Smart Card Services and Profiles
This section describes how the services offered by ActivClient (initialization, unlock and reset) vary depending on the smart card profile. ActivClient supports the following smart card initialization and management modes.
Standalone Mode
In this mode:
- Smart cards are delivered with applets configured with a default 'standalone' profile.
- Smart cards are initialized (that is, the PIN is defined) using the ActivClient PIN Initialization Tool, or simply on smart card insertion. A static unlock code is displayed to the user at the end of the initialization process. Because this code never changes, it must be recorded and protected like a PIN: anyone who obtains it can set a new PIN on the card.
- If the smart card becomes locked after too many incorrect PIN codes, users can unlock it (via the User Console or on smart card insertion) with the static unlock code. This allows users to define a new PIN code while their credentials are preserved on the smart card.
- Users can reset their smart card completely (from the User Console) if they know the PIN or the unlock code.
Supported with the following cards:
- ActivID Smart Card 64 V2 – ActivClient Profile (based on Oberthur CosmopolIC 64K V5.2)
- ActivID Smart Card 64K V2c – ActivClient Profile (based on Axalto Cyberflex Access 64K v2c)
- ActivID Smart Card 80K v3.2 – ActivClient Profile (based on Giesecke & Devrient SmartCafe Expert 80K DI v3.2)
- ActivID Smart Card 144K v3.2 – ActivClient Profile (based on Giesecke & Devrient SmartCafe Expert 144K DI v3.2)
- ActivID ActivKey V2 64k – ActivClient Profile (based on Axalto Cyberflex Access 64K V1 SM 2.1)
- ActivID ActivKey SIM 64K – ActivClient Profile (3 options: Axalto Cyberflex Access 64K v2c, Oberthur CosmopolIC 64K V5.2 and Giesecke & Devrient SmartCafe Expert 64K FIPS-1024)
- HID Global Crescendo C1150
- HID Global Crescendo C2300 family
- HID Global Crescendo Key
AAA Server-Managed Mode
When the AAA Server is used for OTP services:
- Smart cards are delivered with applets configured with a default 'standalone' profile.
- Smart cards are initialized (PIN code and OTP credentials) using the AAA Server Administrator Console or the ActivID Device Initialization Tool.
- If the smart card becomes locked after too many incorrect PIN codes, users can unlock it from the User Console with a challenge/response mechanism: the User Console shows a challenge, and users obtain the matching unlock response either by phone or online from the AAA Server Self Help Desk. This allows users to define a new PIN code while their credentials are preserved on the smart card.
- Users can reset the smart card completely (from the User Console) if they know the PIN or can obtain the unlock response (challenge/response).
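The difference between the standalone static unlock code and the AAA Server-managed challenge/response unlock is easiest to see in code. The following is an added illustration, not ActivClient's or the AAA Server's actual algorithm (which this page does not specify): the HMAC-SHA256 response derivation, the 8-digit response, the per-card unlock secret shared between card and server, and the `HelpDesk` class are all assumptions made for the demo. It shows that a static code is replayable by anyone who saw it at initialization, while a response is bound to one fresh challenge and cannot be reused.

```python
"""Static unlock code versus help-desk challenge/response for PIN unlock (added example)."""
from __future__ import annotations

import hashlib
import hmac
import secrets

MAX_PIN_TRIES = 3


class Card:
    """Common PIN state: a retry counter and credentials that an unlock must preserve."""

    def __init__(self, pin: str) -> None:
        self.pin = pin
        self.tries_left = MAX_PIN_TRIES
        self.credentials = {"auth_cert": "constructed-cert-bytes"}  # constructed placeholder

    def verify_pin(self, pin: str) -> bool:
        if self.tries_left == 0:
            return False  # locked: only an unlock can recover the card
        if hmac.compare_digest(pin, self.pin):
            self.tries_left = MAX_PIN_TRIES
            return True
        self.tries_left -= 1
        return False

    @property
    def locked(self) -> bool:
        return self.tries_left == 0


class StaticUnlockCard(Card):
    """Standalone mode: one fixed unlock code shown to the user at initialization."""

    def __init__(self, pin: str) -> None:
        super().__init__(pin)
        self.unlock_code = "".join(secrets.choice("0123456789") for _ in range(8))

    def unlock(self, code: str, new_pin: str) -> bool:
        # The same code works every time, so anyone who saw it can replay it later.
        if not hmac.compare_digest(code, self.unlock_code):
            return False
        self.pin, self.tries_left = new_pin, MAX_PIN_TRIES
        return True


def unlock_response(secret: bytes, card_id: str, challenge: str) -> str:
    """Assumed derivation: 8 decimal digits from HMAC-SHA256(secret, card_id || challenge)."""
    mac = hmac.new(secret, f"{card_id}|{challenge}".encode(), hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 10**8:08d}"


class ChallengeResponseCard(Card):
    """Server-managed mode: the card issues a fresh challenge; the help desk computes the response."""

    def __init__(self, pin: str, card_id: str, unlock_secret: bytes) -> None:
        super().__init__(pin)
        self.card_id = card_id
        self._unlock_secret = unlock_secret  # stays on the card; the server holds a copy (assumption)
        self._pending: str | None = None

    def start_unlock(self) -> str:
        self._pending = secrets.token_hex(4)  # fresh challenge shown to the user
        return self._pending

    def finish_unlock(self, response: str, new_pin: str) -> bool:
        if self._pending is None:
            return False
        expected = unlock_response(self._unlock_secret, self.card_id, self._pending)
        self._pending = None  # single use: a replayed response never matches a new challenge
        if not hmac.compare_digest(response, expected):
            return False
        self.pin, self.tries_left = new_pin, MAX_PIN_TRIES
        return True


class HelpDesk:
    """Server side (hypothetical): keeps per-card unlock secrets and answers challenges."""

    def __init__(self) -> None:
        self._secrets: dict[str, bytes] = {}

    def enroll(self, card_id: str) -> bytes:
        self._secrets[card_id] = secrets.token_bytes(32)
        return self._secrets[card_id]

    def respond(self, card_id: str, challenge: str) -> str:
        return unlock_response(self._secrets[card_id], card_id, challenge)


def lock_card(card: Card) -> None:
    for _ in range(MAX_PIN_TRIES):
        card.verify_pin("000000")  # constructed wrong PIN


def demo_static_replay() -> bool:
    """True if the static code unlocked the card twice and credentials survived: it is replayable."""
    card = StaticUnlockCard("123456")
    code = card.unlock_code  # displayed once at initialization
    lock_card(card)
    first = card.unlock(code, "111111")
    lock_card(card)
    second = card.unlock(code, "222222")  # same code, still accepted
    return first and second and card.verify_pin("222222") and card.credentials == {"auth_cert": "constructed-cert-bytes"}


def demo_challenge_response() -> tuple[bool, bool]:
    """Returns (first unlock succeeded, replaying the old response against a new challenge failed)."""
    desk = HelpDesk()
    card = ChallengeResponseCard("123456", "card-0001", desk.enroll("card-0001"))
    lock_card(card)
    response = desk.respond("card-0001", card.start_unlock())  # read to the user by phone
    unlocked = card.finish_unlock(response, "111111")
    lock_card(card)
    card.start_unlock()  # new challenge this time
    replayed = card.finish_unlock(response, "222222")
    return unlocked, (not replayed and card.locked)
```

Both cards keep `credentials` untouched across an unlock, which is the "credentials are preserved" property the page describes; a full reset would clear them as well.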
ActivID CMS-Managed Mode
In this mode:
- Smart cards are delivered without applets.
- Smart cards are initialized and managed by ActivID CMS (including applet loading and loading of user credentials such as certificates).
- If the smart card becomes locked after too many incorrect PIN codes, users can unlock it with one of the following methods:
  - Online, with the ActivID CMS User Portal.
  - From the ActivClient User Console, using a challenge/response mechanism (users obtain the unlock response by telephone from their help desk). This method is available only with some device profiles; for further information, refer to the ActivID CMS documentation.
  Either method allows users to define a new PIN code while their credentials are preserved on the smart card.
- Users can securely update the smart card content (applets and credentials) using the ActivID CMS User Portal.
- Users can reset the smart card completely using ActivID CMS.
US Department of Defense Common Access Card (CAC) Mode
In this mode:
- ActivClient uses the DOD Common Access Card in read-only mode for usage operations (PKI services and demographic data), in compliance with the DOD middleware requirements. The Change PIN function is supported.
- Issuance, card unlock and card update (update of certificates or demographic data) are services provided by the DOD.
Supported with the following CAC models:
- CAC v2
- CAC Next Generation NG
- CAC PIV Endpoint, with the PIV Authentication certificate 'activated' or not for the GSC-IS interface
- CAC PIV Endpoint with CAC applet 2.7.x
- Giesecke & Devrient SmartCafe Expert 144K DI v7.0 #3
- Thales IDCore 3230
For the list of supported card platforms, see Smart Cards and USB Tokens.
When the US Department of Defense configuration feature is installed, ActivClient uses these cards in GSC-IS-compliant mode; otherwise, it uses them in PIV-compliant mode.
US Government PIV Mode
This mode refers to:
- PIV and PIV-I (PIV Interoperable) cards compliant with NIST Special Publication 800-73-4
- CIV (Commercial Identity Verification) and PIV-like cards (PIV interface, with additional flexibility in terms of card content and policies)
In addition:
- Smart cards can be issued by ActivID CMS (PIV-compliant) or by other smart card management systems.
- ActivClient uses the PIV smart card in read-only mode for usage operations (PKI services and demographic data), in compliance with the PIV specifications. The Change PIN function is supported.
- Under the FIPS 201 specification, a smart card unlock (also known as PIN Reset) must be performed in the presence of an Issuance Officer, with biometric verification of the cardholder. The smart card unlock function is therefore not available for PIV smart cards in ActivClient, but it can be performed with ActivID CMS.
- ActivClient also supports PIV extensions (also known as PIV-like or PIV+). In this configuration, ActivClient uses the card according to the card profile and policies applied during ActivID CMS-based issuance. For example, the PIN can be unlocked using a challenge/response model, the PIN might not be required for signature operations (leveraging the ActivClient PIN Caching service), or additional credentials (certificates or one-time passwords) might be available.
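At the card interface, the split between what the cardholder can do (verify and change the PIN) and what only the issuer can do (reset the retry counter) corresponds to three PIV Card Application commands from NIST SP 800-73-4 Part 2. The following is an added example, not ActivClient code: it builds the VERIFY, CHANGE REFERENCE DATA and RESET RETRY COUNTER APDUs for the PIV Card Application PIN (key reference 0x80), decodes the status words a PIV card returns (63 CX wrong PIN with X retries left, 69 83 blocked), and runs them against a minimal in-memory card constructed for the demo. The simulated card's PUK value is made up; on a real card the PUK is held by the issuer (here, ActivID CMS), which is why the cardholder cannot unlock a PIV card from ActivClient.

```python
"""PIV PIN operations at the APDU level, NIST SP 800-73-4 Part 2 (added example)."""
from __future__ import annotations

from dataclasses import dataclass

PIV_PIN = 0x80  # key reference of the PIV Card Application PIN
INS_VERIFY, INS_CHANGE_REF_DATA, INS_RESET_RETRY = 0x20, 0x24, 0x2C
SW_OK, SW_BLOCKED = (0x90, 0x00), (0x69, 0x83)


def pad_pin(pin: str) -> bytes:
    """PIV PINs are 6 to 8 ASCII digits, right-padded with 0xFF to 8 bytes."""
    if not (6 <= len(pin) <= 8 and pin.isdigit()):
        raise ValueError("PIV PIN must be 6 to 8 decimal digits")
    return pin.encode("ascii").ljust(8, b"\xff")


def verify_apdu(pin: str) -> bytes:
    """VERIFY: CLA 00, INS 20, P1 00, P2 80, Lc 08, padded PIN."""
    return bytes([0x00, INS_VERIFY, 0x00, PIV_PIN, 0x08]) + pad_pin(pin)


def change_pin_apdu(old_pin: str, new_pin: str) -> bytes:
    """CHANGE REFERENCE DATA: cardholder proves the current PIN; no issuer involvement."""
    return bytes([0x00, INS_CHANGE_REF_DATA, 0x00, PIV_PIN, 0x10]) + pad_pin(old_pin) + pad_pin(new_pin)


def reset_retry_counter_apdu(puk: bytes, new_pin: str) -> bytes:
    """RESET RETRY COUNTER: needs the 8-byte PUK, which the cardholder does not hold under FIPS 201."""
    if len(puk) != 8:
        raise ValueError("PUK must be exactly 8 bytes")
    return bytes([0x00, INS_RESET_RETRY, 0x00, PIV_PIN, 0x10]) + puk + pad_pin(new_pin)


def decode_sw(sw1: int, sw2: int) -> str:
    """Translate the status words a middleware must handle for PIN commands."""
    if (sw1, sw2) == SW_OK:
        return "success"
    if sw1 == 0x63 and sw2 & 0xF0 == 0xC0:
        return f"wrong PIN, {sw2 & 0x0F} retries remaining"
    if (sw1, sw2) == SW_BLOCKED:
        return "blocked: authentication method blocked"
    return f"unexpected status {sw1:02X}{sw2:02X}"


@dataclass
class SimPivCard:
    """Constructed PIV PIN state machine for the demo; models only the status words above."""
    pin: bytes = pad_pin("123456")
    puk: bytes = bytes(range(8))  # made-up PUK; a real PUK stays with the issuer
    pin_tries: int = 3
    puk_tries: int = 3

    def transmit(self, apdu: bytes) -> tuple[int, int]:
        ins, p2, lc = apdu[1], apdu[3], apdu[4]
        data = apdu[5:5 + lc]
        if p2 != PIV_PIN:
            return (0x6A, 0x88)  # referenced data not found
        if ins == INS_VERIFY:
            return self._check(data, "pin_tries", self.pin)
        if ins == INS_CHANGE_REF_DATA:
            sw = self._check(data[:8], "pin_tries", self.pin)
            if sw == SW_OK:
                self.pin = data[8:16]
            return sw
        if ins == INS_RESET_RETRY:
            sw = self._check(data[:8], "puk_tries", self.puk)
            if sw == SW_OK:
                self.pin, self.pin_tries = data[8:16], 3
            return sw
        return (0x6D, 0x00)  # instruction not supported

    def _check(self, presented: bytes, counter: str, reference: bytes) -> tuple[int, int]:
        left = getattr(self, counter)
        if left == 0:
            return SW_BLOCKED  # counter already exhausted: even the right value is refused
        if presented != reference:
            left -= 1
            setattr(self, counter, left)
            return (0x63, 0xC0 | left)
        setattr(self, counter, 3)
        return SW_OK


def demo() -> list[str]:
    """Wrong PIN, cardholder PIN change, lock-out, then issuer-side unlock with the PUK."""
    card, log = SimPivCard(), []
    log.append(decode_sw(*card.transmit(verify_apdu("111111"))))
    log.append(decode_sw(*card.transmit(change_pin_apdu("123456", "654321"))))
    for _ in range(3):
        sw = card.transmit(verify_apdu("000000"))
    log.append(decode_sw(*sw))
    log.append(decode_sw(*card.transmit(verify_apdu("654321"))))  # correct PIN, but blocked
    log.append(decode_sw(*card.transmit(reset_retry_counter_apdu(card.puk, "777777"))))
    log.append(decode_sw(*card.transmit(verify_apdu("777777"))))
    return log
```

A middleware in read-only PIV mode sends only the first two commands on the cardholder's behalf; the third is the issuer's action that FIPS 201 ties to an in-person identity check.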
Supported with the following cards:
- Cards with the ActivID PIV applet suite
- Athena IDProtect Duo PIV
- CardLogix Credentsys-J PIV
- Gemalto GemCombi'Xpresso R4 E72 PK Standard
- Gemalto TOP DL GX4 v2 144K FIPS with Gemalto PIV 1.55 applet
- HID Global pivCLASS
- HID Global Crescendo 144K FIPS
- HID Global Crescendo PIV
- HID Global Crescendo C2300 family
- HID Global Crescendo Key
- HID Global Crescendo Key FIPS
- HID Global Crescendo Key FIPS CL
- IDEMIA Cosmo 8.1 with ID-One PIV 2.4.1
- IDEMIA Cosmo 8.2 with ID-One PIV 2.4.2
- IDEMIA Cosmo 8.1 with ID-One PIV 2.4.1 CL
- IDEMIA Cosmo 8.2 with ID-One PIV 2.4.2 CL
- Keycorp MULTOS 64K with StepNexus PIV Application v4.2.1
- Oberthur ID-One Cosmo 64K v5.2D Fast ATR with PIV application
- Oberthur ID-One Cosmo 64K v5.2D Fast ATR with PIV application SDK
- Oberthur ID-One Cosmo v7.0 with Oberthur PIV Applet v2.3.2
- Oberthur ID-One Cosmo v8 with Oberthur PIV Applet v2.3.5 / 2.4.0
- Safenet 400 PIV
- Sagem Orga J-ID Mark 64 PIV with Sagem PIV Applet version 01
- Thales IDCore 3230
- Yubico YubiKey FIPS
- Yubico YubiKey 5