ActivID CMS Feature Overview

This section provides a brief overview of the ActivID CMS features.

Badging and User Enrollment

HID offers a range of options to capture user information such as photographs prior to the smart card personalization (a term that refers generically to a card issuance, re-issuance, or update):

Device Issuance

The device issuance process enables a company or an organization to issue smart cards, virtual smart cards, and mobile devices to its employees (or partners or anyone the organization wants to grant access via strong, two-factor authentication). At the end of the issuance process, the authentication device is ready to use for authentication services.

Depending on the type of deployment, issuing a device can include:

  • For smart cards and USB tokens: loading data into the device chip (for example, PKI keys and certificates, one-time password keys, or demographic data),

  • For virtual smart cards: loading PKI keys and certificates into the Trusted Platform Module (TPM) of your Windows device,

  • For mobile devices: loading PKI keys and certificates into your mobile device keystore,

  • For smart cards: printing user-specific information (for example, a user’s name or photograph) onto the card.

An operator uses the ActivID CMS Operator Portal to issue the following device types:

  • Device for a new user,

  • New device for a user already enrolled in the system,

  • Replacement device for an existing user (after a device is lost, damaged, or expired), and

  • Temporary devices (for example, devices issued to contractors).

Device issuance processes depend on the type of device issued. You can issue a device locally or validate it locally. Alternatively, a user can self-enroll, with the binding performed either by the ActivID CMS operator or by the user during the self-enrollment process.

For detailed information about the device issuance process, refer to Issuing Devices and to the ActivID CMS User online documentation.

Post-Issuance Credential Management

ActivID CMS provides a set of functions to manage the devices after they have been issued to users. This section lists the most common post-issuance tasks (the list is not all-inclusive).

  • Unlock Device: If a user repeatedly enters an incorrect PIN, then the device is automatically locked. This device cannot be used again until it is unlocked. ActivID CMS provides various methods for unlocking devices.

  • Add Device Application: Operators can add new applications to devices.

  • Add, Replace, or Remove Digital Certificates: Users can perform the following tasks:

    • Add new certificates to a device.

    • Replace expired certificates with updated certificates.

    • Remove existing certificates from a device.

  • Add SKI Key for Secure Remote Access: Users can add an SKI (Symmetric Key Infrastructure) key to a device to generate one-time passwords used to access resources protected by an ActivID Authentication Server.

  • Add OATH credentials: Users can add an OATH (Open Authentication) application to generate HOTP (event-based one-time password) or TOTP (time-based one-time password).

  • Recycle Device: Credentials and applications are physically removed from the device so that it can be re-issued to another user.

  • Change PIN: Users can change their card’s PIN by accessing the ActivID CMS User Portal.

Help Desk Support

An operator uses the Help Desk to access all services and to provide help to remote users. Help Desk operators can perform the following tasks (the list is not all-inclusive):

  • Manage devices and device requests by:

    • Searching for devices,

    • Suspending devices, and

    • Terminating devices.

  • Retrieve a card’s initial PIN.

  • Support post-issuance requests.

  • Activate emergency credentials.

For more information about the Help Desk, refer to Using the Help Desk.