Passwordless RDP Authentication for On-Prem Servers with Smart Cards (FIDO2 Security Key)
This is a great guide on how to set up smartcard authentication for RDP, but how is this FIDO2? The type of authentication shown here leverages WinSCard APIs, not WebAuthn APIs. You can only get true FIDO2 with RDS AAD authentication.
This, 100%. FIDO2 and PIV are two different technologies altogether. Not all security keys support PIV; in fact, Yubico's "security key" is ONLY FIDO2, and you need a full YubiKey to support both FIDO2 and PIV. Great article about setting up PIV, but needs some serious clarifications.
- Farooque, Apr 08, 2025
Microsoft
Hey ajf8729, I completely agree with your point. In fact, I specifically mentioned in my blog that we're using a smart card, and highlighted that some vendors provide the PIV feature in their security keys. In my case, I’m using a YubiKey which supports PIV and allows storing a certificate securely. The reason I included “FIDO2 security key” in the title was to raise awareness so that if someone is planning to buy a security key, they can also look for PIV support in case their use case requires it.
Appreciate your input!