Overview

To provide two-factor authentication, most smart card operations are PIN-protected – users need to have the card, and know the card PIN, in order to use the card.

Some smart card middleware leaves the card open after a PIN entry, meaning that any application can then use the card without the user entering the PIN again. This provides a high level of usability (only one PIN entry is required until the card is removed from the reader), but is weak in terms of security. For example, a virus or Trojan horse could use the card to perform an authentication to a secure site, sign a financial transaction, or decrypt sensitive documents – without the user’s consent or even knowledge. Non-repudiation cannot be guaranteed.

Other middleware might 'close' the card after each operation, meaning that once the user has entered the PIN and the card operation has been performed (for example, an authentication to a secure site), the card is closed. The user will need to enter the PIN again for the next card operation (such as access to another site or signing a transaction). As some functional operations require several actual card operations (for example, a Windows smart card logon requires four digital signatures), this can easily lead to repeated PIN prompts, causing user frustration. This model is very secure, but highly inconvenient to the user.

ActivClient PIN cache has been designed to address these two concerns:

  • The PIN authentication status is reset (that is, the card is closed) after the user has authenticated to the card with the PIN; the PIN entry can take place in the ActivClient user interface or in a third-party interface (such as Windows Logon or Firefox).

  • The PIN value is cached securely by ActivClient until the user logs off, the workstation is locked, the workstation shuts down, the card is removed, or the PIN cache timeout is reached.

  • ActivClient seamlessly re-authenticates to the card using the cached PIN before each PIN-protected operation.

  • The PIN authentication status is reset (that is, the card is closed) after each PIN-protected operation.

  • ActivClient PIN cache includes policies to further customize whether the PIN cache submits the PIN seamlessly to applications, or whether it prompts the user to enter the PIN – this enables more granular control of the PIN prompts.
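The model described in the list above, as an added Python simulation (not ActivClient's code): a constructed stand-in card, a cache that re-verifies the PIN before each protected operation and closes the card again afterwards, a policy hook that forces a prompt for selected operations, and the timeout and clearing events. The operation names, the injectable clock and a timeout counted from the last PIN entry are assumptions.

```python
import time

class SimCard:
    """Constructed stand-in for a PIN-protected card: signing needs a verified PIN."""
    def __init__(self, pin):
        self._pin, self.verified = pin, False
    def verify(self, pin):
        self.verified = (pin == self._pin)
        return self.verified
    def logout(self):                   # "close" the card: PIN authentication status reset
        self.verified = False
    def sign(self, data):
        if not self.verified:
            raise PermissionError("PIN not verified")
        return b"SIG(" + data + b")"

class PinCache:
    """Caches the PIN, re-verifies before each protected operation, closes the card after it."""
    def __init__(self, card, timeout_s, prompt_policy=lambda op: False, clock=time.monotonic):
        self.card, self.timeout, self.policy, self.clock = card, timeout_s, prompt_policy, clock
        self._pin, self._cached_at = None, 0.0
    def authenticate(self, pin):
        """Initial PIN entry (ActivClient UI or a third-party dialog such as Windows Logon)."""
        if not self.card.verify(pin):
            return False
        self._pin, self._cached_at = pin, self.clock()
        self.card.logout()              # card closed at once; only the cache holds the PIN
        return True
    def clear(self):                    # logoff, lock, shutdown or card removal
        self._pin = None
    def protected_op(self, op, fn, prompt=None):
        """Run fn on an opened card; returns None when the operation is denied."""
        # Assumption: the cache timeout counts from the last PIN entry.
        if self._pin is None or self.clock() - self._cached_at > self.timeout:
            self.clear()
            return None                 # cache empty or expired: a fresh PIN entry is needed
        if self.policy(op):             # policy: ask the user instead of submitting seamlessly
            if prompt is None:
                return None
            pin = prompt()
        else:
            pin = self._pin             # seamless submission of the cached PIN
        if not self.card.verify(pin):
            return None
        try:
            return fn(self.card)        # e.g. one of the four Windows logon signatures
        finally:
            self.card.logout()          # close the card again after every operation
```

Between operations the card is always closed, so a process that bypasses the cache and talks to the card directly finds no open PIN session to ride on.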

The following sections provide more detailed information on the PIN Caching Service policy, compared to the corresponding section PIN Caching.