The Horizon DaaS portal and VDI do support a few different methods of 2FA authentication via a third-party service such as Okta, DUO, or other authentication provider.

The Horizon DaaS portal can be configured to use any RADIUS based 2FA service, many providers provide a RADIUS proxy or have direct RADIUS support. This can be configured in the Horizon DaaS Admin portal under 'Settings' and then '2 Factor Auth'.

The environment also supports 'RSA SecurID', assistance with setting this up is done on a case-by-case basis.

Other 2FA Methods

If you do not want to enable 2FA for the Admin portal or the authentication service you're using does not support the use of RADIUS for authentication then you can make use of Windows based 2FA via the use of a physical key or 2FA software.

This does vary based on the service, but generally speaking if the service supports 2FA for RDP then it will work with the Horizon Client.

Using DUO Security as an example it has a client that can be installed into the Gold Image, and then when a user connects to the VDI via the Horizon Client it brings up a window prompting to complete 2FA prior to being allowed into Windows. If the user fails 2FA or it times out the session is disconnected.