Enable Passwordless Authentication with FIDO Security Key for Remote Desktop Connection


Passwordless authentication is the future of secure access, and FIDO2 security keys provide a robust solution for Remote Desktop Protocol (RDP) connections. By eliminating passwords, you reduce phishing risks and align with Zero Trust security principles.

Remote Desktop Connection Configuration

1. Launch `mstsc.exe` (Remote Desktop Connection).
2. Go to the Advanced tab.
3. Under User Authentication, select “Use a web account to sign in”.
4. Enter the remote device name and your Entra ID credentials.
5. When prompted, choose Security Key.
6. Insert your FIDO2 key, enter the PIN, and touch the key to authenticate.
7. Approve the RDP consent prompt to start your session.

Hybrid Entra ID-Joined Devices Setup

For hybrid environments (Entra ID + on-prem AD), follow these steps:
1. Create an AzureADKerberos RODC object in Entra ID (not linked to on-prem AD).
2. Use PowerShell to register it and enable Kerberos authentication:

    # Requires the AzureADHybridAuthenticationManagement module, run from a domain-joined
    # machine. Set-AzureADKerberosServer is the documented cmdlet; it takes the domain name
    # plus a cloud (Global Administrator) credential and an on-prem (Domain Admin) credential.
    $domain = "yourdomain.com"
    $cloudCred = Get-Credential -Message "Entra ID Global Administrator"
    $domainCred = Get-Credential -Message "On-prem Domain Administrator"
    Set-AzureADKerberosServer -Domain $domain -CloudCredential $cloudCred -DomainCredential $domainCred
    # Confirm the object was created and note its Id / DomainDnsName
    Get-AzureADKerberosServer -Domain $domain -CloudCredential $cloudCred -DomainCredential $domainCred

3. Verify the object in Active Directory Users and Computers.
4. Follow the same RDP steps as for Entra ID-joined devices.

Conditional Access for RDP Security

Enforce strict access control:

1. Go to Entra ID Portal → Security > Conditional Access.
2. Assign users/groups and select Microsoft Remote Desktop as the app.
3. Under Grant, require Phishing-resistant authentication (FIDO2).
4. Save and enable the policy.

You Should Know:

  • Avoid using domain admin accounts for hybrid-join logins: a partial TGT won’t be issued for them.
  • Verify FIDO2 key compatibility with your OS (Windows 10/11, Linux with PAM modules).
  • Linux Alternative: Use `pam-u2f` for FIDO2 authentication (the key registration goes into the per-user file, which must exist before `pamu2fcfg` writes to it, and the PAM stack of the service you protect must then reference `pam_u2f.so`):
    sudo apt install libpam-u2f 
    mkdir -p ~/.config/Yubico 
    pamu2fcfg > ~/.config/Yubico/u2f_keys 
    # then add, e.g. in /etc/pam.d/sshd:  auth required pam_u2f.so 
  • Windows Command: Check RDP session security with:
    qwinsta /server:SERVERNAME 
  • Audit Logs: Monitor Entra ID sign-ins with (AzureADPreview module after `Connect-AzureAD`; the OData filter needs an ISO 8601 timestamp, so format the date rather than interpolating `Get-Date` directly):
    Get-AzureADAuditSignInLogs -Filter "createdDateTime gt $((Get-Date).ToUniversalTime().AddDays(-1).ToString('yyyy-MM-ddTHH:mm:ssZ'))" 
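
Pulling the sign-in log is only half of the audit; the following script, an added example that is not part of the original post, reads an exported Entra ID sign-in log and flags every successful Microsoft Remote Desktop sign-in that did not use a FIDO2 security key or where the Conditional Access policy did not apply. The field names (`appDisplayName`, `status.errorCode`, `conditionalAccessStatus`, `authenticationDetails[].authenticationMethod` / `succeeded`) and the three sample records are assumptions modelled on the sign-in log JSON export; adjust them to what your tenant actually emits.

```python
import json

RDP_APP = "Microsoft Remote Desktop"        # app targeted by the Conditional Access policy
PHISHING_RESISTANT = {"FIDO2 security key"}  # methods the policy treats as phishing-resistant

# Constructed sample export (not real tenant data): one FIDO2 RDP sign-in, one password-only
# RDP sign-in with no Conditional Access applied, one non-RDP sign-in that must be ignored.
SAMPLE_EXPORT = json.dumps([
    {"userPrincipalName": "alice@example.com", "appDisplayName": RDP_APP,
     "status": {"errorCode": 0}, "conditionalAccessStatus": "success",
     "authenticationDetails": [{"authenticationMethod": "FIDO2 security key", "succeeded": True}]},
    {"userPrincipalName": "bob@example.com", "appDisplayName": RDP_APP,
     "status": {"errorCode": 0}, "conditionalAccessStatus": "notApplied",
     "authenticationDetails": [{"authenticationMethod": "Password", "succeeded": True}]},
    {"userPrincipalName": "carol@example.com", "appDisplayName": "Office 365 Exchange Online",
     "status": {"errorCode": 0}, "conditionalAccessStatus": "success",
     "authenticationDetails": [{"authenticationMethod": "Password", "succeeded": True}]},
])


def load_signins(text):
    """Accept either a JSON array export or newline-delimited JSON records."""
    text = text.strip()
    if text.startswith("["):
        return json.loads(text)
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def audit_rdp_signins(records):
    """Return (upn, reason) for each successful RDP sign-in that bypassed the FIDO2 policy."""
    findings = []
    for rec in records:
        if rec.get("appDisplayName") != RDP_APP:
            continue  # not an RDP session, out of scope for this policy
        if rec.get("status", {}).get("errorCode", 1) != 0:
            continue  # failed sign-in: nothing was granted, so nothing to enforce
        methods = {d["authenticationMethod"] for d in rec.get("authenticationDetails", [])
                   if d.get("succeeded")}
        if not methods & PHISHING_RESISTANT:
            findings.append((rec["userPrincipalName"],
                             "no phishing-resistant method: " + (", ".join(sorted(methods)) or "none")))
        if rec.get("conditionalAccessStatus") != "success":
            findings.append((rec["userPrincipalName"],
                             "Conditional Access status " + str(rec.get("conditionalAccessStatus"))))
    return findings


if __name__ == "__main__":
    for upn, reason in audit_rdp_signins(load_signins(SAMPLE_EXPORT)):
        print(f"{upn}: {reason}")
```

Run it against a real export with `load_signins(open("signins.json").read())`; an empty findings list means every successful RDP session used a FIDO2 key under the policy.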
    

What Undercode Say:

FIDO2 keys provide a phishing-resistant, passwordless future. However, ensure proper Kerberos ticket handling in hybrid setups and enforce Conditional Access policies. For Linux admins, `pam-u2f` integrates FIDO2 seamlessly. Always audit RDP sessions and enforce MFA where possible.

Expected Output:

A secure, passwordless RDP session authenticated via FIDO2 key, with Conditional Access policies enforcing phishing-resistant MFA.


References:

Reported By: Max Neo0218 – Hackers Feeds
