8 Hardening Configuration

8.1 Visibility of user data

MyID has a feature for showing the name and photograph of the user during the MyID Desktop or MyID Operator Client logon process; that is, when you insert a smart card.

Since this occurs before successful authentication, an attacker could attempt to use this feature to harvest names and photographs of users of the system. By default, this feature is not enabled.

8.1.1 Implementation

For production environments, ensure this feature is disabled:

  1. Within MyID, from the Configuration category, select Security Settings.
  2. On the Logon tab, set the following options:

    • Show Full Name at Logon – ensure this option is set to No.
    • Show Photo at Logon – ensure this option is set to No.
  3. Click Save changes.