Account Takeover (ATO) fraud, in which an attacker gains control of a legitimate user's account, is among the most serious cyber-security threats for companies and consumers alike, and it keeps growing.

In this article we look at the FIDO2 authentication standard and at how it makes multi-factor user authentication to online (cloud/web) services more robust against current attack methods. FIDO2 replaces the usual knowledge-based factors (passwords) with possession and/or presence factors and relies on public-key cryptography: the server stores only the public key of each credential, so no secret that could be stolen and replayed is kept server-side, and the credential is bound to the origin of the service it was registered with, so it cannot be phished on a look-alike site. A further strong point is that end users get a faster, simpler and more practical authentication experience, which also reduces the vulnerabilities introduced by human behaviour. In this way the usual login can be replaced with one that is more secure for the company and faster and better accepted by users.

Praim thin clients also support FIDO2-compliant devices for authentication in VDI environments. We have recently integrated and verified the FIDO2 virtual channel on both our endpoints running the Praim customized Windows 10 IoT operating system and our Linux-based ThinOX operating system, so that users can log in to Citrix Cloud with FIDO2 devices, gaining both security and usability at authentication time.

One advanced use case, which we have tested and which combines the best available technologies, replaces classic authentication based exclusively on a domain username and password with FIDO2 authentication through Microsoft Entra ID (the new name for what was previously Azure Active Directory) to sign in and identify users on the Citrix Cloud portal.

Authentication choices on the Citrix portal

In this scenario each user is given a personal FIDO2 device whose management and enrollment is carried out in the Microsoft portal. Besides controlling identities and access to the Citrix VDI, Entra ID can then act as the single authentication service for the other productivity and collaboration tools used in the company, such as Office 365 and Microsoft Teams.

In the Azure portal the user is first enabled to sign in with a FIDO2 security key (the FIDO2 authentication method is enabled for that user or group); the user then registers the specific key assigned to them.

Creation of the “FIDO2” user registered with the “Thetis” key

In our use case the user was assigned a Thetis USB key, with which a sign-in workflow combining three checks was created: the PIN request is a knowledge factor; the FIDO2 device adds (i) a possession factor, the registered key itself, and (ii) a user-presence test, a physical button press on the key that proves a person is at the device.

The protection chosen in this example is strong against an external or remote attacker: user presence cannot be simulated remotely, so an attacker would have to be physically at the workstation to press the button. It may not be sufficient, however, against an insider who has spied on or otherwise learned the user's PIN and can reach the user's desk while they are absent, perhaps with the USB key left unattended. Even then the attacker has to act in person and cannot automate access. A FIDO2 key that also requires a fingerprint (the biometric replaces or supplements the PIN as the user-verification step) would give the company a more robust workflow against internal attacks too, since another user's possession factor becomes much harder to take over. Obviously, each organization has to find the right balance between cost, security, procedural requirements and user experience, based on its own context and on the criticality and sensitivity of the systems and information its employees can access.

Returning to the infrastructure and configuration side, the authentication experience can be customized further, with incremental protection and maximum flexibility of use. On portals that support FIDO2, such as the Microsoft portal in our example, the administrator can decide which device models are acceptable for authentication by setting key restriction policies that allow or block security keys by their Authenticator Attestation GUID (AAGUID). Each FIDO2 device model has its own AAGUID, which the authenticator returns in the attested credential data during registration and which identifies its type and properties. Restriction policies are useful, in particular, to enforce minimum security levels, for example by allowing only devices with specific characteristics: whether they must support biometric user verification, which transport they use (e.g. USB or NFC), and so on. One caveat: the AAGUID is a claim made by the authenticator, so a key restriction is only meaningful if the attestation statement is also verified against a trusted root (in Entra ID, the "Enforce attestation" setting); otherwise a software authenticator could present any AAGUID it likes.
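To make the two previous points concrete (the difference between user presence and user verification, and the AAGUID-based key restriction), here is an added example of the relying-party side of a FIDO2 registration check. It is illustrative code written for this article, not Praim's, Microsoft's or Citrix's implementation. It parses the WebAuthn authenticatorData structure, reads the UP/UV flags and the AAGUID from the attested credential data, and applies a policy that accepts only allow-listed key models that performed user verification. The AAGUIDs, the RP ID and the sample blobs are constructed for the example; the attestation signature is not verified here, which is exactly why a real deployment must also enforce attestation.

```python
import hashlib
import struct
import uuid
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Bits of the authenticatorData "flags" byte (WebAuthn Level 2, section 6.1).
FLAG_UP = 0x01  # user present: the button on the key was touched
FLAG_UV = 0x04  # user verified: PIN or biometric was checked by the authenticator
FLAG_AT = 0x40  # attested credential data (AAGUID, credential id, public key) follows
FLAG_ED = 0x80  # extension data follows


@dataclass
class AuthData:
    rp_id_hash: bytes
    user_present: bool
    user_verified: bool
    sign_count: int
    aaguid: Optional[uuid.UUID]      # only present during registration (AT flag set)
    credential_id: Optional[bytes]


def parse_authenticator_data(data: bytes) -> AuthData:
    """Parse the 37-byte header and, if the AT flag is set, the attested credential data."""
    if len(data) < 37:
        raise ValueError("authenticatorData shorter than the 37-byte header")
    rp_id_hash = data[:32]
    flags = data[32]
    (sign_count,) = struct.unpack(">I", data[33:37])
    aaguid = credential_id = None
    if flags & FLAG_AT:
        if len(data) < 55:
            raise ValueError("attested credential data truncated")
        aaguid = uuid.UUID(bytes=data[37:53])
        (cred_len,) = struct.unpack(">H", data[53:55])
        credential_id = data[55:55 + cred_len]
        if len(credential_id) != cred_len:
            raise ValueError("credentialId truncated")
        # The COSE public key (CBOR) follows; the policy below does not need it.
    return AuthData(rp_id_hash, bool(flags & FLAG_UP), bool(flags & FLAG_UV),
                    sign_count, aaguid, credential_id)


def check_registration(auth_data: bytes, rp_id: str,
                       allowed: Dict[uuid.UUID, str]) -> Tuple[bool, str]:
    """Key restriction on the relying-party side: listed models only, with UV performed."""
    ad = parse_authenticator_data(auth_data)
    if ad.rp_id_hash != hashlib.sha256(rp_id.encode()).digest():
        return False, "rpIdHash does not match our RP ID"
    if ad.aaguid is None:
        return False, "no attested credential data in registration"
    if not ad.user_present:
        return False, "user presence (button press) not asserted"
    if not ad.user_verified:
        return False, "user verification (PIN or biometric) not performed"
    if ad.aaguid not in allowed:
        return False, f"AAGUID {ad.aaguid} is not an allowed key model"
    return True, f"registered {allowed[ad.aaguid]}"


# Hypothetical AAGUIDs for this example; real values come from the vendor / FIDO MDS.
ALLOWED_KEYS = {
    uuid.UUID("11111111-2222-4333-8444-555555555555"): "hypothetical USB key with fingerprint",
}
OTHER_KEY = uuid.UUID("aaaaaaaa-bbbb-4ccc-8ddd-eeeeeeeeeeee")  # hypothetical, not allowed
RP_ID = "vdi.example.com"  # constructed RP ID for the sample


def build_sample_auth_data(rp_id: str, flags: int, aaguid: uuid.UUID,
                           credential_id: bytes = b"\x01" * 16) -> bytes:
    """Construct a registration authenticatorData blob (sample input, not captured traffic)."""
    # a2 01 02 03 26 is CBOR for {1: 2, 3: -7}: a minimal COSE key header, opaque to the parser
    cose_key_stub = bytes.fromhex("a201020326")
    return (hashlib.sha256(rp_id.encode()).digest()
            + bytes([flags])
            + struct.pack(">I", 0)               # signCount
            + aaguid.bytes
            + struct.pack(">H", len(credential_id))
            + credential_id
            + cose_key_stub)


if __name__ == "__main__":
    good_key = next(iter(ALLOWED_KEYS))
    samples = [
        ("touch + PIN, allowed model", build_sample_auth_data(RP_ID, FLAG_UP | FLAG_UV | FLAG_AT, good_key)),
        ("touch only, no PIN", build_sample_auth_data(RP_ID, FLAG_UP | FLAG_AT, good_key)),
        ("touch + PIN, unlisted model", build_sample_auth_data(RP_ID, FLAG_UP | FLAG_UV | FLAG_AT, OTHER_KEY)),
    ]
    for label, blob in samples:
        print(f"{label}: {check_registration(blob, RP_ID, ALLOWED_KEYS)}")
```

The UV flag is what distinguishes a key that checked a PIN or fingerprint from one that only registered a touch, so a policy that wants "biometric or PIN" must require UV and not just UP. The AAGUID check is only as strong as the attestation that accompanies it; the example deliberately leaves that signature check out, and a production relying party (or Entra ID with attestation enforced) must perform it before trusting the AAGUID.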

Furthermore, in our VDI use case it is also possible to have credential pass-through from the Citrix Cloud portal to the sessions the user launches by configuring Citrix FAS (Federated Authentication Service), which logs the user on to the virtual desktop with a certificate issued on their behalf, without a second prompt. Once inside the Citrix session, the user can keep using the FIDO2 key to authenticate to other company applications and web portals accessed from the virtual desktop. In this case all exchanges with the FIDO2 key (the PIN request, the button press) are handled directly by the Citrix Workspace App client on the endpoint, which forwards the WebAuthn request and response securely through the dedicated virtual channel; the private key never leaves the physical device.