and password used to log on to the VDI environment. If the actual data can be monitored, there is no need to guess the user name and password. To protect credentials that travel over a network such as the Internet, make sure the user name and password are encrypted in transit. Keep in mind that not every employee is friendly and not everyone on the network is an employee. Treat every network as hostile, even the office network.

The most common form of encryption is an SSL connection based on certificates. One of the most critical factors in SSL is trust: do you trust the issuer of the certificate? Establishing that trust, and allowing users to accept only trusted certificates, is a key factor in protecting passwords with SSL.

If SSL is not backed by a very trustworthy certificate source, you end up having to let users accept untrusted certificates. Even on the internal network this is not a good idea. Deploy trusted certificates and enforce that only trusted certificates are accepted, so that neither the connection nor the data it carries can be tapped.
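The two client configurations the paragraphs above contrast, as an added example that is not part of the original article: a strict TLS client context that refuses any certificate not chaining to a trusted CA (or not matching the gateway's name), the permissive "accept untrusted certificates" setting beside it, and a small audit function a VDI administrator could run over a client's context to flag the weak settings. The hypothetical `vdi.example.com` host name and the `audit_context` helper are assumptions; the `ssl` calls are standard Python.

```python
import ssl
from typing import List, Optional


def strict_client_context(cafile: Optional[str] = None) -> ssl.SSLContext:
    """Client-side TLS context that accepts only certificates chaining to a trusted CA
    and whose subject matches the host we asked for. cafile=None uses the OS trust
    store; pass the path of your own CA bundle to trust only the corporate issuer."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = True               # the cert must be for the gateway we dialled
    ctx.verify_mode = ssl.CERT_REQUIRED     # an untrusted issuer aborts the handshake
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def permissive_client_context() -> ssl.SSLContext:
    """The 'let the user accept untrusted certificates' setting the article warns
    against: any certificate, from anyone, completes the handshake."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False              # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def audit_context(ctx: ssl.SSLContext) -> List[str]:
    """Hypothetical helper: list the settings that would let credentials be tapped."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("certificate verification disabled")
    if not ctx.check_hostname:
        findings.append("hostname check disabled")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("legacy TLS versions allowed")
    return findings


if __name__ == "__main__":
    # Hypothetical gateway name; the strict context would be used as
    #   strict.wrap_socket(sock, server_hostname="vdi.example.com")
    print("strict:     ", audit_context(strict_client_context()) or "no findings")
    print("permissive: ", audit_context(permissive_client_context()))
```

With the strict context, a gateway presenting a self-signed or wrongly named certificate fails the handshake before the user name and password are ever sent; with the permissive one the logon proceeds against whatever is on the other end.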

Secure Password

One of the key issues to understand is that passwords are not very secure. Statistical analysis of leaked password lists shows that a large share of user passwords are very simple, i.e. short combinations of letters and numbers. Although it does not take much work to work out likely user names from the company's web site, the user name may still be harder to guess than the password. Brute-forcing any application that exposes a user name and password logon to the Internet does not take much time, even if the application is only reachable over SSL.

A useful supplement to a password is a second authentication factor: either a one-time password or a physical token. The life cycle of a one-time password is very short. A regular password may not expire for a month; a one-time password may change every minute.

One example is the RSA key fob, which generates a new six-digit number every minute. The user must enter the user name together with the number generated for the current minute to log on. A one-time password that an attacker obtains by sniffing the network or looking over a shoulder must be used within that minute. Even then, the attacker can use it only if the legitimate user has not already used it, because each one-time password is accepted only once.
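The one-time password behaviour the two paragraphs above describe (a six-digit code that changes every minute and is accepted only once), as an added example that is not part of the original article and not RSA's implementation: a standard HOTP/TOTP generator (RFC 4226 / RFC 6238, HMAC-SHA1) with a 60-second step, plus a server-side verifier that remembers the last step it accepted so that a sniffed code replayed within the same minute, or later, is rejected. The seed and timestamps are constructed demo values; the `OneTimePasswordVerifier` class and `demo` function are assumptions made here.

```python
import hashlib
import hmac
import struct
import time
from typing import Optional


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, now: float, step: int = 60, digits: int = 6) -> str:
    """TOTP (RFC 6238): HOTP whose counter is the number of whole steps since the epoch."""
    return hotp(secret, int(now // step), digits)


class OneTimePasswordVerifier:
    """Server side. Accepts the code for the current step and, to tolerate a little
    clock skew, the previous one, but never accepts the same step twice."""

    def __init__(self, secret: bytes, step: int = 60, digits: int = 6, window: int = 1):
        self.secret = secret
        self.step = step
        self.digits = digits
        self.window = window
        self.last_accepted = -1  # highest counter already consumed by a successful logon

    def verify(self, code: str, now: Optional[float] = None) -> bool:
        if now is None:
            now = time.time()
        current = int(now // self.step)
        for counter in range(current - self.window, current + 1):
            if counter <= self.last_accepted:
                continue  # already used: a replayed code is refused here
            if hmac.compare_digest(hotp(self.secret, counter, self.digits), code):
                self.last_accepted = counter
                return True
        return False


def demo() -> dict:
    """Constructed scenario: legitimate logon, replay of the same code, next minute."""
    secret = b"12345678901234567890"   # constructed seed (the RFC 6238 test-vector key)
    verifier = OneTimePasswordVerifier(secret, step=60)
    t0 = 100.0                          # constructed timestamp inside minute #1
    code = totp(secret, t0, step=60)
    return {
        "first_use": verifier.verify(code, t0),                     # True
        "replay_same_minute": verifier.verify(code, t0 + 20),       # False: already consumed
        "replay_next_minute": verifier.verify(code, t0 + 60),       # False: stale and consumed
        "fresh_code_next_minute": verifier.verify(totp(secret, t0 + 60, step=60), t0 + 60),
    }


if __name__ == "__main__":
    for name, accepted in demo().items():
        print(f"{name:24s} -> {'accepted' if accepted else 'rejected'}")
```

The `last_accepted` counter is what gives the "accepted only once" property; without it a code captured on the wire would remain valid for the rest of its minute, which is exactly the window the article says an attacker has. Real deployments store that counter per user in the authentication server, not in memory.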

A physical token is a device similar to a smart card that must be plugged into a card reader on the VDI client device to gain access. Tokens are normally used together with a user name, password or PIN, so the token alone does not grant access. This means that stealing just the token is of no use.

Another dual-factor mechanism uses the telephone as the second factor: the system either sends the user a one-time password or has the user dial a specific number at logon. The goal is to combine a user name, password or PIN with a telephone, RSA token or smart card before the system allows the login.

VDI is not inherently secure; security depends on how you implement the technology. Decent VDI products provide end-to-end encryption and support dual-factor authentication. Enable encryption regardless of where the user logs on from, and wherever there is an obvious attack risk, such as logon over the Internet being allowed, deploy two-factor authentication. Most VDI products can select different authentication mechanisms depending on how the user connects.
