Managing Mobile Smart Cards
Mobile smart card (MSC) devices are a type of virtual smart card that is hosted on end-user mobile devices (cell phones or tablets). Mobile smart cards are created directly on the user’s mobile device using the HID Crescendo Mobile application (available on Google Play or on the Apple Store). For details about how to create a mobile smart card using this application, refer to the HID Crescendo Mobile Application User Guide.
Mobile smart cards can be issued:
- using remote issuance directly on the mobile device; for details, see Configuring Remote Issuance.
- using the ActivID CMS User Portal; for details, see the procedure for self-issuing a device in the ActivID CMS User online documentation.
- locally by an operator, following the same procedures as for physical smart cards, using an NFC (Android devices only) or Bluetooth connection; for details, see Issuing an Initial Device to a User in Your Directory.
Mobile smart cards are managed in the Help Desk just like physical smart cards, and can be enrolled in the Operator or User Portal (this setting must be enabled in the Operator Portal; for details, see Setting Parameters for Devices).
About Mobile Smart Cards
The HID Crescendo Mobile application creates a mobile smart card on the user’s device that can be used with a Windows Mini Driver, with ActivClient, and with other PIV-compliant middleware. The mobile smart card is protected by a PIN, offering a two-factor authentication model.
A mobile smart card provides the same standard smart card operations, such as logging on to Windows or sending encrypted emails, as a physical smart card. It is accessible through a smart card reader using NFC (Android devices only), or using Bluetooth.
Prerequisites for Using Mobile Smart Cards
- Mobile device running Android 7 or higher, or iOS 10 or higher.
- The HID Crescendo Mobile application must be installed on the end-user's mobile device; for details, refer to the HID Crescendo Mobile Application User Guide.
- A policy for mobile smart cards must be assigned to the corresponding user group; for details, see Creating a Device Policy, Configuring Applications and Configuring Group Assignments.
- Remote issuance (if used) must be enabled; for details, see Configuring Remote Issuance.
- To use the User Portal for issuance (if applicable):
  - The URL of the User Portal where the device is to be self-issued must be added as a Trusted Site in the user's browser.
  - Self-binding and self-issuance must be enabled for the User Portal; for details, see Configure the ActivID CMS User Portal.
  - Enrollment of mobile smart cards in the User Portal must be enabled; for details, see Setting Parameters for Devices.
- For mobile smart cards to connect using Bluetooth, the HID Bluetooth Virtual Reader must be installed on the machine.
- For mobile smart cards to connect using NFC (Android devices only), a contactless reader must be available on the machine.
Mobile Smart Card Profile
ActivID CMS provides a dedicated profile for mobile smart cards.
| Item | Description |
|---|---|
| Profile name | CIV - AI 2048 Crescendo Mobile |
| Profile description | CIV Commercial Identity Verification profile, with extended PKI, for Crescendo Mobile |
| Supported features | |
| PIN Policy | |
For more details about this device profile, refer to Device Profiles and Hardware Devices.
Configuring Remote Issuance
Remote issuance allows users to issue mobile smart card credentials directly on their mobile device.
The following settings are required to perform remote issuance:
- Enable and configure support for remote issuance using the Remote issuance topic on the Customization page (see Setting Parameters for Remote Issuance).
- Configure the Remote Issuance Security Settings (see Configuring Security Settings).
- When issuing the initial mobile smart card device for a user, select the Request Remote Issuance option (see Issuing an Initial Device to a User in Your Directory).
Authenticating with Mobile Smart Cards
Mobile smart cards offer security and authentication functions similar to those of physical smart cards. All users have to do is enter the PIN code for the mobile smart card when prompted.
The possible use cases include:
- Microsoft Windows Logon
- VPN authentication
- Secure access to web sites
- Secure email
To applications and processes, the mobile smart card appears as a physical smart card that is inserted when it is detected by a contactless reader (using NFC) or when paired using Bluetooth. For details, refer to the HID Crescendo Mobile Application User Guide.
All applications that support the Microsoft CAPI/CNG framework should work with the mobile smart card.
Mobile Smart Card Management Functions
The following table provides an overview of the ActivID CMS management functions available for mobile smart cards.
| ActivID CMS Operator | End User Using the User Portal |
|---|---|