2.3 Recommended deployment configuration
Before deploying MyID with Intel Authenticate, administrators should decide which users will be able to use this capability, as it is available only on compatible hardware.
2.3.1 Deploying Intel Authenticate software
Intel Authenticate software must be installed alongside Intercede MyID clients to provide a streamlined issuance process.
- The Intel installation procedure creates an additional virtual smart card (VSC) that is not associated with a certificate; if it is left in place, authentication may fall back to the Windows password only. Uninstall this VSC through Device Manager before you create any Intel Authenticate VSCs through MyID.
- It is recommended that the Intel Authenticate policy file is not deployed until users have been confirmed as requiring use of the feature, as it will trigger the factor enrollment process. This step should align with a request for the credential profile in MyID (see section 4.4, Creating the credential profile). Intel provide group policy scripts to install the policy file.
- Certificates are collected using the MyID Self-Service App. Intercede recommends using scripts to manage this step, so that collection runs in a simple, repeatable way once Intel Authenticate enrollment completes. For further details, see section 5.2, Collecting Intel Authenticate VSCs.
2.3.2 Associating certificates to Intel Authenticate policies
Earlier versions of Intel Authenticate used Windows registry settings to associate a certificate with the Intel Authenticate OSLogin action. This has been replaced by a mechanism that uses a certificate template name to link the certificate to an Intel Authenticate policy. To integrate MyID with this feature, Intel Authenticate version 3.8 or later is required.
For earlier versions of Intel Authenticate, support is limited to the OSLogin action only; the settings are the same as for Intel Authenticate 3.8 (see section 2.3.3, Intel Authenticate policy settings), except that you do not enter the "Certificate template name".
2.3.3 Intel Authenticate policy settings
Note: This feature requires Intel Authenticate version 3.8 or later.
The settings in the policy determine what actions are protected by Intel Authenticate, and the factors required to use them. The policy also controls how the Windows password is used during authentication processes.
MyID is used with Intel Authenticate to issue managed certificates for authentication, therefore it is important to ensure that the settings within the Intel Authenticate policy do not contradict or undermine certificate-based authentication.
Full instructions for configuring Intel Authenticate policy files are provided with the Intel Authenticate software. The following settings are expected to be used when MyID is providing certificate issuance for Intel Authenticate.
Note: The OSLogin settings listed below are a recommendation. For more information about setting up OSLogin, or for information about setting up other actions, see the documentation provided by Intel.
- Action name: OSLogin
The OSLogin action supports certificate-based authentication. A custom configuration can also be provided, but such configuration does not provide the option to block users from using their Windows password for log-in.
- Advanced Settings
Block the user from using their Windows password to log in.
Enable this setting. It prevents the user from entering their Windows password, so the certificate becomes the only way to complete OSLogin.
Use certificates for authentication.
Enable this setting to complete the login process using a certificate. If this is not set, Intel Authenticate will continue to use the Windows password.
Certificate template name.
Set this to the name of the certificate policy issued through MyID.
Certification Authority URL.
Leave blank. This setting is not required when issuing the certificate through MyID.
Certificate will be managed through Intel Authenticate.
Do not check this option. If it is enabled, Intel Authenticate automatically issues and manages a certificate for this action itself, instead of using the certificate issued through MyID.
Certificate enrollment does not require user to authenticate.
Enable this option to enroll the certificate silently. When it is not set, the user is asked to confirm their enrolled PIN when the certificate is issued.
Important: with this option enabled, an attempt to collect an Intel Authenticate VSC through MyID fails with an error if the user has not enrolled their protected PIN beforehand.
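The settings above only work if the certificate that MyID places on the VSC is the one the OSLogin policy looks for. The following PowerShell script is an added verification check; it is not part of the Intel Authenticate or MyID software. It lists the smart card devices present on the client (so the extra VSC from section 2.3.1 can be spotted) and then searches the user's certificate store for a smart card logon certificate whose template name matches the policy's "Certificate template name". The template name 'MyID Intel Authenticate Logon' is an assumed placeholder; replace it with the name you entered in the policy.

```powershell
<#
  Added verification script; not part of the Intel Authenticate or MyID software.
  Run in the logged-on user's session on a client after the VSC has been collected.
  $ExpectedTemplate is an assumed placeholder: set it to the value you entered in
  the OSLogin policy's "Certificate template name" setting.
#>
param(
    [string]$ExpectedTemplate = 'MyID Intel Authenticate Logon'
)

$TemplateNameOid   = '1.3.6.1.4.1.311.20.2'    # Certificate Template Name (v1 templates)
$TemplateInfoOid   = '1.3.6.1.4.1.311.21.7'    # Certificate Template Information (v2 templates)
$SmartCardLogonEku = '1.3.6.1.4.1.311.20.2.2'  # Smart Card Logon enhanced key usage

function Get-TemplateName {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    foreach ($ext in $Cert.Extensions) {
        if ($ext.Oid.Value -eq $TemplateNameOid) {
            return $ext.Format($false).Trim()          # decodes straight to the name
        }
        if ($ext.Oid.Value -eq $TemplateInfoOid) {
            # Formats as "Template=<Name>(<OID>), Major Version Number=..."; when the
            # template cannot be resolved, only the OID follows "Template=".
            if ($ext.Format($false) -match 'Template=([^(,]+)') { return $Matches[1].Trim() }
        }
    }
    return $null
}

function Test-SmartCardLogonCert {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $eku = $Cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    if (-not $eku) { return $false }
    return ($eku.EnhancedKeyUsages | ForEach-Object { $_.Value }) -contains $SmartCardLogonEku
}

# 1. Smart card devices present on the machine. The extra VSC that the Intel
#    installer creates (section 2.3.1) appears here as well, so an unexpected
#    second device is the first thing to look for.
Write-Host 'Smart card devices present:'
Get-PnpDevice -PresentOnly -Class SmartCard |
    Select-Object FriendlyName, InstanceId, Status | Format-Table -AutoSize

# 2. Smart card logon certificates in the user's store whose template name matches
#    the policy. If none matches, OSLogin cannot use the MyID certificate and, unless
#    the password is blocked, falls back to the Windows password.
$found = @()
foreach ($cert in Get-ChildItem Cert:\CurrentUser\My) {
    $template = Get-TemplateName -Cert $cert
    if ($cert.HasPrivateKey -and (Test-SmartCardLogonCert -Cert $cert) -and $template -eq $ExpectedTemplate) {
        $found += $cert
    }
}

if ($found.Count -eq 0) {
    Write-Warning "No smart card logon certificate with template '$ExpectedTemplate' found in Cert:\CurrentUser\My."
    exit 1
}

foreach ($cert in $found) {
    # Report the provider that holds the private key so you can confirm it is a
    # smart card provider rather than a software key. Opening the key handle can
    # fail for some providers, so this lookup is best effort.
    $provider = 'unknown'
    try {
        $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
        if ($rsa -is [System.Security.Cryptography.RSACng]) { $provider = $rsa.Key.Provider.Provider }
        elseif ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) { $provider = $rsa.CspKeyContainerInfo.ProviderName }
    } catch { }
    [pscustomobject]@{
        Subject    = $cert.Subject
        Template   = $ExpectedTemplate
        NotAfter   = $cert.NotAfter
        Thumbprint = $cert.Thumbprint
        Provider   = $provider
    }
}
```

Run the script as the user whose VSC was collected; a non-zero exit means no matching certificate was found, which is the condition under which OSLogin would silently revert to the Windows password if "Block the user from using their Windows password to log in" were not enabled.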
The following shows an example OSLogin policy configuration for use with MyID.