I want to activate multi-factor authentication (MFA) for my Amazon WorkSpaces Personal client.
Resolution
To use the MFA capabilities of your identity provider (IdP), integrate SAML 2.0 with WorkSpaces Personal. If you have an IdP, then it's a best practice to use SAML 2.0 authentication.
If you can't use an IdP, then use the AWS Directory Service console to activate MFA.
Configure your on-premises or cloud-based RADIUS
Before you activate MFA, you must first set up a Remote Authentication Dial-In User Service (RADIUS) server. In the security groups for AWS Directory Service for Microsoft Active Directory (AWS Managed Microsoft AD) or AD Connector, allow inbound traffic from the RADIUS server IP address on UDP port 1812. Also allow traffic from your AWS Directory Service to your RADIUS server.
Set up a shared secret code that the RADIUS server uses to connect to AWS Managed Microsoft AD or AD Connector. Also identify the protocol that your RADIUS server uses: PAP, CHAP, MS-CHAPv1, or MS-CHAPv2.
For more information, see Multi-factor authentication prerequisites for AWS Managed Microsoft AD and Multi-factor authentication prerequisites for AD Connector.
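The following pre-flight check is an added example and is not code from the AWS article or from AWS. It validates the RADIUS values you would hand to Directory Service (the field names RadiusServers, RadiusPort, RadiusTimeout, RadiusRetries, SharedSecret, AuthenticationProtocol, DisplayLabel and UseSameUsername are the RadiusSettings fields of the `aws ds enable-radius` CLI command) and checks that a security group's ingress rules, in the IpPermissions shape returned by `aws ec2 describe-security-groups`, admit the RADIUS server on UDP 1812. Every IP address, secret and rule below is constructed for illustration, and the 16-character minimum for the shared secret is this example's own policy, not an AWS limit.

```python
"""Pre-flight checks for Directory Service RADIUS MFA settings (added example)."""
import ipaddress

# Authentication protocols the article lists for the RADIUS server.
ALLOWED_PROTOCOLS = {"PAP", "CHAP", "MS-CHAPv1", "MS-CHAPv2"}
RADIUS_PORT = 1812
MIN_SECRET_LEN = 16  # this example's own policy, not an AWS requirement

# Constructed RadiusSettings, shaped like the `aws ds enable-radius` input.
SAMPLE_SETTINGS = {
    "RadiusServers": ["10.0.5.20"],        # constructed RADIUS server IP
    "RadiusPort": RADIUS_PORT,
    "RadiusTimeout": 5,
    "RadiusRetries": 3,
    "SharedSecret": "constructed-secret-value-0123",  # constructed, not a real secret
    "AuthenticationProtocol": "MS-CHAPv2",
    "DisplayLabel": "MFA code",
    "UseSameUsername": True,
}

# Constructed IpPermissions list for the directory's security group.
SAMPLE_SG_PERMISSIONS = [
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    {"IpProtocol": "udp", "FromPort": 1812, "ToPort": 1812,
     "IpRanges": [{"CidrIp": "10.0.5.0/24"}]},
]


def validate_radius_settings(settings: dict) -> list:
    """Return the problems found in a RadiusSettings-style dict (empty list means OK)."""
    problems = []
    servers = settings.get("RadiusServers", [])
    if not servers:
        problems.append("RadiusServers is empty")
    for server in servers:
        try:
            ipaddress.ip_address(server)
        except ValueError:
            problems.append(f"RadiusServers entry is not an IP address: {server!r}")
    port = settings.get("RadiusPort")
    if not isinstance(port, int) or not 1 <= port <= 65535:
        problems.append(f"RadiusPort is not a valid port: {port!r}")
    if settings.get("AuthenticationProtocol") not in ALLOWED_PROTOCOLS:
        problems.append(
            f"AuthenticationProtocol must be one of {sorted(ALLOWED_PROTOCOLS)}")
    if len(settings.get("SharedSecret", "")) < MIN_SECRET_LEN:
        problems.append(f"SharedSecret is shorter than {MIN_SECRET_LEN} characters")
    return problems


def radius_ingress_allowed(ip_permissions: list, radius_ip: str,
                           port: int = RADIUS_PORT) -> bool:
    """True if the IpPermissions list admits UDP `port` from `radius_ip`."""
    addr = ipaddress.ip_address(radius_ip)
    for perm in ip_permissions:
        proto = perm.get("IpProtocol")
        if proto not in ("udp", "-1"):      # "-1" means all protocols
            continue
        if proto == "udp" and not (
                perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535)):
            continue
        for rng in perm.get("IpRanges", []):
            if addr in ipaddress.ip_network(rng["CidrIp"], strict=False):
                return True
    return False


def radius_ingress_rule(radius_ip: str, port: int = RADIUS_PORT) -> dict:
    """Least-privilege IpPermissions entry: UDP `port` from the RADIUS server's /32 only."""
    return {
        "IpProtocol": "udp", "FromPort": port, "ToPort": port,
        "IpRanges": [{"CidrIp": f"{radius_ip}/32",
                      "Description": "RADIUS MFA server"}],
    }


if __name__ == "__main__":
    for problem in validate_radius_settings(SAMPLE_SETTINGS) or ["settings OK"]:
        print(problem)
    for server in SAMPLE_SETTINGS["RadiusServers"]:
        if radius_ingress_allowed(SAMPLE_SG_PERMISSIONS, server,
                                  SAMPLE_SETTINGS["RadiusPort"]):
            print(f"security group admits {server}")
        else:
            print("missing rule:", radius_ingress_rule(server,
                                                       SAMPLE_SETTINGS["RadiusPort"]))
```

Run the checks against the real values before you call `aws ds enable-radius`; if a server is not admitted, the rule that `radius_ingress_rule` returns is the narrowest one to add, since it opens only the RADIUS port and only to that server's address rather than to a whole subnet.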
Activate MFA
To activate MFA, see Activate multi-factor authentication for AWS Managed Microsoft AD and Activate multi-factor authentication for AD Connector.
Related information
AWS Managed Microsoft AD prerequisites
AD Connector prerequisites
Why is MFA failing on my AWS Managed Microsoft AD directory or my AD Connector?