VYPR research
Published Jul 2, 2026 · 1 source

Palo Alto Networks Integrates WebAuthn into Browser-Based RDP Client

Researchers at Palo Alto Networks have reverse-engineered Microsoft's WebAuthn virtual channel extension for RDP (MS-RDPEWA) and used it to add WebAuthn support to a browser-based RDP client, so that a hardware security key attached to the local machine can complete passwordless authentication inside a remote session.

Palo Alto Networks researchers have detailed a notable advance in remote access security: WebAuthn authentication integrated into a browser-based RDP client. The work, which required extensive reverse-engineering of the protocol, lets users answer WebAuthn requests raised inside an RDP session with a hardware security key on the local machine, so those sign-ins no longer depend on a password.

The project was driven by the need for more flexible and secure remote access. Traditional RDP access relies on thick clients or on browser-based translation layers that lose performance and functionality. Palo Alto Networks' Prisma Browser initiative aims to ship native clients directly inside the browser, with the full feature set of a desktop client. The WebAuthn integration answers a specific user request to use security keys with RDP, a capability that many non-Windows RDP clients still lack.

Reverse-engineering the WebAuthn Virtual Channel Extension (MS-RDPEWA) protocol proved to be a complex undertaking. A specification exists, but it was incomplete at the time of the research, particularly where Microsoft's Windows implementation takes code paths the document does not describe. The researchers used AI tools to accelerate the analysis of the binary and the protocol behaviour, which cut the time required considerably. AI did not replace human expertise, however: asking the right questions, validating AI-generated findings, and validating the protocol end to end remained manual work.

The core challenge lay in reconciling the browser's native WebAuthn API with what the RDP protocol requires. When a user starts a WebAuthn ceremony on a website inside the remote session, the RDP server redirects the request to the client. The request carries a pre-computed clientDataHash, the SHA-256 of the clientDataJSON that the remote browser built, which binds the ceremony to the website's origin and challenge. The authenticator signs over authenticatorData concatenated with that hash, and the relying party verifies the signature against the clientDataJSON it holds. The local browser's navigator.credentials.create() and get(), however, always generate their own clientDataJSON, and inside an extension that JSON carries the extension's origin rather than the website's. The hash the authenticator signs is then not the hash the relying party recomputes, and the assertion fails verification.

Existing browser APIs were insufficient to bridge this gap. APIs like navigator.credentials and chrome.webAuthenticationProxy were not designed to accept pre-computed hashes or handle the specific redirection required for RDP sessions. The researchers noted that the W3C WebAuthn working group has since begun standardizing a solution for this exact scenario with the remoteClientDataJSON extension, though it is not yet implemented in shipping browsers.

To overcome these limitations, Palo Alto Networks developed a custom browser extension API. It mirrors the standard navigator.credentials interface but lets the caller supply the clientDataHash directly, so the authenticator signs over the hash the relying party will recompute and the ceremony succeeds inside the RDP session. Because the caller now chooses the origin bound into the ceremony, such an API moves the origin check from the browser to the caller and has to stay restricted to the trusted RDP client code. The integration builds on Chromium's FIDO2 stack, which supports the usual authenticator types and transports: USB, BLE, NFC, and platform authenticators such as Touch ID and Windows Hello.

The integration strengthens RDP sessions by enabling passwordless authentication and positions Prisma Browser's RDP client as a practical alternative to traditional thick clients. It extends a modern authentication standard to a legacy protocol without changing the protocol itself.

The result shows that current authentication methods can be adapted to established protocols: it closes a concrete gap in non-Windows RDP clients and gives users a convenient, phishing-resistant login instead of a password.

Synthesized by Vypr AI