Protect Amazon WorkSpaces with multi-factor authentication

Rohos Logon Key v3.9 provides an effective and platform independent means of Multi-factor Authentication for your Amazon WorkSpaces desktops. You can protect access to AWS Windows desktops with Google Authentication OTP codes or Yubikey OTP codes. This greatly increase security, brings compliance with HIPPA, PCI-DSS or works as a password replacement technology.

Amazon WorkSpaces is a managed and secure Windows desktop service in AWS cloud. You can provision Windows 10 or Windows Terminal Servers in just a few minutes and quickly scale to provide multiple of desktops to workers across the globe. By default access is protected by two step authentication: AWS password and Windows password.

How to setup strong two-factor authentication control for WorkSpaces computer

1. Install Rohos Logon Key on a cloud Windows:

Download Rohos Logon Key 15-day trial>

Open Rohos Logon Key – Click Options > More…

Copy/Paste this value: {003D4E42-9B59-4818-9352-17B3F5D4ACAF}

into “Disabled Cred Prov.” field as shown in the screenshot below. Click OK.


The value {003D4E42-9B59-4818-9352-17B3F5D4ACAF} represents the Amazon provided authentication component pcoip_credential_provider.dll which is pre-installed on a cloud Windows. This authentication component implements a pass-through single factor password based authentication into Windows hosted by AWS CloudSpaces. It receives Windows password from Amazon WorkSpaces application and pass it to Windows logon screen.
In Order to prevent Single Factor authentication Rohos needs to filter-out it from logon screen.

Also in Options you need to select “For listed users” option.

Now strong MFA controls is enabled and you can continue to setup additional Authentication factors: Google Authenticator or Yubkey device.

How to setup Google Authenticator or Yubikey OTP for WorkSpaces

To setup Google Authenticator:

  1. Open Rohos Logon Key > Setup OTP.
  2. choose desired user account and select Google Authenticator.
  3. Click on display QR code – to scan configuration code with Google Authenticator application installed in your smartphone.
  4. Click Enable OTP login. Done!


To setup Yubikey in default 44 bytes OTP mode:

  1. Open Rohos Logon Key > Setup authentication device.
  2. Choose Yubikey device type.
  3. Click Gear to open Yubikey options and check “Verify OTP on yubico servers”.
  4. Optionally you may enter user Windows password – to enable password replacement method.
  5. Click Setup The Key. Done!


Rohos Logon Key licensing is lifetime (perpetual), price is one time payment. You can use the product forever. Minor updates are free (3.*) . Major updates are optional and cost 40% from the original license price. A Windows hosted in AWS WorkSpaces considered as a computer and require a separate license each. If you host Windows Server version then you need Rohos Logon Key Server license. Support by email is always free.

About Rohos Logon Key software

Rohos replaces password based Windows login with a security key or adds strong two-factor authentication policy. Multi-factor Authentication decision framework allows to combine Passwords, PIN codes, Smartphones as well as strong authentication devices like U2F FIDO keys, Yubikey, Google Authenticator one-time codes, SafeNet iKey tokens or RFID cards. With Rohos you can protect standalone computers, Terminal Servers remote desktop and Active Directory workstations as well.

You can download 15-day trial>

Get your copy of Rohos Logon Key>

View complete list of supported authentication methods for Windows logon>