Support for authentication using FIDO2

September 15, 2022

Support for authentication using FIDO2


    Now Available
Citrix Workspace app - Linux

Within an HDX session, users can authenticate using password-less FIDO2 security keys. FIDO2 security keys provide a seamless way for enterprise employees to authenticate to virtual apps or desktops that support FIDO2 without entering a user name or password. For more information about FIDO2, see FIDO2 Authentication.


If you’re using the FIDO2 device through USB redirection, remove the USB redirection rule of your FIDO2 device from the usb.conf file in the $ICAROOT/ folder. This update helps you to switch to the FIDO2 virtual channel.

By default, FIDO2 authentication is disabled. To enable FIDO2 authentication, do the following:

  1. Navigate to the <ICAROOT>/config/module.ini file.
  2. Go to the ICA 3.0 section.
  3. Set FIDO2= On.

This feature currently supports roaming authenticators (USB only) with PIN code and touch capabilities. You can configure FIDO2 Security Keys based authentication. For information about the prerequisites and using this feature, see Local authorization and virtual authentication using FIDO2.

When you access an app or a website that supports FIDO2, a prompt appears, requesting access to the security key. If you’ve previously registered your security key with a PIN (a minimum of 4 and a maximum of 64 characters), then you must enter the PIN while signing in.

If you’ve registered your security key previously without a PIN, simply touch the security key to sign in.


You might fail to register the second device to a same account using FIDO2 authentication.

This feature is available in version 2303 and later.