6.5 Interoperability for IDEMIA smart cards
This section contains information about any considerations for using these smart card with other systems.
6.5.1 Unlocking IDEMIA PIV cards
IDEMIA and Oberthur ID-One PIV cards include a PIV applet, which means that you can use the MyID Card Utility to carry out a remote challenge/response unlock operation and change the user PIN, and the unlock credential provider to unlock the devices from the Windows logon screen.
See section 2.12, Unlocking smart cards that have a PIV applet.
-
IKB-284 – Cannot use the unlock credential provider with IDEMIA cards manufactured for SPE
It is not currently possible to unlock an IDEMIA PIV card that has been manufactured to require Secure Pin Entry (BAP#087483 – ID-One PIV 2.4 on Cosmo v8.1 SPE).
6.5.2 PIN policy settings
MyID allows you to set various policies for PINs using the settings in the credential profile. MyID enforces these settings for any operations carried out by MyID. For some smart cards, some or all of these settings are applied directly to the card, which means that the settings will also be enforced by third-party tools and utilities.
The following settings are supported for on-card PIN policy settings:
|
|
Smart card |
|---|---|
|
PIN Setting |
IDEMIA ID-One PIV 2.4.1 on Cosmo V8.1 |
|
Maximum PIN Length |
|
|
Minimum PIN Length |
|
|
Repeated Characters Allowed |
|
|
Sequential Characters Allowed |
|
|
Logon Attempts |
Y |
|
PIN Inactivity Timer |
|
|
PIN History |
|
|
Lowercase PIN Characters |
|
|
Uppercase PIN Characters |
|
|
Numeric PIN Characters |
|
|
Symbol PIN Characters |
|
|
Lifetime |
|
- Y – Supported.
- blank – Not supported.
6.5.3 Logon attempts
The number of attempts to log on to a card before it is locked may be set by the manufacturer according to the BAP and may not be configurable through MyID, depending on the smart card being used. For example, if you set the number of logon attempts to 5, the following cards lock after the listed number of attempts, ignoring the value set in MyID:
- Oberthur ID-One PIV (v2.3.2) (Type A) Large D – 10 attempts.
- Oberthur ID-One PIV (v2.3.4) – 10 attempts.
- Oberthur ID-One PIV (v2.3.5) – 10 attempts.
- Oberthur ID-One PIV (v2.4.0) – 10 attempts.
The Logon Attempts option in the credential profile is encoded as the PIN try counter for the following:
- IDEMIA ID-One PIV 2.4.1 on Cosmo V8.1
This means that you can configure the number of logon attempts through MyID for this smart card.
Note: It is a feature of PIV cards that PIN attempts that are too short (for example, four digits) are rejected without being sent to the smart card, and therefore do not count towards the number of PIN attempts. Only PIN attempts that provide six or more digits are counted towards the number of attempts.
6.5.4 Card readers
Oberthur ID-One PIV (v2.3.5), Oberthur ID-One PIV (v2.4.0) cards, and IDEMIA ID-One PIV 2.4.1 on Cosmo V8.1 cards have been found to have interoperability problems with SCR331 card readers.
6.5.5 Windows logon using Oberthur ID-One PIV (v2.4.0) or IDEMIA ID-One PIV 2.4.1 on Cosmo V8.1 cards
If you want to use Oberthur ID-One PIV (v2.4.0) or IDEMIA ID-One PIV 2.4.1 on Cosmo V8.1 cards to log on to Windows, you must install the minidriver for PIV cards. The recommended versions are:
- Oberthur ID-One PIV (v2.4.0) – Oberthur minidriver for PIV cards version 1.1.3.1025.
- IDEMIA ID-One PIV 2.4.1 on Cosmo V8.1 (including SPE smart cards) – IDEMIA minidriver for PIV cards version 1.2.3.279.
This minidriver is used only for Windows logon – you do not need to install the minidriver to use the cards with MyID.
6.5.6 Additional identities and PIV cards
You cannot use the additional identities feature of MyID with any smart card that has a PIV applet. This includes all Oberthur/IDEMIA ID-One PIV smart cards.