By Fredrik Brattstig @virtualbrat
25 March 2025 – In the past few weeks virtualbrat.com has published articles about PIV authentication using smart cards and YubiKeys. It’s time for a follow-up, and this time it is a brand-new technical breakthrough: FIDO2 authentication!
IGEL CTO Matthias Hass announced FIDO2 authentication for Azure Virtual Desktop and Windows 365 during IGEL Now & Next 2025 today!
FIDO2 authentication is frequently asked for and can be seen as an evolution of, or replacement for, ‘legacy’ smart card authentication. FIDO2 improves authentication speed, and the security keys come in a convenient format.
I have been playing specifically with YubiKeys. They come in multiple variants; for the one user, one device scenario I like the YubiKey 5C Nano, while for the multi-user, one device scenario I prefer the YubiKey 5 and 5C (available with either a USB-A or a USB-C interface).
As the title says, IGEL has FIDO2 authentication for Windows 365 and AVD coming very soon, but there is more to it. To enable FIDO2 authentication, we also needed to implement support for RDSAADAUTH. Let me describe what this means:
Connecting to AVD and W365 is (simplified) a three-step process: first you authenticate to the Entra ID web pages, then you authenticate to the Azure gateways, and finally you authenticate to the VM you want to remote into. With the previous versions of the Microsoft RDClientSDK, before RDSAADAUTH, the three steps could only be completed using credential stuffing: capturing the username and password from the user, and then providing the captured credentials, in a secure manner, at each stage of the connection process. RDSAADAUTH, which is enabled in the RDClientSDK, changes the game. Simplified, it lets the user authenticate to Entra ID to retrieve a token; RDSAADAUTH then takes this token and presents it to the Azure gateways and to the VM. This is the preferred way of modern Entra authentication.
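To make the difference between the two approaches concrete, here is an added example (not IGEL's or Microsoft's code, and not how RDSAADAUTH is implemented internally) that models the token-based flow: the identity provider issues a signed token with an audience list and an expiry, and the gateway and session host each validate that token instead of receiving the user's password. All names (`rd-gateway`, `session-host`, the signing key) are constructed for the example, and an HMAC over a shared key stands in for the asymmetric signature a real Entra token carries.

```python
import base64
import hashlib
import hmac
import json

# Constructed example key. A real identity provider signs tokens with a
# private key and publishes the public half; HMAC is used here only so the
# example runs with the standard library.
IDP_SIGNING_KEY = b"constructed-demo-signing-key"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue_token(user: str, audiences, lifetime_s: int, now: float) -> str:
    """Step 1: after the user has proven who they are to the identity
    provider, they receive a signed token. The password is not in it."""
    claims = {"sub": user, "aud": list(audiences),
              "iat": int(now), "exp": int(now) + lifetime_s}
    body = _b64url(json.dumps(claims, sort_keys=True).encode())
    sig = hmac.new(IDP_SIGNING_KEY, body.encode(), hashlib.sha256).digest()
    return f"{body}.{_b64url(sig)}"


def verify_token(token: str, expected_aud: str, now: float) -> dict:
    """Steps 2 and 3: every hop validates signature, audience and expiry of
    the token it is handed. Raises ValueError so failures cannot be ignored."""
    parts = token.split(".")
    if len(parts) != 2:
        raise ValueError("malformed token")
    body, sig_b64 = parts
    expected = hmac.new(IDP_SIGNING_KEY, body.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(body))
    if expected_aud not in claims["aud"]:
        raise ValueError("token not intended for this audience")
    if now >= claims["exp"]:
        raise ValueError("token expired")
    return claims


def token_accepted(token: str, expected_aud: str, now: float) -> bool:
    """Boolean wrapper used by callers that only need accept/reject."""
    try:
        verify_token(token, expected_aud, now)
        return True
    except ValueError:
        return False


def connect_with_token(token: str, now: float):
    """The same token is presented first to the gateway, then to the
    session host; each returns the authenticated subject it verified."""
    gateway_claims = verify_token(token, "rd-gateway", now)
    host_claims = verify_token(token, "session-host", now)
    return gateway_claims["sub"], host_claims["sub"]


if __name__ == "__main__":
    t0 = 1_700_000_000.0
    tok = issue_token("alice", ["rd-gateway", "session-host"], 300, t0)
    print(connect_with_token(tok, t0))                      # ('alice', 'alice')
    print(token_accepted(tok, "rd-gateway", t0 + 600))      # False: expired
```

The point of the audience check is that a token minted for the gateway cannot simply be reused against some other service, and the expiry bounds how long a captured token stays useful, which is the property a forwarded password never has.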
RDClientSDK version 3 is the foundation of the IGEL AVD App 1.3.x (the 3 in 1.3.x stands for the SDK version the app is based on). It gave IGEL access to the Microsoft Authentication Library (MSAL) and to RDSAADAUTH. For smart card authentication, MSAL was the key, as it embeds the smart card authentication. I believe you have seen the YubiKey PIV blog; if not, you can find it here: https://virtualbrat.com/2025/02/17/windows-365-access-with-yubikeys-do-you-use-windows-365-and-or-avd-transitioning-from-cac-piv-smart-cards-to-yubikey-or-other-security-keys-with-cac-piv-functionality-or-mixing-both-igel-os-can/
When IGEL had built out the configuration to benefit from RDSAADAUTH, the next step was to build the FIDO2 integration. When a user has the Security Key authentication method enabled, and Entra asks for the security key PIN and for proof of presence, we needed to add code to catch that event and provide what Entra requires. This is done, and here is the result:
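The "PIN and proof of presence" step above is the FIDO2/WebAuthn assertion ceremony. As an added example (not IGEL's integration code and not Entra's verifier), the following simulates both sides of that exchange: a security key returns authenticator data whose flag byte records user presence (UP, the touch) and user verification (UV, the PIN), and the relying party checks the challenge, origin, RP ID hash, those flags, the signature and the signature counter before accepting the login. The relying-party identity `login.example.test` is constructed, and an HMAC over a per-credential secret stands in for the private-key signature a real authenticator produces (in reality the relying party holds only the public key).

```python
import base64
import hashlib
import hmac
import json
import secrets
import struct

# Constructed relying-party identity; a FIDO2 credential is bound to the
# identity provider's own domain, which is what defeats phishing sites.
RP_ID = "login.example.test"
ORIGIN = "https://login.example.test"

FLAG_UP = 0x01  # authenticator-data flag: user presence (touch) confirmed
FLAG_UV = 0x04  # authenticator-data flag: user verified (PIN or biometric)


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode()


class SecurityKey:
    """Simulated FIDO2 authenticator. HMAC over a per-credential secret stands
    in for the ECDSA/EdDSA signature a real key makes with a key that never
    leaves the device."""

    def __init__(self):
        self.secret = secrets.token_bytes(32)
        self.sign_count = 0

    def get_assertion(self, rp_id: str, client_data: bytes,
                      touched: bool, pin_ok: bool):
        self.sign_count += 1
        flags = (FLAG_UP if touched else 0) | (FLAG_UV if pin_ok else 0)
        auth_data = (hashlib.sha256(rp_id.encode()).digest()   # rpIdHash
                     + bytes([flags])
                     + struct.pack(">I", self.sign_count))
        signed = auth_data + hashlib.sha256(client_data).digest()
        sig = hmac.new(self.secret, signed, hashlib.sha256).digest()
        return auth_data, sig


class RelyingParty:
    """Identity-provider side: issues challenges and verifies assertions."""

    def __init__(self, rp_id: str, origin: str):
        self.rp_id = rp_id
        self.origin = origin
        self.credentials = {}   # credential id -> {"secret": ..., "count": ...}
        self.pending = set()    # challenges issued but not yet consumed

    def register(self, cred_id: str, key: SecurityKey):
        # Registration ceremony omitted; verifier material stored directly.
        self.credentials[cred_id] = {"secret": key.secret, "count": 0}

    def new_challenge(self) -> bytes:
        challenge = secrets.token_bytes(32)
        self.pending.add(challenge)
        return challenge

    def verify_assertion(self, cred_id, client_data, auth_data, sig, require_uv):
        """Returns 'ok' or a short reason for rejecting the login."""
        cred = self.credentials.get(cred_id)
        if cred is None:
            return "unknown credential"
        cd = json.loads(client_data)
        if cd.get("type") != "webauthn.get":
            return "wrong ceremony type"
        challenge = base64.urlsafe_b64decode(cd.get("challenge", ""))
        if challenge not in self.pending:
            return "unknown or replayed challenge"
        if cd.get("origin") != self.origin:
            return "origin mismatch"
        if auth_data[:32] != hashlib.sha256(self.rp_id.encode()).digest():
            return "rpIdHash mismatch"
        flags = auth_data[32]
        if not flags & FLAG_UP:
            return "user presence not proven"
        if require_uv and not flags & FLAG_UV:
            return "user verification (PIN) not performed"
        signed = auth_data + hashlib.sha256(client_data).digest()
        expected = hmac.new(cred["secret"], signed, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, sig):
            return "bad signature"
        count = struct.unpack(">I", auth_data[33:37])[0]
        if count <= cred["count"]:
            return "signature counter did not increase"   # possible cloned key
        # Only a fully valid assertion consumes the challenge and advances the counter.
        self.pending.discard(challenge)
        cred["count"] = count
        return "ok"


def run_login(rp, key, cred_id, touched=True, pin_ok=True, require_uv=True):
    """Whole exchange: challenge -> clientData -> assertion -> verification.
    Returns the verdict plus the assertion messages, so a replay can be tried."""
    challenge = rp.new_challenge()
    client_data = json.dumps({"type": "webauthn.get",
                              "challenge": b64url(challenge),
                              "origin": rp.origin}).encode()
    auth_data, sig = key.get_assertion(rp.rp_id, client_data, touched, pin_ok)
    verdict = rp.verify_assertion(cred_id, client_data, auth_data, sig, require_uv)
    return verdict, (client_data, auth_data, sig)
```

Entra requesting the PIN corresponds to `require_uv=True`: an assertion whose flag byte lacks UV is rejected even though it is otherwise correctly signed, and a touch-only assertion is rejected when presence was not proven. The counter check is the standard clone-detection signal and is worth surfacing in monitoring rather than silently ignoring.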
IGEL is fully focused on providing an updated IGEL AVD App through the IGEL App Portal; I expect it will be a few weeks until we can release this to the public. Keep your eyes open and check for IGEL AVD 1.3.2, coming soon!
IGEL will now be able to offer you a choice of accessing your AVD or Windows 365 workloads using the following authentication methods:
- Username/Password + MFA
- Certificate Based Authentication using smart cards
- Certificate Based Authentication using YubiKey PIV
- FIDO2 authentication
- Imprivata Tap-and-Go
Combined with the many options for customizing the user interface, from a clean kiosk ‘Boot to AVD/Windows365’ interface that provides a very simple access station, to any type of desktop integration and customization of the user experience with custom graphics, IGEL addresses any use case. And with IGEL you are not locking yourself in to one single service; for IGEL it is all about the customer having the choice!
Thank you for reading!
/Fred
