What is remote desktop protocol and why should you secure it?
RDP (Remote Desktop Protocol) is one of the most widely used technologies for accessing server-based applications or desktops and for enabling remote user access. This secure network communications protocol was developed by Microsoft.
Unfortunately, using RDP in its simplest form is a huge security risk. The UK NCSC (National Cyber Security Centre) has identified unprotected RDP as the #1 cause of ransomware attacks. And these attacks can take place really, really fast when only passwords are used without any further security measures.
A “honeypot” experiment by Unit 42 in the summer of 2021 found that 80% (!) of its unprotected RDP setups were hacked within 24 hours. Ouch. And these attacks are not isolated: on average, the honeypot RDP environments were attacked every 11 hours.
It’s clear that the need for additional security measures is high, without complicating the settings for admins or the login experience for end users.

What is Multi-factor authentication and how does it work?
One of the recommendations for protecting the RDP environment from getting hacked and guaranteeing maximum security is to add multi-factor authentication (MFA). Note that this is one recommendation, but far from the only one. However, it is one that should in fact be in every company’s global policy.
Multi-factor authentication is a secure authentication method that, instead of just asking for a username and a password, requires users to provide additional verification factors. Only then can users log in and get access to the resources they want to use.
An example is using something you know (a password) and something you have (a one-time passcode generated by an authentication application on your mobile phone) to log in. Another verification factor could be something you ‘are’, like your fingerprint or face.
In the case of multi-factor authentication, users need to verify themselves with credentials from at least two of these three different factor categories, whereas we speak of two-factor authentication (2FA) when users need exactly two credentials.
We can only emphasize that it’s really important to have at least two-factor authentication configured, as using only passwords can leave your company network vulnerable.
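As an added illustration of the “something you know plus something you have” combination described above (example code written for this post, not part of the original article or of any Awingu product): a minimal server-side verifier that checks a salted password hash and an RFC 6238 time-based one-time passcode (TOTP, the kind an authenticator app on a phone generates), with a drift window and replay protection. The demo secret is the shared key from the RFC 4226 / RFC 6238 test vectors; the user, password and timestamps are constructed values.

```python
import hashlib
import hmac
import os
import struct
from typing import Optional

# Constructed demo key: the shared secret from the RFC 4226 / RFC 6238 test vectors.
# A real deployment generates a random per-user secret at enrolment time.
DEMO_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the current 30-second time step."""
    return hotp(secret, unix_time // step, digits)


def match_totp(secret: bytes, submitted: str, unix_time: int,
               step: int = 30, digits: int = 6, window: int = 1) -> Optional[int]:
    """Return the time-step counter whose code equals `submitted`, or None.

    `window` steps on either side are accepted to tolerate clock drift between the
    phone and the server. The comparison is constant-time to avoid a timing side channel.
    """
    counter = unix_time // step
    for delta in range(-window, window + 1):
        candidate = counter + delta
        if hmac.compare_digest(hotp(secret, candidate, digits), submitted):
            return candidate
    return None


class User:
    """Server-side record: salted PBKDF2 password hash, TOTP secret, last accepted step."""

    def __init__(self, password: str, totp_secret: bytes) -> None:
        self.salt = os.urandom(16)
        self.pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, 200_000)
        self.totp_secret = totp_secret
        self.last_counter = -1  # highest time step already used; blocks code replay


def login(user: User, password: str, code: str, unix_time: int) -> bool:
    """Two-factor check: something you know (password) and something you have (TOTP)."""
    attempt = hashlib.pbkdf2_hmac("sha256", password.encode(), user.salt, 200_000)
    password_ok = hmac.compare_digest(attempt, user.pw_hash)
    matched = match_totp(user.totp_secret, code, unix_time)
    # Evaluate both factors before deciding, so a failed password does not short-circuit
    # and leak which factor was wrong through response timing.
    if not password_ok or matched is None:
        return False
    if matched <= user.last_counter:
        return False  # same one-time code submitted twice: treat as a replay
    user.last_counter = matched
    return True


if __name__ == "__main__":
    # Constructed walk-through with fixed timestamps so the output is reproducible.
    alice = User("correct horse battery staple", DEMO_SECRET)
    now = 59  # RFC 6238 test time: step counter 1
    code = totp(DEMO_SECRET, now)
    print("code for this step:", code)
    print("password + code   :", login(alice, "correct horse battery staple", code, now))
    print("replayed code     :", login(alice, "correct horse battery staple", code, now))
    print("wrong code        :", login(alice, "correct horse battery staple", "000000", now + 30))
```

Two design points worth noting: the verifier remembers the highest time step it has accepted, so a code that was already used (for example, one captured from a phishing page) is rejected even while it is still inside the drift window; and both factors are checked before the decision is made, so an attacker cannot learn from response time which of the two was wrong.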
How to enable MFA for RDP?
You’d think that the reason many businesses are not using multi-factor authentication as an extra layer on top of RDP today is a lack of solutions. However, the opposite is true: the number of options in the MFA space for securing your access is as plentiful as fish in the ocean. At Awingu, we have also provided built-in two-factor authentication capabilities as part of the product since day 1.
The purpose of this post is to bring some structure into your MFA solution options. We’ll mention some specific vendor solutions, but keep in mind that there are many players in this domain. Rather than comparing vendors, we will look at the architecture, the complexity of setup and the cost elements in play.
We’re not making any analysis (or judgement) in this blog on which MFA token generation method is better than another (e.g. is SMS as a token as secure as a time-based token generated on a phone?).
What are the options for MFA?
On the highest level, multi-factor authentication can be added on top of RDP by using:
- A multi-factor authentication vendor/product such as Duo Security, OKTA MFA, … and many more;
- An external Identity Provider (IdP) and the MFA services linked to this IdP. Specifically, we look at Microsoft’s Azure Active Directory and the linked Azure MFA service;
- A VPN (let’s assume with MFA-based authentication) before enabling access to the RDP service. It would still be best practice to additionally add at least two-factor authentication on top of the remote desktop connection;
- Certificate-based authentication, where the certificate sort of takes the role of the second factor;
- Awingu, a browser-based remote access solution that makes RDP-based apps/desktops available in HTML5 (on any browser). Awingu comes with built-in MFA options and enables combinations with (1) third-party multi-factor authentication products and (2) Identity Providers (IdP).
In this comparison, we have made a distinction between (a) remote desktop deployments that leverage the RDP client to launch RDP services and (b) deployments with Remote Desktop Gateway. The latter is a web application that enables launching RDP services from the browser: from there, the user opens a configuration file that makes the locally installed RDP client on the device open the session. The benefit of using a Remote Desktop Gateway is that only port 443 (https) is open. Option (a) requires opening port 3389 for external use, which is a no-go from a security point of view.
For completeness’ sake: Awingu does not require the use of Remote Desktop Gateway. It connects over Remote Desktop Protocol to RD Session Hosts (server or desktop) and then acts as an HTML5 gateway, making all sessions available over https in the browser (using just port 443). RDP as such is not made available externally. While Awingu replaces the need for RD Gateway, it actually offers much more.
How to compare multi factor authentication solutions?
Dare to compare… even if it feels a bit like comparing apples with oranges. We’ve tried to come up with a perspective on:
- Complexity: the m