KB001: Configure FIDO Login Support for Workspace Client

Last Updated: July 30, 2025

Applies To: Accops Workspace Windows Client 7.2.0.1040 and above

Category: Security & Access Control

Feature Status: Stable

Overview

This guide explains how to configure FIDO-based second-factor authentication for Accops Workspace Windows Client. This feature enables users to authenticate using Windows Hello (PIN, fingerprint) or FIDO2-compliant security keys after password entry. FIDO authentication provides enhanced security through strong second-layer authentication that reduces credential-based attacks and meets regulatory compliance requirements.

Prerequisites

  • Gateway Version: HySecure Gateway 5.4 SP6 or HySecure Gateway 7.0 and above.
  • Client Version: Accops Workspace Windows Client 7.2.0.1040 or higher.
  • Administrative Access: Security Officer or Administrator access to HySecure Management Console.
  • Windows Configuration: Windows PIN or Biometric settings activated on endpoint device.
  • Network Connectivity: HTTPS connectivity between client and HySecure Gateway.
  • Knowledge Requirement: Understanding of HyID policy configuration and multi-factor authentication concepts.

Benefits

  • Enhanced Security: Strong second-layer authentication significantly reduces credential-based attacks and unauthorized access attempts.
  • Regulatory Compliance: Meets multi-factor authentication requirements for HIPAA, SOX, PCI-DSS, and other regulatory standards.
  • Improved User Experience: Seamless biometric authentication eliminates complex token management and reduces password dependency.
  • Passwordless Foundation: Establishes infrastructure for transitioning to passwordless authentication models in future implementations.

FIDO Authentication Methods

Windows Hello Integration

  • Description: Native Windows biometric authentication using PIN, fingerprint, or facial recognition.
  • Use Case: Ideal for corporate-managed Windows devices with built-in biometric sensors.
  • Requirements: Windows 10/11 with Windows Hello configured and active.

FIDO2 Security Keys

  • Description: Hardware-based authentication tokens supporting FIDO2/WebAuthn standards.
  • Use Case: Suitable for high-security environments requiring physical authentication tokens.
  • Requirements: FIDO2-compliant hardware keys (YubiKey, Microsoft Security Key, etc.).

Platform Support

Client Mode         Windows 8/8.1   Windows 10/11   Server 2016-2025   Support Level
Full Admin Client   Yes             Yes             Yes                Full Support
HyBrid Mode         Yes             Yes             Yes                Full Support
HyLite Mode         Yes             Yes             Yes                Full Support
On-Demand Client    Yes             Yes             Yes                Full Support

Procedure Part 1: Gateway Configuration

Step 1: Create HyID Policy with FIDO Token

  1. Access Management Console
    • Log in to HySecure Management Console as Security Officer or Administrator.
    • Navigate to Policies > HyID Policies section.

  2. Create New HyID Policy
    • Click Add or Create New Policy button.
    • Enter policy name (e.g., "FIDO-Authentication-Policy").
    • Set policy description: "FIDO-based second-factor authentication policy".

  3. Configure FIDO Token Settings
    • In the Authentication Methods section, enable FIDO Token.
    • Set Authentication Type to Second Factor Authentication.
    • Configure Token Validity Period (recommended: 30 days).
    • Enable Device Registration Required for first-time users.

[IMAGE PLACEHOLDER: HyID Policy FIDO token configuration interface]

Step 2: Configure Gateway Hostname Settings

  1. Navigate to Site Configuration
    • Go to Management Console > Sites > [Your Site Name].
    • Locate the "Public IP Address and Port" field.

  2. Set Gateway Hostname
    • Critical Requirement: Specify Gateway Address as a hostname (not an IP address).
    • Example: gateway.company.com:443 instead of 192.168.1.100:443.
    • FIDO credentials are bound to the relying party's DNS name, so registration and authentication cannot complete when the gateway is identified by an IP address.

  3. Verify DNS Resolution
    • Ensure the hostname resolves correctly from client devices.
    • Test DNS resolution: nslookup gateway.company.com
    • Confirm the SSL certificate presented by the gateway matches the configured hostname.

[IMAGE PLACEHOLDER: Site configuration with hostname setting]

Step 3: Assign HyID Policy to Users

  1. User Policy Assignment
    • Navigate to Users → [Username] → Policies
    • Assign the created FIDO HyID policy to target users
    • Set policy priority if multiple authentication policies exist

  2. Group Policy Assignment (Alternative)
    • Navigate to Groups → [Group Name] → Policies
    • Assign FIDO policy to user groups for bulk deployment
    • Verify policy inheritance for group members

Procedure Part 2: Client Device Configuration

Step 1: Configure Windows Authentication Methods

  1. Enable Windows PIN
    • Navigate to Windows Settings → Accounts → Sign-in Options
    • Click PIN (Windows Hello) section
    • Click Set up and follow the PIN creation wizard
    • Create a minimum 6-digit PIN following organizational policy

  2. Enable Biometric Authentication (If Available)
    • In Sign-in Options, locate Fingerprint (Windows Hello) or Face (Windows Hello)
    • Click Set up for available biometric methods
    • Complete biometric enrollment following on-screen prompts
    • Test biometric authentication functionality

  3. Verify Windows Hello Status
    • Confirm "Windows Hello is ready to use" message appears
    • Test Windows Hello authentication with Windows lock screen
    • Ensure biometric sensors function correctly

[IMAGE PLACEHOLDER: Windows Hello configuration interface]

Step 2: Install FIDO2 Security Key (If Using Hardware Tokens)

  1. Hardware Key Setup
    • Insert FIDO2-compliant security key into USB port
    • Navigate to Windows Settings → Accounts → Sign-in Options
    • Click Security Key section and select Set up

  2. Key Registration Process
    • Follow Windows prompts to register security key
    • Create key PIN when prompted (different from Windows PIN)
    • Test security key functionality with Windows authentication

  3. Verify Key Recognition
    • Confirm security key appears in Windows Hello devices
    • Test key responsiveness and LED indicators
    • Ensure key firmware is updated to latest version

Configuration Examples

Example 1: Corporate Environment with Windows Hello

Configuration:

  • HyID Policy: FIDO-Corporate-Policy
  • Authentication Method: Windows Hello PIN + Fingerprint
  • Gateway Hostname: vpn.corporation.com
  • Token Validity: 30 days
  • Registration Mode: User self-registration on first login

Use Case: Standard corporate deployment with company-managed Windows 10/11 devices equipped with fingerprint sensors

Benefits: Seamless user experience with strong biometric authentication and centralized policy management

Example 2: High-Security Environment with Hardware Tokens

Configuration:

  • HyID Policy: FIDO-HighSecurity-Policy
  • Authentication Method: YubiKey 5 Series FIDO2 token
  • Gateway Hostname: secure-gateway.organization.gov
  • Token Validity: 7 days (shorter for high-security)
  • Registration Mode: Administrator-assisted registration

Use Case: Government, financial, or healthcare environments requiring hardware-based authentication

Benefits: Maximum security with tamper-resistant hardware tokens and strict validation policies

Example 3: Mixed Environment with Multiple Methods

Configuration:

  • HyID Policy: FIDO-Flexible-Policy
  • Authentication Method: Windows Hello PIN, Fingerprint, and Security Key options
  • Gateway Hostname: remote.company.org
  • Token Validity: 14 days
  • Registration Mode: User choice during registration

Use Case: Diverse user base with varying device capabilities and security requirements

Benefits: Flexibility for users while maintaining consistent security standards across the organization

FIDO Registration Process

First-Time User Registration

Registration Workflow:

  1. Initial Authentication: User provides username and password credentials
  2. 2FA Selection: User selects FIDO token from available second-factor options
  3. Registration Redirect: System redirects to HyLite registration interface
  4. Method Selection: User chooses from available FIDO methods:
    • Windows PIN authentication
    • Biometric authentication (fingerprint/face)
    • Hardware security key
  5. Device Binding: Selected method binds to user account and device
  6. Registration Completion: Confirmation message indicates successful registration

Registration Security:

  • Device binding prevents cross-device token reuse
  • Cryptographic key pairs generated during registration
  • Private keys stored securely on device/hardware token
  • Public keys registered with HySecure Gateway

Multi-Device Registration

Device Management:

  • Users can register multiple devices with same account
  • Each device maintains separate FIDO credentials
  • Administrative visibility into registered devices per user
  • Capability to revoke individual device registrations

Verification and Testing

Functional Testing

  1. First-Time Registration Test
    • Create test user with FIDO policy assignment
    • Perform initial login and complete FIDO registration
    • Verify registration success and token binding
    • Expected Result: User successfully registers FIDO method and completes authentication

  2. Subsequent Authentication Test
    • Log out test user and perform second login attempt
    • Verify FIDO authentication prompt appears
    • Complete authentication using registered method
    • Expected Result: User authenticates successfully without re-registration

  3. Multiple Method Test
    • Register multiple FIDO methods for single user (PIN + fingerprint)
    • Test authentication using each registered method
    • Verify method selection interface functionality
    • Expected Result: All registered methods function correctly

Integration Testing

  1. Cross-Platform Compatibility Test
    • Test FIDO authentication across different client modes
    • Verify functionality on various Windows versions
    • Test with different hardware configurations
    • Expected Result: Consistent functionality across supported platforms

  2. Network Connectivity Test
    • Test FIDO authentication over various network conditions
    • Verify functionality through corporate firewalls and proxies
    • Test with network interruptions during authentication
    • Expected Result: Robust authentication under network constraints

Monitoring and Logging

Authentication Event Logging:

  • Successful FIDO authentications: User, timestamp, method used, device identifier
  • Failed authentication attempts: User, failure reason, timestamp, source IP
  • Registration events: New device registrations, method changes, token binding
  • Administrative actions: Policy changes, user assignments, device revocations

Log Analysis:

  1. Navigate to HySecure Management Console > Monitoring > Authentication Logs
  2. Filter by Authentication Type: FIDO for FIDO-specific events
  3. Monitor authentication success rates and failure patterns
  4. Review registration trends and device proliferation

Performance Metrics:

  • Average authentication time for FIDO methods
  • Registration completion rates
  • User adoption statistics
  • Support ticket volume related to FIDO authentication
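The following PowerShell script is an added example, not part of the Accops console, showing the success-rate and failure-pattern analysis described above run over sample log lines. The lines and their field layout are constructed for illustration from the event fields listed under Authentication Event Logging; the pattern must be adapted to the real export of Monitoring > Authentication Logs.

```powershell
# Added example, not part of the Accops console. The log lines and their field layout are
# constructed from the event fields listed above; adapt $Pattern to the real export of
# Monitoring > Authentication Logs.
$SampleAuthLog = @'
2025-07-30T08:01:12Z RESULT=SUCCESS USER=alice METHOD=WindowsHello-PIN DEVICE=LT-0421 SRC=10.0.5.21
2025-07-30T08:02:40Z RESULT=FAILURE USER=bob METHOD=FIDO2-Key REASON=AssertionInvalid SRC=203.0.113.9
2025-07-30T08:02:55Z RESULT=FAILURE USER=bob METHOD=FIDO2-Key REASON=AssertionInvalid SRC=203.0.113.9
2025-07-30T08:03:10Z RESULT=FAILURE USER=bob METHOD=FIDO2-Key REASON=AssertionInvalid SRC=203.0.113.9
2025-07-30T08:05:00Z RESULT=SUCCESS USER=carol METHOD=WindowsHello-Fingerprint DEVICE=LT-0177 SRC=10.0.5.40
2025-07-30T08:06:31Z RESULT=REGISTRATION USER=dave METHOD=FIDO2-Key DEVICE=LT-0502 SRC=10.0.5.55
2025-07-30T08:07:02Z RESULT=FAILURE USER=alice METHOD=WindowsHello-PIN REASON=UserCancelled SRC=10.0.5.21
'@ -split '\r?\n'

$Pattern = '^(?<ts>\S+) RESULT=(?<result>\w+) USER=(?<user>\S+) METHOD=(?<method>\S+)' +
           '(?: DEVICE=(?<device>\S+))?(?: REASON=(?<reason>\S+))? SRC=(?<src>\S+)$'

function ConvertFrom-FidoAuthLog([string[]]$Lines) {
    foreach ($line in $Lines) {
        if ($line -notmatch $Pattern) { continue }            # skip lines that do not fit the layout
        [pscustomobject]@{ Time = [datetime]$Matches.ts; Result = $Matches.result; User = $Matches.user
                           Method = $Matches.method; Device = $Matches.device; Reason = $Matches.reason
                           Src = $Matches.src }
    }
}

function Get-FidoAuthSummary([string[]]$Lines, [int]$FailureThreshold = 3, [int]$WindowMinutes = 5) {
    $events   = @(ConvertFrom-FidoAuthLog $Lines)
    $attempts = @($events | Where-Object { $_.Result -in 'SUCCESS', 'FAILURE' })
    $failures = @($events | Where-Object { $_.Result -eq 'FAILURE' })
    # Repeated failures for one user from one source inside the window: review that
    # account's registered devices (see Multi-Device Registration) and revoke if needed
    $suspects = foreach ($g in ($failures | Group-Object User, Src)) {
        $times = @($g.Group.Time | Sort-Object)
        if ($g.Count -ge $FailureThreshold -and ($times[-1] - $times[0]).TotalMinutes -le $WindowMinutes) {
            [pscustomobject]@{ User = $g.Group[0].User; Src = $g.Group[0].Src; Failures = $g.Count
                               Reasons = (@($g.Group.Reason | Sort-Object -Unique) -join ',') }
        }
    }
    [pscustomobject]@{
        Attempts      = $attempts.Count
        SuccessRate   = if ($attempts.Count) { [math]::Round(100 * ($attempts.Count - $failures.Count) / $attempts.Count, 1) } else { 0 }
        Registrations = @($events | Where-Object { $_.Result -eq 'REGISTRATION' }).Count
        ByMethod      = (@($attempts | Group-Object Method | ForEach-Object { "$($_.Name)=$($_.Count)" }) -join ' ')
        Suspects      = @($suspects)
    }
}

Get-FidoAuthSummary -Lines $SampleAuthLog | Format-List
```

On the sample above the summary reports six attempts, a 33.3 percent success rate, one registration, and flags bob from 203.0.113.9 with three AssertionInvalid failures inside the window.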

Security Considerations

Device Security

Endpoint Protection:

  • Windows Hello Security: Biometric data stored locally in Trusted Platform Module (TPM)
  • Hardware Token Security: Private keys never leave FIDO2 security device
  • Anti-Tampering: Hardware tokens include tamper detection and resistance
  • Cryptographic Standards: FIDO2/WebAuthn compliance ensures industry-standard security

Access Control:

  • Device registration limited to authorized users with valid initial credentials
  • Administrative capability to revoke device registrations remotely
  • Policy-based control over acceptable FIDO authentication methods
  • Integration with existing identity and access management systems

Network Security

Communication Protection:

  • All FIDO authentication communications encrypted using TLS 1.2 or higher
  • Certificate validation ensures secure communication channels
  • Protection against man-in-the-middle attacks through certificate pinning
  • Network traffic analysis capabilities for authentication monitoring

Privacy Protection:

  • Biometric data never transmitted over network
  • FIDO tokens generate unique key pairs per service
  • No cross-service tracking or correlation capabilities
  • Compliance with privacy regulations (GDPR, CCPA, etc.)

Troubleshooting

Common Issues:

FIDO Registration Fails:

  • Issue: User cannot complete FIDO token registration during first login
  • Check: Verify Windows Hello is properly configured and functional on endpoint device
  • Verify: Confirm HyID policy includes FIDO token configuration and is assigned to user
  • Solution: Reset Windows Hello settings and re-enable PIN/biometric authentication
  • Prevention: Provide users with Windows Hello configuration guide before FIDO deployment

Authentication Prompt Not Appearing:

  • Issue: FIDO authentication prompt does not appear during login process
  • Check: Verify gateway hostname is configured correctly (not IP address)
  • Verify: Confirm DNS resolution of gateway hostname from client device
  • Solution: Update gateway configuration to use FQDN instead of IP address
  • Prevention: Implement DNS monitoring and certificate management procedures

Hardware Token Not Recognized:

  • Issue: FIDO2 security key not detected by Windows or client application
  • Check: Verify security key is FIDO2/WebAuthn compliant and properly inserted
  • Verify: Confirm latest Windows updates and security key firmware installed
  • Solution: Update security key firmware and reinstall Windows Hello security key configuration
  • Prevention: Maintain inventory of approved security key models and firmware versions

Cross-Device Authentication Issues:

  • Issue: FIDO authentication fails when user switches to different device
  • Check: Verify user understands device-specific nature of FIDO registration
  • Verify: Confirm user has completed registration process on current device
  • Solution: Complete FIDO registration process on each device user intends to use
  • Prevention: User training on FIDO device binding concepts and multi-device workflows

Diagnostic Steps

Registration Diagnostics:

# Windows Hello Status Check
Get-WindowsHelloPIN
Get-WindowsHelloFingerprint
Get-WindowsHelloFace

Network Connectivity Diagnostics:

  1. DNS Resolution Test: nslookup [gateway-hostname]
  2. HTTPS Connectivity Test: Test-NetConnection [gateway-hostname] -Port 443
  3. Certificate Validation: Browser certificate inspection for gateway hostname
  4. Network Path Analysis: tracert [gateway-hostname] for routing verification
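The PowerShell script below is an added example (not Accops tooling) that automates the checks from Procedure Part 1, Step 2 (hostname rather than IP, DNS resolution, certificate matching the hostname) and the connectivity diagnostics listed above, run from a client endpoint. gateway.company.com is the guide's illustrative name, not a real gateway.

```powershell
# Added example, not the Accops product's own tooling: it checks the value entered in
# "Public IP Address and Port" from a client endpoint. gateway.company.com is the guide's
# illustrative name, not a real gateway.
function Get-CertificateDnsNames($Cert) {
    # Subject Alternative Name entries (OID 2.5.29.17), falling back to the subject CN
    $san = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    $names = if ($san) { @([regex]::Matches($san.Format($false), 'DNS Name=([^,\s]+)') |
                           ForEach-Object { $_.Groups[1].Value }) } else { @() }
    if ($names.Count -eq 0 -and $Cert.Subject -match 'CN=([^,]+)') { $names = @($Matches[1]) }
    return $names
}

function Test-HostnameMatch([string]$HostName, [string[]]$Names) {
    foreach ($n in $Names) {
        if ($n -eq $HostName) { return $true }
        # A wildcard covers exactly one label: *.company.com matches gateway.company.com only
        if ($n.StartsWith('*.') -and $HostName -like $n -and
            $HostName.Split('.').Count -eq $n.Split('.').Count) { return $true }
    }
    return $false
}

function Test-FidoGatewayAddress([string]$Address) {   # "hostname:port" as set on the site
    $hostName, $portText = $Address -split ':', 2
    $port = if ($portText) { [int]$portText } else { 443 }
    $r = [ordered]@{ Host = $hostName; Port = $port; IsHostname = $false; Resolves = $false
                     TlsConnected = $false; ChainValid = $false; NameMatches = $false; CertNames = @() }
    # FIDO credentials are bound to a DNS name, so an IP literal fails at the first check
    $ip = $null
    $r.IsHostname = -not [System.Net.IPAddress]::TryParse($hostName, [ref]$ip)
    if (-not $r.IsHostname) { return [pscustomobject]$r }
    # DNS resolution from this client (the nslookup check in the guide)
    $r.Resolves = [bool](Resolve-DnsName -Name $hostName -ErrorAction SilentlyContinue)
    if (-not $r.Resolves) { return [pscustomobject]$r }
    # TLS handshake; the callback accepts any certificate so the chain and name checks are explicit
    try {
        $tcp = [System.Net.Sockets.TcpClient]::new($hostName, $port)
        $ssl = [System.Net.Security.SslStream]::new($tcp.GetStream(), $false,
               ({ $true } -as [System.Net.Security.RemoteCertificateValidationCallback]))
        $ssl.AuthenticateAsClient($hostName)
        $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
        $r.TlsConnected = $true
    } catch { return [pscustomobject]$r } finally { if ($tcp) { $tcp.Dispose() } }
    $r.ChainValid  = $cert.Verify()                      # chains to a root trusted on this machine
    $r.CertNames   = Get-CertificateDnsNames $cert
    $r.NameMatches = Test-HostnameMatch -HostName $hostName -Names $r.CertNames
    return [pscustomobject]$r
}

Test-FidoGatewayAddress -Address 'gateway.company.com:443' | Format-List
```

A result with IsHostname false, or with NameMatches or ChainValid false, points to the "Authentication Prompt Not Appearing" case in Troubleshooting before any client-side Windows Hello setting is changed.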

Authentication Flow Analysis:

  • Review HySecure authentication logs for FIDO-specific entries
  • Analyze client-side logs for registration and authentication events
  • Monitor network traffic during FIDO authentication process
  • Verify policy application and user assignment through management console

Advanced Configuration

Policy Customization

Advanced FIDO Policy Settings:

  • Token Timeout Configuration: Customize authentication validity periods
  • Method Restrictions: Limit acceptable FIDO methods per user group
  • Device Limits: Configure maximum registered devices per user
  • Fallback Options: Define alternative authentication methods if FIDO fails

Integration with Existing Policies:

  • Combine FIDO authentication with existing password policies
  • Integrate with certificate-based authentication workflows
  • Configure conditional access based on device compliance status
  • Establish risk-based authentication triggers

Note

  • Device Binding: FIDO registrations are specific to individual devices and cannot be transferred between devices.
  • Backup Authentication: Ensure alternative authentication methods remain available during FIDO implementation.
  • User Training: Provide comprehensive user training on FIDO registration and authentication procedures.
  • Support Preparation: Prepare technical support team for FIDO-related user assistance and troubleshooting.

Contact Support: support@accops.com for FIDO Login Support configuration assistance