Managing Security Keys

A Security Key is a smart USB key that can be issued following the same procedures as for physical smart cards. Security Keys are connected through the USB port and do not require a separate reader. For details, see Issuing an Initial Device to a User in Your Directory.

Note: To enroll Security Key devices in the User Portal or the HID CMS Self-Service Portal, this setting must be enabled in the Operator Portal; for details, see Setting Parameters for Devices.

Security Key devices are managed in the Help Desk and offer the same standard functions as physical smart cards.

About Security Keys

Security Key devices support one-time passwords, public-key encryption and authentication, as well as the Universal 2nd Factor (U2F) and FIDO2 protocols. Security Keys provide standard smart card operations, such as logging on to Windows or sending encrypted emails.

A Security Key can be used with a Windows Mini Driver, with ActivClient, and with other PIV-compliant middleware. It is protected by a PIN, offering a two-factor authentication model.

Note:
  • If using ActivClient, version 7.2.1 or higher is required to support YubiKey devices. However, ActivClient is not required if you are using the ActivID CMS Client with a Chrome or Edge browser.

  • The current version of ActivID CMS is only compatible with YubiKey 5 or YubiKey 5 FIPS.

  • YubiKey devices issued by CMS use compressed certificates, which are not supported currently by the YubiKey Minidriver. As a result, for the time being, it is not possible to use the YubiKey Minidriver with a YubiKey device issued using CMS.

A Security Key can be used to secure access to any services that support OATH-HOTP (Open Authentication, HMAC-based One-Time Password; event-based) functionality.

Prerequisites for Using Security Keys

Important:
YubiKey 4 FIPS devices are deprecated starting with ActivID CMS 6.3.

Crescendo Key Profile

ActivID CMS provides a dedicated profile for Crescendo Key devices.

PIV / CIV - Crescendo Key

Profile name: PIV / CIV - Crescendo Key

Profile description: PIV profile for Crescendo Key V3

Supported features:

  • Personalization of up to 24 PIV PKI key objects (PIV Authentication, PIV Digital Signature (PIN Once), PIV Card Authentication, PIV Encryption, and 20 Retired Key Management Keys) loaded by ActivID CMS

  • PIV EP Buffer Objects: Discovery Object, CHUID, CCC, Printed Information, Key History Object, Facial Image, Iris, Fingerprints, Security Object

  • FIDO (CTAP2 / U2F support)(*)

  • PIN is shared between the PKI and FIDO applets

  • OATH HOTP, TOTP and OCRA support

PIN Policy:

  • Minimum PIN length – 4 characters

  • Maximum PIN length – 25 characters

  • Maximum number of PIN tries – 15

  • Allow Weak PIN – No

  • Force PIN to be Changed on First Card Usage – No

  • Force PIN to Contain Only Digits – Yes

(*) During a recycle operation (that is, device re-issuance), the FIDO credentials are reset.

YubiKey Profiles

ActivID CMS also provides dedicated profiles for YubiKey devices.

YubiKey FIPS Profile

Profile name: YUBIKEY FIPS

Profile description: Profile for YubiKey FIPS

Supported features:

  • Personalization of up to 24 PIV PKI key objects with 2048-bit keys (PIV Authentication, PIV Digital Signature, PIV Key Management Key, PIV Card Authentication, 20 Key Management Keys) loaded by ActivID CMS

  • PIV EP Buffer Objects

  • 1 synchronous OATH_HOTP Object loaded by ActivID CMS

  • PIN, PIV AUTHENTICATION, CHUID and Printed Information objects are mandatory. All other objects are optional

PIN Policy:

  • Minimum PIN length – 6 characters

  • Maximum PIN length – 8 characters

  • Maximum number of PIN tries – 15

  • Allow Weak PIN – No

  • Force PIN to be Changed on First Card Usage – No

  • Force PIN to Contain Only Digits – Yes

Note: The YUBIKEY FIPS profile can also be used to issue YubiKey 5 devices after associating the pre-issuance ID with the appropriate ATR. However, OATH application personalization is not supported on YubiKey 5 devices.

Important:
You must use the PIV / CIV - YubiKey profile (below) for devices with YubiKey firmware version 5.7.x or higher.

PIV / CIV - YubiKey

Profile name: PIV / CIV - YubiKey

Profile description: PIV / CIV profile for YubiKey and YubiKey FIPS (firmware version 5.3 or higher) with OATH and FIDO

Supported features:

  • Personalization of up to 24 PIV PKI key objects with 2048-bit or 3072-bit keys (PIV Authentication, PIV Digital Signature, PIV Key Management Key, PIV Card Authentication, 20 Key Management Keys) loaded by ActivID CMS

  • PIV EP Buffer Objects

  • OATH HOTP support

  • FIDO support

  • PIN, PIV AUTHENTICATION, CHUID and Printed Information objects are mandatory. All other objects are optional

PIN Policy:

  • Minimum PIN length – 6 characters*

  • Maximum PIN length – 8 characters

  • Maximum number of PIN tries – 15

  • Allow Weak PIN – No

  • Force PIN to be Changed on First Card Usage – No

  • Force PIN to Contain Only Digits – Yes

* If you are using PIV / CIV - YubiKey with firmware version 5.7.x, then you must set the minimum PIN size to 8.

Note: The PIN for YubiKey devices can only be numeric.
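The PIN policies in the profile tables above can be read as a small rule set. The following is an added example written for this page, not code from ActivID CMS or any device firmware: it encodes the three profiles' PIN policies, applies the firmware 5.7.x rule for the PIV / CIV - YubiKey profile, checks a candidate PIN against a policy, and models the device-side retry counter that blocks the PIN after the maximum number of tries. Two points are assumptions, not statements from the page: what "Allow Weak PIN – No" rejects (a single repeated digit or a straight ascending/descending run), and that the 8-character minimum for firmware 5.7.x also applies to anything newer.

```python
"""PIN policy checker modelled on the device profile tables on this page.
Added example code, not part of ActivID CMS. Assumptions (not on the page):
a "weak" PIN is one repeated digit or a strictly ascending/descending run, and
the 8-character minimum for firmware 5.7.x also applies to newer firmware."""
import hmac
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class PinPolicy:
    name: str
    min_length: int
    max_length: int
    max_tries: int
    allow_weak: bool
    digits_only: bool


# Values taken from the profile tables above.
CRESCENDO_KEY = PinPolicy("PIV / CIV - Crescendo Key", 4, 25, 15, False, True)
YUBIKEY_FIPS = PinPolicy("YUBIKEY FIPS", 6, 8, 15, False, True)
YUBIKEY_PIV_CIV = PinPolicy("PIV / CIV - YubiKey", 6, 8, 15, False, True)


def policy_for_yubikey(firmware: str) -> PinPolicy:
    """PIV / CIV - YubiKey policy; firmware 5.7.x raises the minimum PIN length
    to 8 (assumed here to cover 5.7 and anything newer)."""
    major, minor = (int(part) for part in firmware.split(".")[:2])
    if (major, minor) >= (5, 7):
        return replace(YUBIKEY_PIV_CIV, min_length=8)
    return YUBIKEY_PIV_CIV


def is_weak(pin: str) -> bool:
    """Assumed weak-PIN definition: one repeated character (1111) or a
    strictly ascending/descending run (123456, 87654)."""
    if len(set(pin)) == 1:
        return True
    steps = {ord(b) - ord(a) for a, b in zip(pin, pin[1:])}
    return steps in ({1}, {-1})


def check_pin(pin: str, policy: PinPolicy) -> list[str]:
    """Return the policy violations for pin; an empty list means it is acceptable."""
    problems = []
    if policy.digits_only and not pin.isdigit():
        problems.append("PIN must contain only digits")
    if len(pin) < policy.min_length:
        problems.append(f"PIN shorter than {policy.min_length} characters")
    if len(pin) > policy.max_length:
        problems.append(f"PIN longer than {policy.max_length} characters")
    if not policy.allow_weak and is_weak(pin):
        problems.append("weak PIN (repeated digit or sequential run)")
    return problems


class PinVerifier:
    """Model of the device retry counter: a wrong PIN consumes one try, a correct
    PIN restores the full count, and the PIN is blocked once no tries remain."""

    def __init__(self, pin: str, policy: PinPolicy):
        if check_pin(pin, policy):
            raise ValueError("PIN does not satisfy policy " + policy.name)
        self._pin = pin.encode()
        self._max_tries = policy.max_tries
        self.tries_left = policy.max_tries

    @property
    def blocked(self) -> bool:
        return self.tries_left == 0

    def verify(self, candidate: str) -> bool:
        if self.blocked:
            return False
        if hmac.compare_digest(candidate.encode(), self._pin):
            self.tries_left = self._max_tries
            return True
        self.tries_left -= 1
        return False


if __name__ == "__main__":
    for pin, policy in [("2481", CRESCENDO_KEY), ("2481", YUBIKEY_FIPS),
                        ("123456", YUBIKEY_FIPS), ("248163", policy_for_yubikey("5.7.1"))]:
        print(f"{pin!r} under {policy.name}: {check_pin(pin, policy) or 'OK'}")
```

The same PIN ("2481") passes the Crescendo Key profile and fails the YubiKey profiles, which is the practical consequence of the different minimum lengths above; the verifier uses a constant-time comparison so that PIN checking does not leak through timing.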

For more details about these device profiles, refer to YubiKey Profiles.

Authenticating with Security Keys

Once issued, the Security Key offers the same security and authentication functions as a physical smart card. All users have to do is plug the device into the USB port and press its button to generate an OTP (if applicable).

Note:
  • The use of OTPs for authentication must be configured beforehand using the ActivID Authentication Server.

  • When using a French keyboard, the Caps Lock key must be enabled in order for OTPs to be generated correctly.
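The OTP that the key emits when its button is pressed (see the OATH-HOTP support listed in the profiles above) is an event-based HOTP value, and the authentication server has to accept it even when a few button presses never reached the server. The following is an added example written for this page, not code from ActivID CMS, the ActivID Authentication Server or any Security Key firmware: the RFC 4226 HOTP computation, a model of the device advancing its counter on each press, and a model of the server check with a look-ahead window that also prevents replay of an accepted OTP. The secret and the expected values are the RFC 4226 Appendix D test vector; the two classes and the window size of 10 are assumptions made for the example.

```python
"""OATH-HOTP (RFC 4226) with a simplified device and server model.
Added example code, not from ActivID CMS or any device firmware. The secret
is the RFC 4226 test-vector secret; HotpDevice, HotpVerifier and the
look-ahead window of 10 are assumptions made for this example."""
import hashlib
import hmac
import struct

RFC4226_SECRET = b"12345678901234567890"  # RFC 4226 Appendix D test secret


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP(K, C) = Truncate(HMAC-SHA-1(K, C)) mod 10^digits, with C as an 8-byte big-endian counter."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                      # dynamic truncation offset
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class HotpDevice:
    """Model of the key: each button press emits the OTP for the current counter, then advances it."""

    def __init__(self, secret: bytes):
        self._secret = secret
        self._counter = 0

    def press_button(self) -> str:
        otp = hotp(self._secret, self._counter)
        self._counter += 1
        return otp


class HotpVerifier:
    """Model of the server: an OTP is accepted only for a counter in
    [next, next + look_ahead); on success the server moves past that counter,
    so an accepted OTP cannot be replayed and an OTP older than the last
    accepted one is rejected, while a few unsent presses do not desynchronise the key."""

    def __init__(self, secret: bytes, look_ahead: int = 10):
        self._secret = secret
        self._look_ahead = look_ahead
        self._next_counter = 0

    def verify(self, otp: str) -> bool:
        for counter in range(self._next_counter, self._next_counter + self._look_ahead):
            expected = hotp(self._secret, counter)
            if hmac.compare_digest(expected.encode(), otp.encode()):
                self._next_counter = counter + 1
                return True
        return False


if __name__ == "__main__":
    device = HotpDevice(RFC4226_SECRET)
    server = HotpVerifier(RFC4226_SECRET)
    first = device.press_button()           # counter 0 -> 755224
    print("first press accepted:", server.verify(first))
    skipped = device.press_button()         # counter 1, never sent to the server
    third = device.press_button()           # counter 2, found by the look-ahead
    print("third press accepted:", server.verify(third))
    print("late delivery of skipped OTP accepted:", server.verify(skipped))
    print("replay of third OTP accepted:", server.verify(third))
```

The look-ahead window is the trade-off to tune on the server: large enough that accidental button presses do not lock the user out, small enough that a guessed 6-digit value has few chances to match.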

The possible use cases include:

  • Microsoft Windows Logon

  • VPN authentication

  • Secure access to web sites

  • Secure email