PIN Caching
The ActivClient PIN Caching service allows users to perform operations with their token without entering the PIN for every action, while maintaining the overall security of the solution.
PIN caching behavior is configurable, enabling organizations to balance security (more frequent PIN prompts) and usability (fewer prompts) according to their specific business requirements.
For the PIN Caching policy changes to be applied, you must restart the workstation.
Allow Per-Process PIN Caching
Description
Defines if the PIN cache is shared between Microsoft Windows processes.
Behavior
- Disabled or Not Configured: All processes running in the same session share the same PIN cache.
- Enabled: Each process maintains its own separate PIN cache, preventing PIN sharing across processes.
Enable PIN Caching for "PIN Always" Private Keys
Overview
Some security devices are configured to enforce a PIN prompt for every use of a private key. A common example is the Personal Identity Verification (PIV) card, where the Signature Key is configured with a "PIN Always" policy, as defined in FIPS 201 and NIST Special Publication 800-73.
The purpose of the "PIN Always" policy is to support non-repudiation, ensuring that the user explicitly confirms each cryptographic operation.
ActivClient User Experience Enhancement for PIN Always Devices
To improve usability while maintaining the security intent of the "PIN Always" policy, ActivClient provides an enhanced user experience:
- When the PIN has already been entered and is still stored in the middleware cache, ActivClient allows the user to confirm the use of the key without re-entering the PIN. This maintains the requirement for explicit user action and is compliant with NISTIR 7863 guidelines.
Description
Specifies whether the PIN cache can be used for operations involving private keys with the "PIN Always" setting enforced.
Behavior
- Disabled or Not Configured: The PIN cache cannot be used for operations involving private keys with the "PIN Always" setting enforced.
- Enabled: Users can choose between the following PIN Cache Type options:
  - Full Caching: The PIN is submitted automatically without user action (not FIPS 201 compliant).
  - User Acknowledgment: User action is required for every operation (FIPS 201 compliant). A confirmation dialog ensures non-repudiation.
Note: The User Acknowledgment option complies with NISTIR 7863.
Exclude Executables from ActivClient PIN Cache
Description
Allows you to specify a list of applications excluded from ActivClient PIN cache use.
Behavior
- Disabled or Not Configured: No applications are excluded from HID ActivClient PIN cache use.
- Enabled: Allows adding applications to the exclusion list, preventing them from using the PIN cache.
To Add an Application to the Exclusion List:
In the Options field, click the Show button next to PIN Caching Exclude List. The Show Content dialog appears.
In the Value field, enter the name of the executable file (e.g., excludedapplication.exe). A new row appears, allowing additional file names to be entered.
Click OK to save the list of excluded applications.
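The three policies above interact: the exclusion list overrides everything, per-process caching changes which processes can reuse an entered PIN, and the "PIN Always" setting decides whether a cached PIN yields silent use, a confirmation dialog, or a fresh prompt. The following is an added, illustrative model of that decision logic (constructed example code, not ActivClient's implementation; class and method names are assumptions):

```python
"""Illustrative model of how ActivClient's PIN-caching policies combine.
Constructed example, not the product's code; names are assumptions."""
from dataclasses import dataclass, field
from enum import Enum
from typing import Set, Tuple


class CacheType(Enum):
    FULL = "full"          # PIN submitted silently (not FIPS 201 compliant)
    USER_ACK = "user_ack"  # confirmation dialog, no PIN re-entry (NISTIR 7863)


@dataclass
class Policy:
    per_process_cache: bool = False      # "Allow Per-Process PIN Caching"
    pin_always_cache: bool = False       # "Enable PIN Caching for PIN Always keys"
    cache_type: CacheType = CacheType.USER_ACK
    excluded_exes: Set[str] = field(default_factory=set)  # "Exclude Executables"


@dataclass
class PinCache:
    policy: Policy
    _entries: Set[Tuple[int, int]] = field(default_factory=set)

    def _key(self, session: int, pid: int) -> Tuple[int, int]:
        # Cache is shared per logon session unless per-process caching is on.
        return (session, pid) if self.policy.per_process_cache else (session, 0)

    def store(self, session: int, pid: int, exe: str) -> None:
        """Record that the user entered the PIN from process `pid` of `exe`."""
        if exe.lower() in self.policy.excluded_exes:
            return  # excluded applications never populate the cache
        self._entries.add(self._key(session, pid))

    def decide(self, session: int, pid: int, exe: str, pin_always_key: bool) -> str:
        """Return 'prompt', 'acknowledge' or 'none' for a private-key operation."""
        if exe.lower() in self.policy.excluded_exes:
            return "prompt"                      # exclusion list wins outright
        if self._key(session, pid) not in self._entries:
            return "prompt"                      # nothing cached for this scope
        if not pin_always_key:
            return "none"                        # ordinary key: cached PIN is used
        if not self.policy.pin_always_cache:
            return "prompt"                      # policy disabled: always prompt
        return "none" if self.policy.cache_type is CacheType.FULL else "acknowledge"
```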