5.4 Lifecycle management of a VSC
Once VSCs have been deployed, consideration needs to be given to the management of the VSCs. MyID offers a range of features to assist with this.
5.4.1 Logical access control
The certificates within the VSC can be disabled, enabled or revoked. Systems that use certificates for access control or signing should check the revocation status to ensure that use of the certificate is still permitted.
MyID can change the status of the certificate in the following situations:
- The user account is disabled or enabled in MyID (including actions occurring following synchronization to a directory)
- The VSC is disabled or enabled in MyID (this can also be triggered by using the Active credential profiles per person configuration option in MyID).
- The VSC is canceled in MyID.
- A request for a replacement VSC is created in MyID, causing cancellation of the original VSC.
All of these scenarios can be triggered by MyID Desktop or an external system using the Lifecycle API.
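The revocation check that the first paragraph of this section asks for, as an added example that is not part of the MyID documentation or product: a Go function that validates a CRL against its issuing CA, fails closed on a forged or stale CRL, and then looks for the certificate's serial number. Demo builds a throwaway CA, two constructed logon certificates and a CRL that revokes one of them (standing in for the certificate MyID revokes when a VSC is cancelled); the names Example CA and alice, the serial numbers and the validity periods are all constructed, and the standard library's crypto/x509 does the work.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// RevokedByCRL validates a DER-encoded CRL against its issuing CA, fails closed on a
// forged or stale CRL, and reports whether cert's serial number is listed in it.
func RevokedByCRL(cert, issuer *x509.Certificate, crlDER []byte, now time.Time) (bool, error) {
	crl, err := x509.ParseRevocationList(crlDER)
	if err != nil { return false, err }
	if err := crl.CheckSignatureFrom(issuer); err != nil { return false, fmt.Errorf("CRL signature: %w", err) } // not signed by the issuing CA
	if now.After(crl.NextUpdate) { return false, fmt.Errorf("CRL expired at %s", crl.NextUpdate) }            // stale CRL: fail closed
	for _, e := range crl.RevokedCertificates {
		if e.SerialNumber.Cmp(cert.SerialNumber) == 0 { return true, nil }
	}
	return false, nil
}
// Demo builds a throwaway CA, two logon certificates and a CRL that revokes serial 1001 (the
// cancelled VSC); it returns the verdict for the cancelled and for the still-active certificate.
func Demo() (cancelledRevoked, activeRevoked bool, err error) {
	now := time.Now()
	caKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // constructed test material, not a real CA
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example CA"}, IsCA: true,
		BasicConstraintsValid: true, NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign}
	caDER, _ := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	ca, _ := x509.ParseCertificate(caDER)
	leaf := func(serial int64) *x509.Certificate { // client-authentication certificate as held in a VSC
		k, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
		der, _ := x509.CreateCertificate(rand.Reader, &x509.Certificate{SerialNumber: big.NewInt(serial),
			Subject: pkix.Name{CommonName: "alice"}, NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
			KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}, ca, &k.PublicKey, caKey)
		c, _ := x509.ParseCertificate(der); return c
	}
	cancelled, active := leaf(1001), leaf(1002)
	crlDER, err := x509.CreateRevocationList(rand.Reader, &x509.RevocationList{Number: big.NewInt(7), ThisUpdate: now,
		NextUpdate: now.Add(time.Hour), RevokedCertificates: []pkix.RevokedCertificate{{SerialNumber: cancelled.SerialNumber, RevocationTime: now}}}, ca, caKey)
	if err != nil { return false, false, err }
	if cancelledRevoked, err = RevokedByCRL(cancelled, ca, crlDER, now); err != nil { return false, false, err }
	activeRevoked, err = RevokedByCRL(active, ca, crlDER, now)
	return cancelledRevoked, activeRevoked, err
}
```

Demo returns true for the cancelled certificate and false for the active one; a CRL that fails signature validation or is past its NextUpdate is reported as an error rather than as "not revoked".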
5.4.2 PIN management
It is common for users to forget or mistype PINs, resulting in the VSC becoming unusable. The TPM anti-hammering mechanism protects the device from dictionary attacks by limiting the number of PIN entry attempts permitted when repeated attempts are made.
There are differences in how PINs are handled, and in the behavior of the TPM anti-hammering mechanism, between versions of the Windows operating system and between different manufacturers' TPMs, so any organization deploying VSCs should check the devices being used and ensure that support processes are defined for each combination.
MyID's PIN locking functionality does not work in the same way as it does for standard smart cards. For example, this means that you cannot use the lock at issuance feature.
Feature | Supported?
---|---
Lock VSC PIN from Windows¹ | Yes
Changing the VSC PIN from MyID | Yes
Reset VSC PIN from MyID | Yes
Remote Unlock PIN from MyID | Yes
Unblock TPM from MyID | No
5.4.3 Changing the VSC PIN from MyID
On a Windows device, the simplest approach to managing PIN changes is to allow the user to use the Windows built-in capability. You can access this feature using the Ctrl+Alt+Del key combination in Windows. The original PIN must be entered and accepted before the new PIN can be set.
Alternatively, MyID provides a Reset Card PIN workflow that you can use if the Windows feature is restricted within your environment. This requires authentication to MyID first, which can be achieved using the VSC, a separate smart card, pre-registered security questions, or Integrated Windows Logon.
5.4.4 Resetting the VSC PIN from MyID
If the user can log on to Windows with alternative credentials, MyID can provide a self-service unlocking capability. Using a physical smart card, Integrated Windows Logon, an authentication code issued by MyID, or a pre-registered security question, the user can unlock the VSC user PIN and set a new PIN through the MyID Desktop user interface.
This feature operates in the same way for VSCs as for physical smart cards. For further details of the Reset PIN workflow, see the Unlocking cards and resetting PINs section in the Operator's Guide.
5.4.5 Remotely unlocking the VSC PIN from MyID
Where the user is not able to access Windows, a challenge-response mechanism can be used to unlock the PIN of the VSC. The procedure requires the end user to be able to communicate with a helpdesk operator, who will use MyID to generate an unlock code.
The helpdesk operator will use MyID Desktop to access the Unlock Credential workflow. Once the user's identity is confirmed, MyID will request the challenge code generated by the device holding the VSC.
The user will access the "Integrated Unblock" feature of the Windows logon page, which will generate a challenge code. The user provides the challenge code to the helpdesk operator. To use this feature, the Windows group policy setting "Allow Integrated Unblock screen to be displayed at the time of logon" must be enabled.
MyID will generate a response code, which is displayed in the MyID user interface. The user enters this code on their device; once the device has validated it, the user is allowed to set a new PIN.
You must set the following in the Computer Configuration\Administrative Templates\Windows Components\Smart Card group policy:
- Allow Integrated Unblock screen to be displayed at the time of logon – set to Enabled.
- Display string when smart card is blocked – set to a message you want to appear when the VSC is locked. For example, LOCKED.
To unlock a VSC remotely using MyID, use the Unlock Credential workflow. For information on using this workflow, see the Unlocking a credential remotely section in the Operator's Guide.