VMware Horizon

Improving Identity Assurance with Strong Authentication

By Archit Lohokare, Product Marketing, End-User Computing, VMware

With the advent of cloud computing and workforce mobility, stronger identity assurance has become a top priority for enterprise IT and security teams worldwide. Enterprise users and customers alike can now access services and data delivered from an enterprise’s private, public or hybrid cloud through a variety of mobile endpoints.  “Anytime-anywhere” access of applications, services and data, however, can expose an enterprise’s critical IT and data assets to malicious attacks. Evernote, for instance, recently had to reset all their 50 million users’ passwords because it detected and blocked suspicious activity on the Evernote network, and resetting user passwords was the only way to ensure that none of this data was compromised.

Organizations can and should mitigate password breaches by implementing stronger identity assurance controls (e.g., strong authentication). At VMware, we recognize the significance of having multifactor authentication built into our products. Multifactor authentication refers to the concept of using two or more forms of authentication for improved identity assurance.

The three most common forms of authentication out there today are:

  • Something you know (password, passphrase, etc.)
  • Something you have (USB key, hardware token, mobile phone, etc.)
  • Something you are (fingerprint, iris scan, voiceprint, etc.)

Horizon Workspace leverages multifactor authentication by providing built-in location-aware integration with RSA SecurID. For those of you who are new to Horizon Workspace—Horizon Workspace provides an easy way to access desktops, applications and files on any device, while enabling IT to centrally deliver, manage, and secure these assets. Horizon Workspace’s location-aware integration with SecurID allows an end user to log in using a one-time password (OTP) along with their username and password (when they log in from an insecure network). If, on the other hand, an end user attempts to log in from a secure local network, Horizon Workspace will ask for only the end user’s directory (AD) username and password.


The above illustration shows a user who attempts to log in from an insecure network. This user will ultimately have to go through the following process:

  1. The end user navigates to the organization’s Horizon Workspace home page in a browser.
  2. The home page requests a username from the user, and shows an RSA passcode request page once the user enters the correct username.
  3. The end user launches the RSA SecurID app and enters the RSA PIN.
  4. The app verifies the PIN and generates a unique one-time passcode.
  5. The user then enters this passcode and signs in.
  6. The user is successfully authenticated and is shown their Horizon Workspace homepage.

Because Horizon Workspace aggregates and provides users with single sign-on to their cloud and on-premise apps, data, and Horizon View desktops, this location-aware two-factor authentication policy protects access to corporate assets.

What’s more, Horizon Workspace lets an administrator configure these location-aware policies through an intuitive user interface. This UI lets an administrator define which range of IP addresses require basic username and password authentication, and which ones require advanced authentication (like Kerberos, RSA SecurID, etc.).

In essence, VMware’s approach lets a customer leverage their existing investment in RSA SecurID software or hardware tokens, and reduce the TCO for strong authentication. Additionally, this integration takes very little effort to implement and configure, providing a very fast ramp-up to value for the customer. To learn more about VMware Horizon Workspace and how you can better secure access to applications, data, and desktops, check out our whitepaper, VMware Horizon Workspace Security Features.