Instead of users authenticating to RS with passwords, it would be better to allow users and/or the server admin to configure (and require use of) public/private keypairs. This removes the need for both server and client (2 separate security surface areas) to have the password stored; in a key-based configuration, only the client needs to keep the private key.
Further. it would be nice if a keyword could be set on client+server for connection obfuscation, an additional layer of security.
Since RS uses Windows accounts for authentication, there is currently no straightforward way to do this. The obvious solution is implementation of virtual accounts (in a RS database) which could be used to authenticate to
RS; then users could optionally use Windows accounts to login
to the underlying server via RDP, etc.
Also would be good to have an option to connect virtual accounts with Windows accounts so authentication is seamless and automated.