Token MFA for AWS Workspaces

gjohnson4 · ‎02-15-2023

For security reasons, we want hardware tokens to be used to connect to AWS Workspaces instead of DUO mobile.

We currently have a RADIUS server in place and configured Amazon Workspaces MFA to use Duo. However, when logging into workspaces we cannot connect using Duo hardware token to authenticate the user but this works fine with Duo mobile

Can anyone advise on this

raphka · ‎02-19-2023

Hi gjohnson,

Hardware tokens either Duo Branded, or generic HOTP/TOTP should indeed work with the AWS Duo integration documented below:

First the tokens will need to be associated with users.

I would recommend ensuring the hardware token authentication method is also enabled in your policies to ensure the token method is actually allowed:

Duo Mobile generated passcodes and Duo Hardware Token passcodes are HOTP codes.
They do not require to be manually refreshed.
If they are manually refreshed too often they can become out of sync causing failed authentications and may need to be resynced.

Please see the article below for further details on resyncing HOTP passcodes for Duo Mobile or a hardware token:
https://help.duo.com/s/article/2240

If the issue persists, I recommend you reach out to Duo Support for assistance and be sure to follow through the steps and provide the Support Tool output as per the article below:
https://help.duo.com/s/article/7680

gjohnson4 · ‎03-01-2023

Hi raphka,

Thanks for getting back to me

The authentication issue I’m experiencing is specific to AWS Workspaces

The policy and control Administration has Hardware tokens enabled so ideally the registered Digipass Go 6 token should work