5.5 Interoperability for IDEMIA smart cards
This section contains information about any considerations for using these smart card with other systems.
5.5.1 Unlocking IDEMIA PIV cards
IDEMIA and Oberthur ID-One PIV cards include a PIV applet, which means that you can use the MyID Card Utility to carry out a remote challenge/response unlock operation and change the user PIN, and the unlock credential provider to unlock the devices from the Windows logon screen.
See section 2.12, Unlocking smart cards that have a PIV applet.
-
IKB-284 – Cannot use the unlock credential provider with IDEMIA cards manufactured for SPE
It is not currently possible to unlock an IDEMIA PIV card that has been manufactured to require Secure Pin Entry (BAP#087483 – ID-One PIV 2.4 on Cosmo v8.1 SPE).
5.5.2 PIN policy settings
MyID allows you to set various policies for PINs using the settings in the credential profile. MyID enforces these settings for any operations carried out by MyID. For some smart cards, some or all of these settings are applied directly to the card, which means that the settings will also be enforced by third-party tools and utilities.
The following settings are supported for on-card PIN policy settings:
|
|
Smart card |
|---|---|
|
PIN Setting |
IDEMIA ID-One PIV 2.4.1 on Cosmo V8.1 |
|
Maximum PIN Length |
|
|
Minimum PIN Length |
|
|
Repeated Characters Allowed |
|
|
Sequential Characters Allowed |
|
|
Logon Attempts |
Y |
|
PIN Inactivity Timer |
|
|
PIN History |
|
|
Lowercase PIN Characters |
|
|
Uppercase PIN Characters |
|
|
Numeric PIN Characters |
|
|
Symbol PIN Characters |
|
|
Lifetime |
|
- Y – Supported.
- blank – Not supported.
5.5.3 Logon attempts
The number of attempts to log on to a card before it is locked may be set by the manufacturer according to the BAP and may not be configurable through MyID, depending on the smart card being used. For example, if you set the number of logon attempts to 5, the following cards lock after the listed number of attempts, ignoring the value set in MyID:
- Oberthur ID-One PIV (v2.3.2) (Type A) Large D – 10 attempts.
- Oberthur ID-One PIV (v2.3.4) – 10 attempts.
- Oberthur ID-One PIV (v2.3.5) – 10 attempts.
- Oberthur ID-One PIV (v2.4.0) – 10 attempts.
The Logon Attempts option in the credential profile is encoded as the PIN try counter for the following:
- IDEMIA ID-One PIV 2.4.1 on Cosmo V8.1
This means that you can configure the number of logon attempts through MyID for this smart card.
Note: It is a feature of PIV cards that PIN attempts that are too short (for example, four digits) are rejected without being sent to the smart card, and therefore do not count towards the number of PIN attempts. Only PIN attempts that provide six or more digits are counted towards the number of attempts.
5.5.4 Card readers
Oberthur ID-One PIV (v2.3.5), Oberthur ID-One PIV (v2.4.0) cards, and IDEMIA ID-One PIV 2.4.1 on Cosmo V8.1 cards have been found to have interoperability problems with SCR331 card readers.
5.5.5 Windows logon using Oberthur ID-One PIV (v2.4.0) or IDEMIA ID-One PIV 2.4.1 on Cosmo V8.1 cards
If you want to use Oberthur ID-One PIV (v2.4.0) or IDEMIA ID-One PIV 2.4.1 on Cosmo V8.1 cards to log on to Windows, you must install the minidriver for PIV cards. The recommended versions are:
- Oberthur ID-One PIV (v2.4.0) – Oberthur minidriver for PIV cards version 1.1.3.1025.
- IDEMIA ID-One PIV 2.4.1 on Cosmo V8.1 (including SPE smart cards) – IDEMIA minidriver for PIV cards version 1.2.3.279.
This minidriver is used only for Windows logon – you do not need to install the minidriver to use the cards with MyID.
5.5.6 OPACITY Secure PIN Entry support
OPACITY Secure PIN Entry (SPE) requires that whenever a PIN or PUK is sent in an APDU (Application Protocol Data Unit) command to a smart card, it is sent using an encrypted secure channel.
Important: To issue smart cards that are manufactured to use SPE, you must set up the credential profile to use OPACITY; if you attempt to issue an SPE card with a credential profile that is not set up to use OPACITY, issuance of the card will fail. An error with number -2147220720 may appear; the audit may contain the message Not logged into card for the failure. See section 2.11, Setting up OPACITY for details of setting up your credential profile.
Note: Smart cards that are manufactured to use SPE are not PIV compliant.
This feature is supported within MyID on IDEMIA smart cards that have this capability. Currently, this includes the following:
- IDEMIA ID-One PIV 2.4.1 on Cosmo V8.1 smart cards, manufactured to BAP#087483 – ID-One PIV 2.4 on Cosmo v8.1 SPE.
You can confirm whether a card has been issued with support for OPACITY Secure PIN Entry (SPE) by using the Identify Card workflow. The Chip Type displayed in the workflow includes "SPE" if the card requires OPACITY Secure PIN Entry.
If you want to use cards manufactured to different specifications for SPE with MyID, contact your Intercede account manager to discuss your requirements.
Note: SPE-EP (Secure PIN Entry – Enhanced Privacy) is not supported.
5.5.7 Smart card readers supported for OPACITY
OPACITY personalization is supported for IDEMIA PIV cards when using a smart card reader that supports Extended APDU; for example, OmniKey 5x21 or OmniKey 5x25.
Only OPACITY personalization requires these readers; other operations are not restricted.
5.5.8 Additional identities and PIV cards
You cannot use the additional identities feature of MyID with any smart card that has a PIV applet. This includes all Oberthur/IDEMIA ID-One PIV smart cards.