Tuesday, August 6, 2019

Using FIDO2 security keys with Windows Virtual Desktop!

A couple of weeks ago Microsoft introduced the public preview of FIDO2 security key support in Azure Active Directory. More info on that announcement here:
Announcing the public preview of Azure AD support for FIDO2-based passwordless sign-in

Since Windows Virtual Desktop is based on Azure Active Directory for authentication, FIDO2 security keys can also be used to secure applications and desktops hosted on Windows Virtual Desktop (Preview).

I have configured this for my WVD lab environment, and I’m sharing the results in this blog post.

Setting up support for FIDO2 security keys for Azure Active Directory as an administrator is relatively easy. Go to the Azure Portal, browse to Azure Active Directory and under Security you will find the Authentication Methods blade.

Here you can enable FIDO2 security key support.

A user can then browse to myprofile.microsoft.com, where they can add a security key.

In my case I added a YubiKey 5 NFC, which is a USB key with gesture support.

When I now log on to Windows Virtual Desktop (in this case using the Windows client), I have the option to select "Sign in with Windows Hello or security key".

It first asks me to enter my associated PIN.

After that, it allows me to provide my gesture.

Upon doing that, the Windows Virtual Desktop client logs on and I have my applications and desktops available!

The same is obviously true for the HTML5 (web) client that WVD also provides. The screenshot below shows logging on to the web client with the same security key.

This concludes my first test of Windows Virtual Desktop secured by a FIDO2 security key. More to come!
