PIN Caching

ActivClient provides advanced Card Authentication Management, which defines how you can use PIN-protected services on the card, such as the RSA private keys.

This involves a PIN Caching service that is flexible and that you can configure with a variety of settings, ranging from very easy-to-use settings to more complex, more secure ones.

For a full description of the ActivClient PIN Caching service, see PIN Caching Service.

The following sections detail the PIN Caching Service policy settings:

Important:

Restart the Workstation

For the PIN Caching policy changes to be applied, you must restart the workstation.

Allow per-process PIN caching

Description:

Defines if the PIN cache is shared between Microsoft Windows processes.

If this setting is not configured or disabled, then all processes running in the same session share the same PIN cache.

Allow PIN sharing when an ASR Rule is configured

Description:

Defines if the PIN cache is shared between Microsoft Windows system processes.

When the Attack Surface Reduction (ASR) rule "Block credential stealing from the Windows local security authority subsystem (lsass.exe)" is enabled under "Windows Defender Exploit Guard", enable this GPO setting to allow system processes to share the PIN cache.

If this setting is not configured or disabled, system processes cannot share the PIN cache.

Disable PIN cache clearance on workstation lock

Description:

Disables the clearance of the PIN cache when the workstation is locked.

If this setting is not configured or disabled, then the PIN is cleared from the cache when the workstation is locked.

Disabling PIN cache clearance when the workstation is locked lowers the security of the smart card deployment.

Enable PIN caching for "PIN Always" private keys

Description:

Defines if the PIN cache is applicable for operations with a private key configured for "PIN Always".

If this setting is enabled with the PIN Cache Type set to User Acknowledgement, a confirmation dialog guarantees non-repudiation for these operations.

If this setting is enabled and the selected PIN Cache Type is Full Caching, the PIN is supplied automatically without user action (not compliant with FIPS 201).

If this setting is enabled, per-process PIN caching is recommended for improved security and for FIPS 201 compliance.

Note: The User Acknowledgement option complies with NISTIR 7863.

Exclude Executables from ActivClient PIN cache

Description:

List of executables excluded from ActivClient PIN cache use (applicable to CAPI/CNG-based executables).

Possible Values:

  • Not Configured

  • Enabled – lets you add the list of applications for which PIN caching is excluded.

  • Disabled

Note: To avoid a Microsoft Outlook crash while decrypting e-mail when Microsoft AIP (Azure Information Protection) is enabled, you can add Outlook.exe to the list of applications.

Number of minutes before PIN cache is cleared

Description:

Defines the number of minutes before the PIN cache is cleared. The default value is 15.

If this value is set to 9999, the PIN cache timeout is infinite. This means that the PIN cache is cleared at log off, shutdown, session disconnect or card removal, or on workstation lock (depending on the Disable PIN cache clearance on workstation lock setting).

If this setting is disabled or not configured, the default value is used.

Possible Values:

  • Not Configured

  • Enabled – displays the default value, 15, and can be updated

  • Disabled

Enable logging for ActivClient PIN cache use

Description:

Enables the creation of entries in the Microsoft Windows Event Viewer for ActivClient PIN cache use (PIN set, PIN removed). Use these entries to troubleshoot potential PIN caching issues.

If this setting is disabled or not configured, then ActivClient PIN cache use events are not logged.

Possible Values:

  • Not Configured

  • Enabled – PIN cache use events are logged.

  • Disabled
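The following Python model is an added illustration of how the settings above combine (cache scope, timeout, clearance on lock and other session events, executable exclusion) together with an audit of the combinations the descriptions call out as weakening security; it is not ActivClient code, and every class and function name is hypothetical. It assumes the timeout counts from the minute the PIN was cached.

```python
from dataclasses import dataclass, field

INFINITE_TIMEOUT = 9999  # special value: the cache never expires on its own


@dataclass
class PinCachePolicy:  # hypothetical names mirroring the GPO settings above
    per_process: bool = False    # Allow per-process PIN caching
    keep_on_lock: bool = False   # Disable PIN cache clearance on workstation lock
    timeout_minutes: int = 15    # Number of minutes before PIN cache is cleared
    excluded: frozenset = frozenset()  # Exclude Executables from ActivClient PIN cache


@dataclass
class PinCache:
    policy: PinCachePolicy
    entries: dict = field(default_factory=dict)  # scope -> minute the PIN was cached

    def _scope(self, exe, pid):
        # Per-process caching keys entries by process; otherwise the session shares one.
        return (exe.lower(), pid) if self.policy.per_process else "session"

    def pin_verified(self, exe, pid, now):
        # Excluded executables never populate the cache.
        if exe.lower() in self.policy.excluded:
            return False
        self.entries[self._scope(exe, pid)] = now
        return True

    def can_use_key(self, exe, pid, now):
        # Reuse the cached PIN without prompting; assumed: timeout counts from caching time.
        cached_at = self.entries.get(self._scope(exe, pid))
        if cached_at is None or exe.lower() in self.policy.excluded:
            return False
        expired = (self.policy.timeout_minutes != INFINITE_TIMEOUT
                   and now - cached_at >= self.policy.timeout_minutes)
        return not expired

    def session_event(self, name):
        # Lock clears the cache unless clearance on lock is disabled; log off, shutdown,
        # session disconnect and card removal always clear it.
        if name == "lock" and self.policy.keep_on_lock:
            return
        self.entries.clear()


def audit(policy):
    # Flags the settings the policy descriptions call out as weakening security.
    findings = []
    if policy.keep_on_lock:
        findings.append("PIN cache survives workstation lock")
    if policy.timeout_minutes == INFINITE_TIMEOUT:
        findings.append("PIN cache timeout is infinite")
    return findings
```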