FIDO2 Authentication to Azure Virtual Desktop and Windows 365

During IGEL Now & Next, IGEL CTO Matthias Haas announced that FIDO2 authentication for Azure Virtual Desktop and Windows 365 is coming soon!

For my fellow tech enthusiasts, this blog offers my insights into this solution.

FIDO2 authentication is frequently asked for and can be seen as an evolution of, or replacement for, ‘legacy’ smart card authentication. FIDO2 improves authentication speed, and the security keys come in a user-friendly format.

Connecting to AVD and W365

Connecting to AVD and W365 is, simplified, a three-step process: first you authenticate to the Entra ID web pages, then you authenticate to the Azure Gateways, and finally you authenticate to the VM you want to remote into. With previous versions of the Microsoft RDClientSDK, these three steps were only possible using credential stuffing: capturing the username and password from the user and then, in a secure manner, providing the captured credentials during the connection process.

A Game Changer

To enable FIDO2 authentication, IGEL implemented support for RDSAADAUTH, which is enabled in the RDClientSDK. Simplified, it lets the user authenticate to Entra ID to retrieve a token; RDSAADAUTH then takes this token and presents it to the Azure Gateways and to the VM. This is the preferred way of doing modern Entra authentication. RDClientSDK version 3, which is the foundation of the IGEL AVD App 1.3.x (the 3 stands for the SDK version that the App is based on), gave IGEL access to the Microsoft Authentication Library (MSAL) and RDSAADAUTH.

When IGEL built out the configuration to benefit from RDSAADAUTH, the next step was to build the FIDO2 integration. When a user has the Security Key authentication method enabled, and Entra calls for the security key PIN and proof of presence, we needed to add code to catch that event and provide what Entra requires.
Watch the demo video.

Stay tuned to IGEL for the IGEL AVD App 1.3.2 on the IGEL App Portal in the coming weeks.

More Choice for Users

IGEL will now be able to provide you a choice to access your AVD or Windows365 workloads using the following authentication methods:

  • Username/Password + MFA
  • Certificate Based Authentication using smart cards
  • Certificate Based Authentication using YubiKey PIV
  • FIDO2 authentication
  • Imprivata Tap-and-Go

Combined with the many options for customizing the user interface, from a clean kiosk interface (‘Boot to AVD/Windows365’) that provides a very simple access station, to any type of desktop integration and customization of the user experience with custom graphics, IGEL addresses any use case, so you are not locking yourself into one single service.

I hope you found this useful!

/Fred

Stay tuned to the upcoming blogs on Tips & Tricks with Fred Brattstig.

Related Blogs

For smart card authentication, MSAL was the key, as it embeds the smart card authentication.
Read the PIV blog: CAC/PIV smart cards, YubiKey and more. Insider tips on how IGEL OS uses both.

I have been playing specifically with YubiKeys, which come in multiple variants; I like the YubiKey 5C Nano for the one user – one device case. But for the multi-user – one device case I like the YubiKey 5 and 5C better (they come with either a USB-A or USB-C interface).


Fredrik Brattstig

Senior Technology Evangelist at IGEL