IGEL Blog

CAC/PIV smart cards, YubiKey and more. Insider Tips on how IGEL OS uses both.
Windows 365 access with YubiKeys? Do you use Windows 365 and/or AVD? Transitioning from CAC/PIV smart cards to YubiKey (or other security keys) with CAC/PIV functionality, or mixing both? IGEL OS can use security keys with CAC/PIV. Here is how it is done!
What is PIV? PIV is an acronym for ‘Personal Identity Verification’ – a US federal government-wide credential. IGEL supports PIV.
What is CAC? CAC is an acronym for ‘Common Access Card’ – a standard identification for US defense personnel. IGEL supports CAC.
Both PIV and CAC = certificates that validate an identity. Certificates also exist in non-US government environments, like healthcare, government etc. outside of the US – this article applies to all certificate-based identification scenarios. Throughout this blog I will name everything PIV (as the function on the YubiKey that stores a user identity certificate is named PIV).
Security keys are becoming more and more popular, and using security keys in remote sessions is crucial. IGEL OS does support FIDO2 through its browsers, but when it comes to accessing Azure Virtual Desktop and Windows 365 we are waiting for FIDO2 authentication support. While waiting, there is another way to use your security keys. YubiKeys have a PIV slot, which means that you can install a certificate on the YubiKey and use that certificate for strong and rapid authentication.
Technically, the YubiKey replaces the smart card, with the benefit of faster access. Using a YubiKey instead of a common smart card will give definite speed improvements because of the architecture of the YubiKey, which has a much higher I/O rate compared to regular smart cards. Where speed is of the essence, YubiKeys are here to help!
The drawback in my view of security keys vs. smart cards is the user intervention while inserting and removing the component. It is just more cumbersome to insert a USB stick that fits only one way around (USB-A variant); this of course gets easier with the USB-C version of YubiKeys. Of course, I’m talking about the roaming user concept.
If you have the benefit of One User – One Device and can leave the YubiKey in the port, it is much easier.
Smart cards, on the other hand, are usually very easy to insert and remove because of their form factor.
When using YubiKey PIV, the stick presents itself as a smart card when inserted in the IGEL OS device. This also means that we can utilize the smart card watch daemon, which monitors insert and removal actions and allows you to script what should happen when a smart card is inserted or removed.
As you probably understand by now, you can mix users with smart cards and users with PIV security keys, as IGEL OS treats the components equally. This makes it easy for you while transitioning from smart cards to security keys, or if you just want to have a mix.
To configure IGEL OS to use your security key as a PIV device, no additional configuration is needed beyond what’s explained in this article: https://www.igel.com/blog/authentication-to-windows-365-with-igel-smart-card/
IGEL OS is not specifically tied to Windows 365. If you are using Azure Virtual Desktop (AVD) and Windows 365, or maybe even only AVD, this configuration applies to both environments. You do not need to use Windows 365 specifically.
In summary, you now know that IGEL OS enables you to use certificate-based identification to Windows 365 and/or AVD. It might be that you want to speed up authentication, you are using a mix of security keys and smart cards, or you want to increase the authentication strength for your users accessing your cloud (or local using AVD on Azure Local) desktops.
Let’s have a look at the user experience when logging in to Windows 365 using YubiKey PIV. This is the first YouTube video; the second video uses the YubiKey PIV to log in to Azure Virtual Desktop:
Hope you found this useful!
/Fred
Stay tuned to the upcoming blogs on Insider Tips with Fred Brattstig.