| |
|
|
 |
BIIM Support |
 |
|
|
|
|
|
BioCert® Intelligent Identity Manager Support
Smart Cards and Tokens
A smart card is a plastic card about the size of a credit
card with an embedded microchip that can be loaded with
information. Smart cards provide protection of information and
authentication for individual users. Logging on to a network
with a smart card can provide a strong form of authentication
when it uses cryptography-based identification and proof of
possession when authenticating a user to a domain.
For example, if a malicious person obtains a user's password,
that person can assume the user identity on the network simply
through use of the password. Many people choose passwords they
can remember easily, which makes passwords inherently weak and
open to attack.
In the case of smart cards, that same malicious person would
have to obtain both the user's smart card and the personal
identification number (PIN) to impersonate the user. This
combination makes an attack less likely because an additional
layer of information is needed to impersonate a user. An
additional benefit is that a smart card is locked after the PIN
is entered incorrectly several times in a row, making a
dictionary attack against a smart card extremely difficult.
USB token and Virtual token provide
functionality similar to smart card. BioCert® Identity can
support any of these devices for authentication and as a user
identity storage.
The following topic sections provide additional information
about BioCert® Identity smart cards and tokens functions:
About Identity Storage
A smart card is a credit card-sized device you can use
for storing sign-in passwords, public and private keys, and
other personal information. Smart cards provide
tamper-resistant and portable security solutions for tasks
such as securing e-mail and logging on to a domain when
linked to a Public Key Infrastructure (PKI).
Smart cards provide:
- Tamper-resistant storage for protecting private keys
and other forms of personal information
- Isolation of security-critical computations
involving authentication, digital signatures, and key
exchange
- A way to take logon information and other private
information with you for use on computers at work, home,
or on the road
USB Tokens
A USB token is simply a smart card in a different form
factor. Rather than deploying the smart chip on a plastic
credit platform, the smart chip is inserted into a plastic
token, also known as a key. The major difference between a
smart card and a token is in the access interface. A card
requires a reader, while a token plugs directly into any USB
port. There is no difference in the core functionality of
storing and providing credentials.
A USB token is used for strong authentication. It
provides enhanced security and ensures safe information
access.
Virtual Tokens
A virtual token represents the software emulation of
hardware token such as a smart card or USB token. The
software token can be stored either in the Windows registry
database or in a file and includes the token's location on a
hard drive, diskette, USB drive, and so on.
Configuring Smart Cards and Tokens
Configuring Smart Cards and Tokens authentication
Authentication method settings include:
- Asymmetrical encryption keys length and
cryptographic algorithms
- Permission to register several tokens per user
To configure the authentication method settings:
- In BioCert® Identity, select
Authentication and Credentials.
- Select Credentials tab.
- In the list of authentication methods, select
the desired authentication method, then click
Properties. The Method
Authentication Properties dialog box is
displayed.
- Configure the desired settings, and then click
OK to save the changes.
Configuring Smart Cards and Tokens service
The following groups of Smart Cards and Tokens
service settings may be specified:
- General Settings - Allow or deny modifying token
parameters during registration, change Master PIN,
create new virtual token and so on.
- System response when smart card or token is
inserted
- System response when smart card or token is
removed
To configure Smart Cards and Tokens service settings:
- In BioCert® Identity, select
Settings.
- Select Services and Applications
tab.
- In Select category drop-down
list, select the user category to which the settings
to be configured.
- In the list of services, select Smart
Cards and Tokens Service and then click
Properties. The Service
Settings dialog box is displayed.
- Configure the desired settings, and then click
OK to save the changes.
Registering Smart Cards or Tokens
To register a smart card or USB token:
- In BioCert® Identity,
select My Identity.
- Select Register Smart Card or Token.
The Token Registration Wizard is displayed.
- On the Device Type dialog
box, select the desired type of device, and then
click Next. Select
Token dialog box is displayed.
- If a smart card or USB token was selected as
the device type, make sure that smart card is
inserted or the token is connected to
a USB port.
Note
If the smart card is not inserted or the USB
token is not connected, the Next
button is disabled in Select Token
dialog box.
On the Device Type dialog
box, click Next. Token
Properties dialog box is displayed.
- Type the User PIN, and then click
Finish to complete the operation.
To register a virtual token:
- In BioCert® Identity,
select My Identity.
- Select Register Smart Card or Token.
The Token Registration Wizard is displayed.
- On the Device Type dialog
box, select Virtual Token as
device type, and then click Next.
Virtual Token Name and Location
dialog box is displayed.
- Specify the token name and location. A new
virtual token can be stored either in a file or
in the Windows registry database. Click
Next to continue.
- On the Token Properties
dialog box, specify the Master PIN and User PIN
for the newly created virtual token, and then
click Finish to complete the
operation.
Note
The system allows to register several different
tokens for every supported device type.
Using Smart Cards and Tokens
Logging on to BioCert® Identity using smart card
or token
To log on to BioCert® Identity using a smart cart or
token:
- Launch the BioCert® Logon Wizard.
- On the Introduce Yourself
screen, type the user name, and then click
Next.
- On the Logon Policy screen,
select the Smart Card
authentication method, and then click Next.
Note
In accordance with the authentication device type,
you may select Smart Card,
USB Token, or Virtual Token
on this screen.
If a smart card or USB token was selected as the
device type, make sure that smart card is inserted
or the token is connected to a USB port.
- On the Select a Smart Card (or
Select a USB Token) screen, type
your User PIN, and then click Finish.
After the User PIN is validated, you will be logged
on to BioCert® Identity.
Note
On the Select a Virtual Token
screen, you should select the desired token from the
list prior to typing a User PIN.
Note
If the user PIN is entered correctly, the system
completes the logon process. If the PIN is entered
incorrectly several times in sequence, logon will be
denied using that authentication device (i.e. smart
card or token). The number of allowable invalid
logon attempts that may be entered before lockout
occurs varies with the device manufacturer. Contact
the administrator for assistance in case of locked
out User PIN.
Using identity operations with smart card or token
A user can backup User Identity for migration to
another system or for protection against the system
failure. Smart card, USB token or virtual token can be
used as devices for identity storage. The following
topic sections provide additional information about
Identity Backup/Restore operations:
Changing the Token PIN
A personal identification number (PIN) is any personal
number required to secure your data on a smart card or token
against unauthorized use. It is a good practice to change
the PIN from time to time to ensure maximum confidentiality.
To change the Token PIN, perform the following steps:
- In BioCert® Identity, select
My Identity.
- Select Change Token PIN. The
Change PIN Wizard is displayed.
- On the Device Type dialog box,
select the desired type of device, and then click
Next.
- On the Select Token dialog box,
select the token for which you want to change the PIN,
and then click Next.
- On the User PIN dialog box, type
the old PIN and the new PIN twice to confirm, and then
click Finish to complete the operation.
Note
If you enter the incorrect PIN for the token several times
in sequence, the token gets locked out. You will be unable
to use this token until you unlock it.
Unlocking Smart Cards and Tokens
Multiple incorrect presentation of the User PIN may cause
a smart card or token to become locked, after which the user
cannot use it for any authentication or data storage
purposes until the secure device is unlocked.
To unlock a smart card or token:
- In BioCert® Identity, select
Settings.
- Select Smart Cards and Tokens tab.
- Expand the appropriate group of local tokens (smart
cards, USB tokens, and so on), and then right-click the
token to be unlocked.
- From the pop-up menu, select Unlock User PIN.
The Unlock User PIN dialog is
displayed.
- Type the Master PIN and User PIN, and then click
OK to complete the operation.
Note
You must know the Master PIN to perform the unlocking
operation. The User PIN can be changed during the unlocking
process.
Smart Cards and Tokens Troubleshooting
Smart cards and USB tokens are not available in BioCert®
Identity if installed after the BioCert® Identity
installation
In order to use smart cards or USB tokens in BioCert®
Identity, the supporting software (drivers, PKCS#11
providers, etc.) must be installed prior to BioCert®
Identity installation. If you already have the BioCert®
Identity installed do the following steps after installing
smart card or token supporting software:
- In BioCert® Identity, select
Settings, and then select Smart
Cards and Tokens. A list of available tokens is
displayed under Local Tokens.
- Right-click Local Tokens, on
context menu select Scan for New Smart Cards and
Tokens.
- Restart your computer if prompted.
|
|
View
Cart
