6.5 Interoperability for IDEMIA smart cards

This section contains information about any considerations for using these smart cards with other systems.

6.5.1 Logon attempts

The number of attempts to log on to a card before it is locked may be set by the manufacturer according to the BAP and may not be configurable through MyID. For example, if you set the number of logon attempts to 5, the following cards lock after the listed number of attempts:

Note: It is a feature of PIV cards that PIN attempts that are too short (for example, four digits) are rejected without being sent to the smart card, and therefore do not count towards the number of PIN attempts. Only PIN attempts that provide six or more digits are counted towards the number of attempts.
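The counting behavior described in the note above, as an added example that is not MyID or IDEMIA code: a client-side length check in front of a constructed mock card with a retry counter. The names `MockPivCard`, `try_pin` and `demo` are hypothetical, the VERIFY encoding (PIN padded to 8 bytes with 0xFF, key reference 0x80) follows NIST SP 800-73, and the sketch models a standard PIV VERIFY rather than the SPE secure channel described in section 6.5.4.

```python
import hmac

MIN_PIN_DIGITS = 6   # per the note: shorter PINs never reach the card
PIN_FIELD_LEN = 8    # PIV PIN field: ASCII digits padded with 0xFF


def build_verify_apdu(pin: str) -> bytes:
    """Build a PIV VERIFY command (INS 0x20, key reference 0x80)."""
    if not (pin.isascii() and pin.isdigit()
            and MIN_PIN_DIGITS <= len(pin) <= PIN_FIELD_LEN):
        raise ValueError("PIN must be 6 to 8 decimal digits")
    data = pin.encode("ascii").ljust(PIN_FIELD_LEN, b"\xff")
    return bytes([0x00, 0x20, 0x00, 0x80, PIN_FIELD_LEN]) + data


class MockPivCard:
    """Constructed stand-in for a card; only the retry counter is modelled."""

    def __init__(self, pin: str, max_attempts: int):
        self._ref = build_verify_apdu(pin)[5:]
        self._max = max_attempts
        self.remaining = max_attempts

    def transmit(self, apdu: bytes) -> int:
        if self.remaining == 0:
            return 0x6983                       # PIN blocked
        if hmac.compare_digest(apdu[5:], self._ref):
            self.remaining = self._max          # success resets the counter
            return 0x9000
        self.remaining -= 1                     # every transmitted miss counts
        return 0x63C0 | self.remaining          # 63CX: X attempts left


def try_pin(card: MockPivCard, pin: str):
    """Return the card's status word, or None if the PIN was never sent."""
    try:
        apdu = build_verify_apdu(pin)
    except ValueError:
        return None                             # rejected before transmission
    return card.transmit(apdu)


def demo():
    # Constructed sample values: card PIN 123456, limit of 5 attempts.
    card = MockPivCard(pin="123456", max_attempts=5)
    results = [try_pin(card, p) for p in ["1234", "0000", "654321", "111111"]]
    return results, card.remaining
```

In `demo()`, the two four-digit entries leave the counter untouched, so only the two six-digit misses are deducted from the limit of 5.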

6.5.2 Card readers

Oberthur ID-One PIV (v2.3.5), Oberthur ID-One PIV (v2.4.0) cards, and IDEMIA ID-One PIV 2.4.1 on Cosmo V8.1 cards have been found to have interoperability problems with SCR331 card readers.

6.5.3 Windows logon using Oberthur ID-One PIV (v2.4.0) or IDEMIA ID-One PIV 2.4.1 on Cosmo V8.1 cards

If you want to use Oberthur ID-One PIV (v2.4.0) or IDEMIA ID-One PIV 2.4.1 on Cosmo V8.1 cards to log on to Windows, you must install the minidriver for PIV cards. The recommended versions are:

This minidriver is used only for Windows logon – you do not need to install the minidriver to use the cards with MyID.

6.5.4 OPACITY Secure PIN Entry support

OPACITY Secure PIN Entry (SPE) requires that whenever a PIN or PUK is sent in an APDU (Application Protocol Data Unit) command to a smart card, it is sent using an encrypted secure channel.

Important: To issue smart cards that are manufactured to use SPE, you must set up the credential profile to use OPACITY. If you attempt to issue an SPE card with a credential profile that is not set up to use OPACITY, issuance of the card will fail. An error with number -2147220720 may appear, and the audit may contain the message "Not logged into card" for the failure. See section 2.11, Setting up OPACITY, for details of setting up your credential profile.

Note: Smart cards that are manufactured to use SPE are not PIV compliant.

This feature is supported within MyID on IDEMIA smart cards that have this capability. Currently, this includes the following:

You can confirm whether a card has been issued with support for OPACITY Secure PIN Entry (SPE) by using the Identify Card workflow. The Chip Type displayed in the workflow includes "SPE" if the card requires OPACITY Secure PIN Entry.

If you want to use cards manufactured to different specifications for SPE with MyID, contact your Intercede account manager to discuss your requirements.

Note: SPE-EP (Secure PIN Entry – Enhanced Privacy) is not supported.

6.5.5 Smart card readers supported for OPACITY

OPACITY personalization is supported for IDEMIA PIV cards when using a smart card reader that supports Extended APDU; for example, OmniKey 5x21 or OmniKey 5x25.

Only OPACITY personalization requires these readers; other operations are not restricted.

6.5.6 Additional identities and PIV cards

You cannot use the additional identities feature of MyID with any smart card that has a PIV applet. This includes all Oberthur/IDEMIA ID-One PIV smart cards.

 

MyID version 11.3.0 product documentation, August 15, 2019 – Copyright © 2001-2019 Intercede Limited. All rights reserved.