5.5 Interoperability for IDEMIA smart cards

This section contains information about any considerations for using these smart card with other systems.

5.5.1 Unlocking IDEMIA PIV cards

IDEMIA and Oberthur ID-One PIV cards include a PIV applet, which means that you can use the MyID Card Utility to carry out a remote challenge/response unlock operation and change the user PIN, and the unlock credential provider to unlock the devices from the Windows logon screen.

See section 2.13, Unlocking smart cards that have a PIV applet.

5.5.2 PIN policy settings

MyID allows you to set various policies for PINs using the settings in the credential profile. MyID enforces these settings for any operations carried out by MyID. For some smart cards, some or all of these settings are applied directly to the card, which means that the settings will also be enforced by third-party tools and utilities.

The following settings are supported for on-card PIN policy settings:

 

Smart card

Smart card

PIN Setting

IDEMIA ID-One PIV 2.4.1 on Cosmo V8.1

IDEMIA ID-One PIV 2.4.2 on Cosmo V8.2

Maximum PIN Length

 

 

Minimum PIN Length

 

 

Repeated Characters Allowed

 

 

Sequential Characters Allowed

 

 

Logon Attempts

Y

Y

PIN Inactivity Timer

 

 

PIN History

 

 

Lowercase PIN Characters

 

 

Uppercase PIN Characters

 

 

Numeric PIN Characters

 

 

Symbol PIN Characters

 

 

Lifetime

 

 

5.5.3 Logon attempts

The number of attempts to log on to a card before it is locked may be set by the manufacturer according to the BAP and may not be configurable through MyID, depending on the smart card being used. For example, if you set the number of logon attempts to 5, the following cards lock after the listed number of attempts, ignoring the value set in MyID:

The Logon Attempts option in the credential profile is encoded as the PIN try counter for the following:

This means that you can configure the number of logon attempts through MyID for this smart card.

Note: It is a feature of PIV cards that PIN attempts that are too short (for example, four digits) are rejected without being sent to the smart card, and therefore do not count towards the number of PIN attempts. Only PIN attempts that provide six or more digits are counted towards the number of attempts.

5.5.4 Card readers

Oberthur ID-One PIV (v2.3.5), Oberthur ID-One PIV (v2.4.0) cards, and IDEMIA ID-One PIV 2.4.1 on Cosmo V8.1 cards have been found to have interoperability problems with SCR331 card readers. You may also experience problems with IDEMIA ID-One PIV 2.4.2 on Cosmo V8.2 cards.

5.5.5 Windows logon using Oberthur ID-One PIV (v2.4.0), IDEMIA ID-One PIV 2.4.1 on Cosmo V8.1, or IDEMIA ID-One PIV 2.4.2 on Cosmo V8.2 cards

If you want to use Oberthur ID-One PIV (v2.4.0), IDEMIA ID-One PIV 2.4.1 on Cosmo V8.1, or IDEMIA ID-One PIV 2.4.2 on Cosmo V8.2 cards to log on to Windows, you must install the minidriver for PIV cards. The versions that have been verified are:

This minidriver is used only for Windows logon – you do not need to install the minidriver to use the cards with MyID.

5.5.6 OPACITY Secure PIN Entry support

OPACITY Secure PIN Entry (SPE) requires that whenever a PIN or PUK is sent in an APDU (Application Protocol Data Unit) command to a smart card, it is sent using an encrypted secure channel.

Important: To issue smart cards that are manufactured to use SPE, you must set up the credential profile to use OPACITY; if you attempt to issue an SPE card with a credential profile that is not set up to use OPACITY, issuance of the card will fail. An error with number -2147220720 may appear; the audit may contain the message Not logged into card for the failure. See section 2.11, Setting up OPACITY for details of setting up your credential profile.

Note: Smart cards that are manufactured to use SPE are not PIV compliant.

This feature is supported within MyID on IDEMIA smart cards that have this capability. Currently, this includes the following:

You can confirm whether a card has been issued with support for OPACITY Secure PIN Entry (SPE) by using the Identify Card workflow. The Chip Type displayed in the workflow includes "SPE" if the card requires OPACITY Secure PIN Entry.

If you want to use cards manufactured to different specifications for SPE with MyID, contact your Intercede account manager to discuss your requirements.

Note: SPE-EP (Secure PIN Entry – Enhanced Privacy) is not supported.

5.5.7 Smart card readers supported for OPACITY

OPACITY personalization is supported for IDEMIA PIV cards when using a smart card reader that supports Extended APDU; for example, OmniKey 5x21 or OmniKey 5x25.

Only OPACITY personalization requires these readers; other operations are not restricted.

5.5.8 Additional identities for IDEMIA PIV cards

MyID has been tested issuing additional identities to IDEMIA PIV cards using the IDEMIA minidriver v1.28.

For more information, see the Additional identities on devices with PIV applets section in the Administration Guide.

5.5.9 Global PIN support

PIV cards support only numeric PINs for their user PINs. If you want to use alphanumeric PINs, your smart card must support Global PINs; this is an alternative PIN that can allow a wider range of characters, if the smart card has been manufactured to a custom specification that allows this. When you issue a smart card with Global PIN enabled, the user PIN and the user PUK (Personal Unblocking Key) are disabled, and the Global PIN and Global PUK are used instead.

Note: You cannot use the MyID Card Utility or the Unlock Credential Provider to unlock devices with Global PINs.

To issue a smart card with a Global PIN, you must enable the Use Global PIN option in the PIN Settings section of the Credential Profiles workflow.

This feature is supported within MyID on IDEMIA smart cards that have this capability. Currently, this includes the following: