Enhancing security with WebAuthn redirection in Amazon WorkSpaces

In today’s security-conscious world, organizations are implementing strong authentication methods for applications running inside virtual desktop environments. A common challenge is enabling users to leverage their local security keys and biometric devices with applications running inside a remote desktop session. Amazon WorkSpaces now addresses this challenge with WebAuthn redirection, allowing users to seamlessly use their local FIDO2-compatible authentication devices with applications running inside their Windows and Linux WorkSpaces. This redirection capability bridges the gap between physical and virtual environments, enhancing security without compromising productivity.

What is WebAuthn and why does it matter in virtual desktops?

Web Authentication (WebAuthn) is an open standard that enables strong, passwordless authentication using hardware security keys, biometrics, and platform authenticators like Windows Hello. By using WebAuthn redirection in Amazon WorkSpaces, users can leverage the same authentication methods in their virtual desktop that they use on their local devices, providing a consistent experience across environments while enhancing security.

WebAuthn redirection bridges the gap between your local authentication devices and remote applications. When an application inside your WorkSpace requests WebAuthn authentication, that request is securely redirected to your local device, allowing you to authenticate with your security key or biometric authenticator.

Implementation Options

Amazon WorkSpaces offers two approaches to WebAuthn integration:

Standard WebAuthn (Windows and Linux WorkSpaces) uses browser extensions to facilitate WebAuthn redirection, ensuring compatibility across different platforms. This implementation works with popular browsers including Microsoft Edge, Google Chrome, and Chromium.

Enhanced WebAuthn (Windows WorkSpaces) eliminates the need for browser extensions, providing a streamlined experience. Key benefits include:

  • No browser extension required
  • Support for WebAuthn in both web browsers and native Windows applications
  • Improved authentication performance
  • Seamless experience across different application types

Both approaches enable users to authenticate with a variety of FIDO2-compliant devices including YubiKeys, Windows Hello, and other biometric authenticators.

Business Benefits

WebAuthn redirection for Amazon WorkSpaces offers organizations the following benefits:

  • No USB redirection required – Use security keys and biometric authenticators without the complexity of USB device management
  • Seamless authentication experience – Users authenticate to applications in their WorkSpace using their local devices without additional configuration
  • Consistent security implementation – Apply the same authentication policies across physical workstations and virtual desktops
  • Zero additional hardware cost – Leverage existing authentication devices without purchasing specialized equipment for virtual environments

Availability

WebAuthn support is available today in all AWS Regions where Amazon WorkSpaces is offered. It works with:

  • Windows WorkSpaces bundles with DCV (both Enhanced and Standard WebAuthn)
  • Linux WorkSpaces bundles (Standard WebAuthn)
  • Amazon WorkSpaces clients for Windows, macOS, and Linux

There is no additional charge for using WebAuthn redirection with Amazon WorkSpaces.

Getting Started

To enable WebAuthn redirection in your WorkSpaces environment:

  • Ensure your WorkSpaces are running the latest version of the WSP host agent (version 2.0.0.1425 or higher on Windows and version 2.1.0.1923 or higher on Linux WorkSpaces)
  • Verify your WorkSpaces client is updated to version 5.29.0 or higher
  • Confirm that WebAuthn is enabled through Group Policy (GPO) on the WorkSpace. The feature is enabled by default.
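
The version prerequisites above can be checked across a fleet before rollout. The following is an added example, not code from AWS or the WorkSpaces documentation: it audits an exported inventory against the minimum versions listed here and compares them numerically, since a plain string comparison would wrongly accept 2.0.0.999 or 5.9.0. The inventory format, column names, and WorkSpace IDs are constructed assumptions; how you collect the versions is up to your own tooling.

```python
import csv
import io

# Minimum versions stated in the Getting Started list above.
MIN_HOST_AGENT = {"windows": "2.0.0.1425", "linux": "2.1.0.1923"}
MIN_CLIENT = "5.29.0"

# Constructed sample inventory; the column names and rows are assumptions.
SAMPLE_INVENTORY = """workspace_id,os,host_agent,client
ws-example01,windows,2.0.0.1425,5.29.0
ws-example02,windows,2.0.0.999,5.29.1
ws-example03,linux,2.1.0.1923,5.9.0
ws-example04,linux,2.10.0.5,5.30.2
ws-example05,windows,unknown,5.29.0
"""

def parse_version(text):
    """Turn '2.0.0.1425' into (2, 0, 0, 1425); raise ValueError if malformed."""
    return tuple(int(part) for part in text.strip().split("."))

def meets_minimum(found, minimum):
    """Compare numerically, padding the shorter version with zeros."""
    a, b = parse_version(found), parse_version(minimum)
    width = max(len(a), len(b))
    return a + (0,) * (width - len(a)) >= b + (0,) * (width - len(b))

def audit(inventory_csv):
    """Return {workspace_id: [reasons]} for rows that miss a prerequisite."""
    findings = {}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        reasons = []
        checks = (("host_agent", MIN_HOST_AGENT.get(row["os"].lower())),
                  ("client", MIN_CLIENT))
        for field, minimum in checks:
            try:
                if minimum is None:
                    reasons.append(f"{field}: no minimum known for os {row['os']!r}")
                elif not meets_minimum(row[field], minimum):
                    reasons.append(f"{field} {row[field]} is below {minimum}")
            except ValueError:
                # Unparseable version: report it rather than assume compliance.
                reasons.append(f"{field}: unreadable version {row[field]!r}")
        if reasons:
            findings[row["workspace_id"]] = reasons
    return findings

if __name__ == "__main__":
    for workspace, reasons in audit(SAMPLE_INVENTORY).items():
        print(workspace, "->", "; ".join(reasons))
```

Rows with an unreadable version are reported as findings rather than treated as compliant, so gaps in the inventory surface before users hit a failed authentication prompt.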

Conclusion

WebAuthn redirection in Amazon WorkSpaces eliminates the traditional barriers between local authentication devices and virtual desktop applications. By enabling your users to authenticate with their familiar FIDO2-compatible devices directly within their WorkSpaces, you can strengthen security while maintaining the productivity your organization depends on. Get started today with WebAuthn redirection and transform how your users authenticate in virtual desktop environments. For detailed implementation instructions, refer to the WebAuthn Redirection section of the WorkSpaces administrator guide.

Chirag is a Senior Product Manager for Amazon DCV, where he works with enterprise customers on remote work and virtualization solutions. He is passionate about building products that solve real business challenges while delivering intuitive user experiences.