Palo Alto Networks' Unit 42 has detailed a significant security engineering achievement: the successful integration of WebAuthn into a browser-based Remote Desktop Protocol (RDP) client. This research addresses a critical gap in securing legacy remote access, enabling the use of modern, phish-resistant Multi-Factor Authentication (MFA) for applications within an RDP session. By reverse-engineering Microsoft's undocumented MS-RDPEWA virtual channel protocol and developing a custom browser API, the team bypassed inherent limitations in standard web browser APIs. The result is the first RDP client outside of the native Windows ecosystem to support full WebAuthn redirection, allowing users to authenticate with local security keys (e.g., YubiKey) and platform authenticators (e.g., Touch ID, Windows Hello) to services inside the remote session. This development represents a major step forward in applying Zero Trust principles to legacy infrastructure, significantly hardening RDP against credential-based attacks.
The primary obstacle to integrating WebAuthn with RDP in a browser context lies in the security architecture of modern browsers. When a user in a remote RDP session attempts to authenticate to a service like Okta, the service's server initiates the WebAuthn ceremony. It generates a clientDataJSON object containing the origin (e.g., https://okta.com), a unique challenge, and other parameters. It then sends the SHA-256 hash of this object, known as clientDataHash, over the RDP virtual channel to the client.
The client's job is to pass this clientDataHash to a local authenticator (like a YubiKey) for signing. However, standard browser APIs, such as navigator.credentials.create(), are designed for security and isolation. They refuse to accept a pre-computed hash. Instead, the browser insists on creating its own clientDataJSON based on its own origin (e.g., chrome-extension://...). It then hashes this new object and sends it to the authenticator.
When the resulting signature is sent back to the remote service, the authentication fails because the hash signed by the authenticator does not match the original hash calculated by the server. This clientDataHash mismatch is a fundamental security feature to prevent cross-origin attacks, but it also makes direct redirection of WebAuthn ceremonies over RDP impossible with standard browser tools.
To overcome this, Unit 42 researchers turned to reverse-engineering Microsoft's WebAuthn Virtual Channel Extension, specified as [MS-RDPEWA]. The protocol uses a Dynamic Virtual Channel (DVC) named Microsoft::Windows::RDP.Webauthn to transport CBOR-encoded WebAuthn requests between the server and client.
Initial analysis of the public specification revealed it was incomplete at the time of the research, documenting only four basic commands. The team used IDA Pro, augmented with AI-driven tooling to accelerate the process, to analyze the Windows implementation. This investigation uncovered undocumented internal code paths and two additional commands essential for full functionality:
GetCredentials (Command ID 9)GetAuthenticatorList (Command ID 12)These commands, later added to the specification in March 2026 for Windows 11 24H2+, were critical for discovering and managing credentials stored on authenticators. By tracing the execution flow in the Windows RDP client (mstsc.exe), the researchers were able to map the protocol's behavior and understand how it interfaces with the underlying FIDO2 components, paving the way for a custom implementation.
Since no existing browser API (navigator.credentials, chrome.webAuthenticationProxy, WebHID) could fulfill the requirement of passing a pre-computed clientDataHash to the authenticator, the team built a custom solution. As developers of a Chromium-based browser (Prisma Browser), they were able to create a proprietary extension API.
This custom API mirrors the standard makeCredential() and getAssertion() methods but with one key difference: it allows the caller to supply the clientDataHash directly. This hash is then passed straight to Chromium's robust FIDO2 stack. This approach provides several advantages:
libfido2 (as seen in FreeRDP), this method does not require a separate native application to access hardware, keeping the entire solution contained within the browser sandbox.This thin wrapper around Chromium's existing machinery provides a secure and powerful way to bridge the gap between the remote session and the user's local authenticators.
The business and security impact of this development is substantial. Remote Desktop Protocol remains a primary vector for lateral movement and initial access in enterprise networks, often targeted for its reliance on weaker, password-based authentication.
By enabling FIDO2/WebAuthn, organizations can now enforce phish-resistant MFA on RDP sessions accessing legacy applications. This directly mitigates the risk of credential theft, password spraying, and other attacks targeting Valid Accounts. For industries like finance, healthcare, and government that rely on on-premises applications, this provides a pathway to modernizing security without costly and complex application refactoring or relying on performance-degrading HTML5 gateways.
This capability strengthens Zero Trust architectures by ensuring that every connection, even to legacy systems, is protected by strong, verifiable identity, regardless of the user's location or device.
No Indicators of Compromise (IOCs) are associated with this security research report.
The following patterns could help identify and monitor the usage of WebAuthn over RDP in an environment.
Microsoft::Windows::RDP.WebauthnMicrosoft::Windows::RDP.Webauthn channel is CBOR-encoded. Monitoring for this traffic pattern can help identify authentication events.mstsc.exeWhile this research describes a defensive improvement, security teams can adapt their monitoring strategies to account for this new capability and detect potential misuse of RDP authentication.
Microsoft::Windows::RDP.Webauthn DVC. While its presence is benign in a properly configured environment, an unexpected appearance or anomalous traffic patterns could warrant investigation.Defensive techniques from the D3FEND framework, such as Network Traffic Analysis (D3-NTA) and Process Analysis (D3-PA), are foundational for building a robust RDP monitoring capability.
The primary mitigation is the adoption of the technology itself. To secure RDP access and defend against credential-based attacks, organizations should prioritize the following:
Implementing phish-resistant MFA, such as the FIDO2/WebAuthn method detailed in the research, is the most effective defense against credential compromise for RDP access.
Mapped D3FEND Techniques:
Enforcing strong authentication policies and the principle of least privilege for all user accounts, especially those with remote access privileges, reduces the attack surface.
Isolating RDP access points behind jump hosts or gateways and strictly controlling network paths provides an additional layer of defense by containing potential breaches.
Running RDP clients within a sandboxed browser environment, as demonstrated in the research, limits the potential impact of a compromised client or session on the host machine.
Mapped D3FEND Techniques:
Organizations should prioritize the deployment of phish-resistant MFA for all remote access, especially for protocols like RDP that are frequent targets for credential-based attacks. This research demonstrates the feasibility of using browser-based clients to extend modern WebAuthn/FIDO2 capabilities to legacy on-premises applications accessed via RDP. The implementation should focus on using hardware security keys (YubiKey, etc.) or platform authenticators (Windows Hello, Touch ID) to protect against phishing and credential theft. Security teams should configure conditional access policies to mandate the use of these strong authenticators for all RDP sessions, particularly for privileged users and access to sensitive systems. This approach directly hardens the authentication process for RDP, moving beyond passwords and one-time codes to a more secure, unphishable standard, thereby significantly reducing the risk of unauthorized access via compromised credentials.
To complement strong authentication, security teams should implement Network Traffic Analysis (NTA) focused on RDP connections. Monitor for the creation and use of the Microsoft::Windows::RDP.Webauthn Dynamic Virtual Channel (DVC). While its presence is expected in environments using this feature, establishing a baseline of normal activity is crucial. Configure detection rules to alert on anomalies, such as WebAuthn DVC traffic originating from unauthorized subnets or at unusual times. Furthermore, analyze the metadata of RDP sessions (e.g., source/destination IPs, session duration, data transferred) and correlate it with authentication logs. An alert could be triggered if an RDP session, authenticated with strong MFA, begins exhibiting behavior consistent with lateral movement, such as connecting to multiple new hosts. This provides a critical detection layer to spot potential misuse of a legitimately authenticated session.
In the context of this research, Application Configuration Hardening involves securing the entire RDP ecosystem. This starts with hardening the RDP servers themselves by disabling unused virtual channels and enabling Network Level Authentication (NLA). For the client side, using a managed, Chromium-based browser like Prisma Browser allows for centralized policy enforcement. Administrators can create policies that mandate the use of the WebAuthn redirection feature and disable fallback to weaker authentication methods. This ensures that users cannot bypass the intended security controls. Hardening should also include restricting which users and devices are permitted to initiate RDP sessions and ensuring that the browser and its extensions are always up-to-date to protect against unrelated client-side vulnerabilities. This creates a hardened, policy-driven environment for remote access that minimizes the attack surface.

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.
Help others stay informed about cybersecurity threats
Every tactic, technique, and sub-technique used in this threat has been identified and mapped to the MITRE ATT&CK framework for consistent, actionable threat language.
Observables and indicators of compromise (IOCs) have been extracted and cataloged. Risk has been assessed and correlated with known threat actors and historical campaigns.
Detection rules, incident response steps, and D3FEND-aligned mitigation strategies are included so your team can act on this intelligence immediately.
Structured threat data is packaged as a STIX 2.1 bundle and can be visualized as an interactive graph — relationships between actors, malware, techniques, and indicators.
Sigma detection rules are derived from the threat techniques in this article and can be converted for deployment across any major SIEM or EDR platform.