Citrix Virtual Apps and Desktops

FIDO2 and WebAuthn authentication

Local authorization and virtual authentication using FIDO2 and WebAuthn

Users can authenticate to applications that leverage FIDO2 or WebAuthn in their virtual session using FIDO2 security keys and integrated biometrics devices with TPM 2.0 and Windows Hello.

For more information about FIDO2, see FIDO2: WebAuthn & CTAP.

For information about using this feature, see FIDO2 redirection.

NOTE

Please note that this feature does not support logging into the virtual session using WebAuthn or FIDO2. This feature only allows using these authentication methods in applications within the virtual session.

This feature is not supported in double-hop scenarios.

Supportability matrix

Session host operating system Web application authentication UWP application authentication
Windows Server 2016 Supported via USB redirection Not supported
Windows Server 2019 Supported Not supported
Windows Server 2022 Supported Supported
Windows 10 Supported Supported
Windows 11 Supported Supported

For additional information, please review the requirements below.

Web application authentication

Requirements

The following are the requirements for using FIDO2 and WebAuthn authentication with web applications:

Citrix control plane

  • Citrix Virtual Apps and Desktops 2009 or later

Session host

  • Operating system
    • Windows 10 1809 or later
    • Windows Server 2019 or later
  • VDA
    • Windows: version 2009 or later

Client device

  • Operating system
    • Windows 10 1809 or later
    • Linux: Please refer to the Workspace app for Linux system requirements
  • Workspace app
    • Windows: version 2009.1 or later
    • Linux: 2303 or later

Web browser requirements

  • 64-bit browsers only

Authentication methods supported

  • FIDO2 Security Key
  • Windows Hello
    • TPM 2.0
    • Integrated biometrics
      • Facial recognition
      • Fingerprint scanner
    • WebAuthn

UWP application authentication

With the release of Citrix Virtual Apps and Desktops 2112, Citrix supports WebAuthn and FIDO2 authentication in UWP applications.

Applications such as Microsoft Teams, Microsoft Outlook for Office 365 and OneDrive use a UWP application for authentication as a link to Azure Active Directory. Citrix now supports using FIDO2 to authenticate those applications.

Requirements

The following are the requirements for using FIDO2 and WebAuthn authentication with UWP applications:

Citrix control plane

  • Citrix Virtual Apps and Desktops 2112 or later

Session host

  • Operating system
    • Windows 10 1809 or later
    • Windows Server 2022 or later
  • VDA
    • Windows: version 2112 or later

Client device

  • Operating system
    • Windows 10 1809 or later
    • Linux: Please refer to the Workspace app for Linux system requirements
  • Workspace app
    • Windows: version 2009.1 or later
    • Linux: 2303 or later

Authentication methods supported

  • FIDO2 Security Key
  • Windows Hello
    • TPM 2.0
    • Integrated biometrics
      • Facial recognition
      • Fingerprint scanner
    • WebAuthn

Note:

In scenarios where FIDO2 redirection is not available because the feature is not supported by the client or VDA or the operating system, USB based FIDO2 keys can be redirected using USB redirection. It is also possible to use USB redirection to redirect USB based FIDO2 keys in scenarios where FIDO2 redirection is available. In this case, you must disable FIDO2 redirection and configure the appropriate USB redirection rules. Please refer to the USB redirection device rules documentation for details on how to configure USB redirection rules.

FIDO2 and WebAuthn authentication