
Support for remote desktops

Open agl opened this issue 4 years ago • 14 comments

Initially filing this as a placeholder for the level three charter:

As WebAuthn becomes more common (yay!) the need to support remote desktop products becomes more salient. This is delicate because a remote desktop violates the proximity assurances of WebAuthn, but we'll struggle to save the world from passwords if we don't support them.

Thus in level three we may wish to consider things like additional CollectedClientData fields for this and I wouldn't want charter questions to exclude that.

agl avatar Feb 24 '21 19:02 agl
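The opening post proposes that Level 3 might add CollectedClientData fields to signal a remote-desktop session. The following added example (not code from the WebAuthn spec or from any commenter) shows how a relying party would verify the fields that clientDataJSON carries today and surface any extra keys for its risk engine; the key name `hypotheticalRemoteDesktop` and the origin `https://example.com` are constructed assumptions, not spec fields.

```python
import base64
import json

# Fields a relying party expects in CollectedClientData today.
# A remote-desktop indicator is NOT among them; the thread only proposes that
# Level 3 might add one, so this verifier treats any extra key as "unknown"
# and surfaces it for logging instead of trusting or rejecting it.
KNOWN_FIELDS = {"type", "challenge", "origin", "crossOrigin", "topOrigin"}

def b64url_decode(s: str) -> bytes:
    """Decode unpadded base64url, the encoding WebAuthn uses for challenges."""
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def verify_client_data(client_data_json: bytes, expected_type: str,
                       expected_challenge: bytes, allowed_origins: set) -> dict:
    """Check the mandatory clientDataJSON fields and report unknown keys.

    Returns {'ok', 'errors', 'unknown_fields'} so the RP can log unexpected
    client-added data (e.g. a future remote-desktop flag) for risk decisions."""
    data = json.loads(client_data_json)
    errors = []
    if data.get("type") != expected_type:
        errors.append("type mismatch")
    try:
        if b64url_decode(data.get("challenge", "")) != expected_challenge:
            errors.append("challenge mismatch")
    except (ValueError, TypeError):
        errors.append("challenge not base64url")
    if data.get("origin") not in allowed_origins:
        errors.append("origin not allowed")
    if data.get("crossOrigin") is True:
        errors.append("cross-origin assertion")
    unknown = sorted(set(data) - KNOWN_FIELDS)
    return {"ok": not errors, "errors": errors, "unknown_fields": unknown}

# Constructed sample: a get() response's clientDataJSON carrying one extra key
# that a future client might emit. The key name is an assumption, not a spec field.
CHALLENGE = b"\x01\x02\x03\x04" * 8
SAMPLE = json.dumps({
    "type": "webauthn.get",
    "challenge": base64.urlsafe_b64encode(CHALLENGE).rstrip(b"=").decode(),
    "origin": "https://example.com",
    "crossOrigin": False,
    "hypotheticalRemoteDesktop": True,
}).encode()

def check_sample() -> dict:
    """Verify the constructed sample against the expected ceremony parameters."""
    return verify_client_data(SAMPLE, "webauthn.get", CHALLENGE, {"https://example.com"})
```

The unknown-field list is where a future remote-desktop signal would appear; until the spec defines one, an RP can only log it, as MasterKale's comment below notes that a browser inside a VM has no insight into USB passthrough.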

This'll be an interesting issue to solve. I can't imagine a browser running in a VM is going to have any insight into the fact that USB passthrough is being used to expose a roaming authenticator (plugged into the client running remote desktop) to it for it to report that back within clientDataJSON...

MasterKale avatar Feb 24 '21 19:02 MasterKale

The rough design that we have in mind would avoid those issues, although we're only flagging it for the charter for now.

agl avatar Feb 24 '21 20:02 agl

I think that this is already working out of the box on Windows 10 for NFC authenticators (see https://docs.microsoft.com/en-us/windows/security/identity-protection/smart-cards/smart-card-and-remote-desktop-services).

serianox avatar Apr 15 '21 19:04 serianox

Definitely not working with Okta/webauthn via Remote Desktop (never even get the prompt, have both USB yubikey + windows hello configured for the account):

[image: screenshot of the error]

kzu avatar Nov 17 '21 18:11 kzu

Tested, and working out of the box with remote desktop in NFC. In HID, it was required to configure forwarding of the USB device first. Both local and remote station were running Windows 10.

In case the remote desktop protocol doesn't forward PCSC, I suppose that forwarding the CCID is enough to get NFC working, in the same fashion as forwarding USB for HID.

serianox avatar Nov 18 '21 22:11 serianox

Hi @serianox, Could you explain how you did it with USB HID? I use RDP and tried redirection of the FIDO token device with RemoteFX, Donglify and USB over Ethernet. All three make the token visible in the device manager and I can access it in the Windows security token configuration. But every website gives me the same error as kzu showed.

> Tested, and working out of the box with remote desktop in NFC. In HID, it was required to configure forwarding of the USB device first. Both local and remote station were running Windows 10.
>
> In case the remote desktop protocol doesn't forward PCSC, I suppose that forwarding the CCID is enough to get NFC working, in the same fashion as forwarding USB for HID.

seism0saurus avatar May 05 '22 07:05 seism0saurus

@seism0saurus The remote desktop application probably needs to be launched as administrator, because it is accessing the FIDO device directly, and not through Windows' webauthn.h.

serianox avatar May 06 '22 10:05 serianox

@serianox that did not help. Which RDP tool are you using? It does not look like the built in RDP tool from windows.

seism0saurus avatar May 09 '22 06:05 seism0saurus

@serianox I'd love to know your setup for RDP with USB HID if possible please? =)

What RDP client did you use, and did you have to do anything on the server/client to enable this?

victorhooi avatar Jul 23 '22 00:07 victorhooi

It was done with VMware Horizon, with the following setup:

  • VMware Horizon Client launched as administrator (since it accesses the raw FIDO devices, and not through webauthn.dll),
  • USB forwarding for FIDO HID,
  • nothing specific for NFC thanks to Windows Smart Card Remote Desktop Services.

serianox avatar Jul 24 '22 19:07 serianox

Can someone explain to me what is happening here? I have a YubiKey connected to a Dell Wyse 3040, with a ThinOS RDP connection to a Windows 10 machine. When I try to authenticate, it says to press the button on my key, and when I do, it fails to authenticate. I was expecting it to either work or not do anything. How is it able to detect that I am connected remotely, or why else is it failing?

charlespick avatar Feb 06 '23 23:02 charlespick

> Can someone explain to me what is happening here? I have a YubiKey connected to a Dell Wyse 3040, with a ThinOS RDP connection to a Windows 10 machine. When I try to authenticate, it says to press the button on my key, and when I do, it fails to authenticate. I was expecting it to either work or not do anything. How is it able to detect that I am connected remotely, or why else is it failing?

I don't think this is a question for the WebAuthn WG, since this is about spec design. For Windows RDP specific details, you need to query Microsoft and their docs. Specifically you should look at: https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-rdpewa/68f2df2e-7c40-4a93-9bb0-517e4283a991

Firstyear avatar Feb 07 '23 00:02 Firstyear

> Can someone explain to me what is happening here? I have a YubiKey connected to a Dell Wyse 3040, with a ThinOS RDP connection to a Windows 10 machine. When I try to authenticate, it says to press the button on my key, and when I do, it fails to authenticate. I was expecting it to either work or not do anything. How is it able to detect that I am connected remotely, or why else is it failing?
>
> I don't think this is a question for the WebAuthn WG, since this is about spec design. For Windows RDP specific details, you need to query Microsoft and their docs. Specifically you should look at: https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-rdpewa/68f2df2e-7c40-4a93-9bb0-517e4283a991

Interesting that there is custom support for WebAuthn in RDP. I thought it was just USB tunneling. Thanks.

charlespick avatar Feb 07 '23 01:02 charlespick

At some point, this just started working fine for me.

kzu avatar Feb 10 '23 11:02 kzu