Blog article

Shiraishi

Remote Desktop Using Passkey with YubiOn FIDO Logon

Today we have released a new version (3.0.0.1) of YubiOn FIDO Logon. This is the first major update since the smartphone logon update last September.

With this update, you can now log into Remote Desktop using a Passkey!


YubiOn FIDO Logon interacted directly with USB devices and with the smartphone's BLE connection, so until now it could only be used in a remote environment where the USB device itself was redirected. However, with the WebAuthn redirection mechanism that Microsoft implemented for Remote Desktop last year, it is now possible to forward only the passkey authentication exchange to the connection source instead of redirecting the USB device itself. This update uses WebAuthn redirection to perform passkey authentication on the connection source when connecting to a Remote Desktop. I think this makes the product more flexible, covering cases such as accessing a company PC while working remotely or remotely accessing a PC in a data center.


■Try a remote desktop with passkey logon (FIDO logon)

First, let's look at the actual operation, after registering YubiOn FIDO Logon, installing the client application on your computer, and setting the registration code.


As a prerequisite, the OS of both the PC you are connecting to and the PC you are connecting from must be Windows 11, Windows 10, or Server 2022 (※1). Of course, Remote Desktop must also be allowed. The PC you are connecting to needs to have FIDO Logon installed (※2). This time, both PCs run Windows 11.

(※1) Some functions are restricted depending on the OS; this is discussed later.

(※2) Of course, there is no problem if FIDO Logon is also installed on the PC you are connecting from.


① Register an authenticator

First, let's register an authenticator. This can also be done over Remote Desktop. Connect to the Remote Desktop using the conventional method and start the Setting tool on the PC you are connecting to. Once it has launched, open "Authentication settings".

When operating the PC directly, the "Register smartphone" and "Register security key" buttons are displayed, but when connected via Remote Desktop a "Register authenticator remotely" button appears instead (※3). Click this button to register.

(※3) There is also a new "Register as DiscoverableCredential" checkbox, but this is the same as the corresponding setting when registering an authenticator from the web. Please see that for details.

After FIDO Logon has communicated with the server for a moment, a FIDO authentication dialog is displayed on the PC you are connecting to. Those who use passkeys or FIDO authentication on the web will recognise it: this is the standard Windows passkey authentication dialog.

This time I will register a security key, so follow the instructions in the dialog to register it. After some prompts about the information to be read from the security key, registration proceeds by touching the key (for a fingerprint authentication key) or by entering the PIN and then touching the key (for a PIN authentication key).

If you continue, a standard Windows dialog box appears, and a registration completion message also appears on the Setting tool screen on the PC you are connecting to. You are now ready to authenticate.


② Remote Desktop Login

Next, let's try an actual login.

This time I will explain the process starting from connecting to the Remote Desktop, so first sign out and disconnect the Remote Desktop session. After signing out from the Start menu, open the Remote Desktop app again on the PC you are connecting from and proceed as you usually would with a Remote Desktop Connection.

In a typical Remote Desktop Connection, the screen shown above is displayed, and once you enter your ID and password the logon desktop appears. With FIDO Logon, regular password authentication is still required here, followed by FIDO authentication on the PC you are connecting to. I will explain later why the flow is structured like this; for now, enter your ID and password as usual.

When the Remote Desktop screen opens, the FIDO authentication dialog appears on the PC you are connecting from, just as during registration (※4). Follow the instructions in the dialog to authenticate with the security key.

(※4) If it does not appear, you may need to select the YubiOn FIDO Logon icon in "Sign-in options".

This looks almost the same as during registration. If required, enter your PIN to authenticate.

Once authentication is complete, you will be asked for your password on the PC you are connecting to, the first time only. This is the same as when logging on directly: after you have entered the password once, you will not be asked for it again.

The desktop of the PC you are connecting to is now displayed in the Remote Desktop session.


■ Technical talk ① - Authentication when connecting to a Remote Desktop:

Many people who regularly use Remote Desktop Connection enter their ID and password on the PC they are connecting from before connecting. The ID and password entered at this point are the credentials required to pass Network Level Authentication (NLA) for the Remote Desktop Connection. In fact, Windows performs authentication twice when connecting to a Remote Desktop.

[Figure: authentication flow, Windows standard vs. after FIDO Logon is installed]

① Network Level Authentication - Performed when connecting to a Remote Desktop. If this authentication passes, input and output (screen display, keyboard and mouse input, etc.) can be shared.

② Windows logon authentication - Performed when logging on to the PC you are connecting to, the same as the authentication required when operating the PC directly. Normally, if ① has been passed and you can log on with the same credentials, this step is skipped.


YubiOn FIDO Logon is a product that strengthens Windows logon authentication (②); it does not cover Network Level Authentication (①). If you are concerned about the increased burden on users, it may be a good idea to save the credentials on the PC you are connecting from. As for strengthening the security of the Network Level Authentication step itself, we are not aware of any products that do so directly; please consider protecting the connection path instead, for example with Windows Server RD Gateway or VPN tunneling.
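Because FIDO Logon only hardens step ②, it is worth confirming that step ① is actually enforced on the PC you are connecting to. The following PowerShell script is an added example for this article and is not part of YubiOn FIDO Logon; it reads the standard Terminal Server registry values (well-known Windows settings, not anything product-specific) and warns if Remote Desktop is enabled without NLA.

```powershell
# Added example (not YubiOn code): run in an elevated PowerShell on the PC you are connecting TO.
# Reports whether Remote Desktop is enabled, whether Network Level Authentication (step ①) is
# required, and which RDP security layer is configured.
$tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpKey = "$tsKey\WinStations\RDP-Tcp"

function Get-RegValue([string]$Path, [string]$Name) {
    # Returns $null instead of throwing when the value is absent
    (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
}

$denyConnections = Get-RegValue $tsKey  'fDenyTSConnections'   # 0 = Remote Desktop allowed
$nlaRequired     = Get-RegValue $rdpKey 'UserAuthentication'   # 1 = NLA required before the session starts
$securityLayer   = Get-RegValue $rdpKey 'SecurityLayer'        # 0 = RDP, 1 = Negotiate, 2 = TLS

$report = [pscustomobject]@{
    RemoteDesktopEnabled = ($denyConnections -eq 0)
    NLARequired          = ($nlaRequired -eq 1)
    SecurityLayer        = $(switch ($securityLayer) { 0 { 'RDP' } 1 { 'Negotiate' } 2 { 'TLS' } default { 'unknown' } })
}
$report | Format-List

if ($report.RemoteDesktopEnabled -and -not $report.NLARequired) {
    Write-Warning 'NLA is not enforced: clients reach the logon screen (step ②) without passing step ① first.'
    # To enforce it (same effect as "Allow connections only from computers running Remote Desktop
    # with Network Level Authentication" in System Properties), uncomment the next line:
    # Set-ItemProperty -Path $rdpKey -Name UserAuthentication -Value 1
}
```

The remediation line is left commented out so the script is read-only by default; enabling NLA on a host changes which clients can connect, so confirm that every client supports CredSSP before switching it on.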


■ Technical talk ② - OS-specific constraints on WebAuthn redirection:

The WebAuthn redirection mechanism is implemented in a common Windows component, the WebAuthn API, but the functions available through this API differ by Windows version, roughly split into the Windows 10 series and the Windows 11 series. For the authentication methods using external authenticators that FIDO Logon relies on (security key authentication and cross-device authentication (※5)), the difference is whether cross-device authentication is possible.

[Figure: Windows 10 vs. Windows 11]

・Windows 10 series: Cross-device authentication is not possible.

・Windows 11 series: Cross-device authentication is possible.

However, when these are used through WebAuthn redirection, availability is determined not by the Windows version of the PC you are connecting to but by that of the PC you are connecting from. In other words, even if the PC you are connecting to runs Windows 10, you can log on with your smartphone if you connect via Remote Desktop from a Windows 11 PC. Conversely, even if the PC you are connecting to runs Windows 11, you will not be able to log on with a smartphone if you connect via Remote Desktop from a Windows 10 PC.

(※5) This was introduced as hybrid authentication in previous blog posts; as a function of FIDO Logon, it refers to smartphone authentication. FIDO-related specifications seem to be renamed relatively often.


■Summary

This time, I explained the Remote Desktop login function added in this update of YubiOn FIDO Logon. Until now we have recommended YubiOn Portal to customers considering Remote Desktop, but recently, with the spread of passkeys, we have seen more requests to use Remote Desktop with FIDO Logon. We hope this update meets the needs of those customers.


The free version has the same functionality as the paid version and can be tried for three months, so please give it a try.


■Related links

[YubiOn FIDO Logon]


[YubiOn FIDO Logon overview page]

