It is very important to enable MFA (multi-factor authentication), using applications such as Google Authenticator, on corporate services that are exposed on the internet and require credentials to access.
For VMware Workspace One Access, a solution that allows us to publish applications and business services on the internet, it is mandatory to activate MFA.
Since Workspace One Access version 22.09, you can use authenticator applications such as Microsoft or Google.
Enabling MFA requires a few steps:
- Enable the “Authenticator App” authentication method on Workspace One Access
- Ask the end user to install the app on their own phone or on a company one (we may be able to use services that enrol devices automatically)
- At the first access, the user will have to scan the QR code that appears on the Workspace One Access login page (in my case, we test access to Workspace One Access via the web)
Enable the “Authenticator App” authentication method on Workspace One Access
Access the Integration menu, select Authentication Methods, enable Authenticator App and select Configure.
![](https://vmvirtual.blog/wp-content/uploads/2023/04/graphical-user-interface-text-application-email.png)
We enable it and, if needed, can change the usual account lock parameters, etc.
![](https://vmvirtual.blog/wp-content/uploads/2023/04/graphical-user-interface-text-application-email-1.png)
At this point, we go to Integrations, select Identity Provider and select the IdP for our AD integration.
![](https://vmvirtual.blog/wp-content/uploads/2023/04/graphical-user-interface-text-application-email-2.png)
In the Authentication Methods menu, select Authenticator App.
![](https://vmvirtual.blog/wp-content/uploads/2023/04/graphical-user-interface-text-email-description.png)
At this point, we just need to modify the policy used by our users, adding MFA for authentication.
We go to the Resources, Policies menu, select our policy and modify it.
![](https://vmvirtual.blog/wp-content/uploads/2023/04/graphical-user-interface-text-application-email-3.png)
![](https://vmvirtual.blog/wp-content/uploads/2023/04/graphical-user-interface-text-application-email-4.png)
We select the rule we are interested in (normally the one for access from public networks, on the reasoning that those who access from the company network have already gone through other secure authentication methods …)
![](https://vmvirtual.blog/wp-content/uploads/2023/04/graphical-user-interface-text-application-email-5.png)
In the authentication methods used by the rule, we add the Authenticator App.
![](https://vmvirtual.blog/wp-content/uploads/2023/04/graphical-user-interface-text-description-automa-6.png)
![](https://vmvirtual.blog/wp-content/uploads/2023/04/graphical-user-interface-text-application-email-6.png)
From now on, all users who log in to Workspace One Access and match the rule we have modified will have the following user experience at the first login:
User experience at login
Go to the Workspace One Access public URL.
If prompted, they will have to select the domain.
![](https://vmvirtual.blog/wp-content/uploads/2023/04/graphical-user-interface-application-description.png)
Then they will have to enter their username and password.
![](https://vmvirtual.blog/wp-content/uploads/2023/04/graphical-user-interface-application-description-1.png)
Finally, they will be shown a QR code that they will have to use to configure their authenticator app (Microsoft or Google): in the chosen phone app, they add an account by scanning the QR code.
![](https://vmvirtual.blog/wp-content/uploads/2023/04/qr-code-description-automatically-generated.png)
We pick up our smartphone and launch the authentication application that we will use (in my case, Google Authenticator).
![](https://vmvirtual.blog/wp-content/uploads/2023/04/icon-description-automatically-generated.png)
We add the new account.
![](https://vmvirtual.blog/wp-content/uploads/2023/04/graphical-user-interface-text-application-descr-9.png)
We select the option to scan a QR code and scan it ![](https://vmvirtual.blog/wp-content/uploads/2023/04/word-image-866-15.png)
Enter the passcode generated after scanning the QR code in the field provided below the QR code on the web page.
![](https://vmvirtual.blog/wp-content/uploads/2023/04/qr-code-description-automatically-generated-1.png)
We will now have an account named WSA (Workspace One:WSA) linked to our authenticator app.
![](https://vmvirtual.blog/wp-content/uploads/2023/04/graphical-user-interface-text-application-descr-10.png)
From the next login onwards, after entering your username and password, you will be asked for the access code generated by the user's authenticator application.