Security Device Modes and Profiles
Smart cards and keys can be managed centrally (managed devices Smart cards, USB keys, or other security devices administered and controlled through a management platform or system, typically used for secure authentication, encryption, or access control in enterprise environments.) or used in standalone mode (standalone devices Security device with pre-loaded applets issued by the manufacturer.). The available actions depend on the device's management mode and profile: the mode defines how the device is managed, while the profile defines the device configuration and supported operations. This affects what end users can do, especially in these areas:
-
Initialization (personalization): Setting the initial PIN A numeric or alphanumeric code used to authenticate a user to a system, typically known only to the user and the system. and PUK PIN Unblock Key. A code used to reset the personal identification number (PIN) in devices after they have been locked due to multiple incorrect PIN entries. on the device.
-
Unblocking: Unblocking the device after the PIN is entered incorrectly too many times, while preserving existing credentials.
-
Recycling (resetting): Erasing all credentials from the device.
-
Card update: Automatically updating the content of an HID CMS HID Credential Management System (formerly known as ActivID Credential Management System) is a web-based, smart card, credential and application lifecycle management system. HID CMS augments and works in concert with an enterprise’s primary identity management infrastructure components, including popular directory, database, and PKI components.-managed smart card or key.
Standalone Mode
In standalone mode, smart cards and keys are not centrally managed. Users have full access to all functionalities provided by the device via ActivClient. Devices in this mode are delivered with applets A small, subordinate application on the token designed to perform specific tasks. configured with a default standalone profile.
-
HID Global Crescendo 4000 Card
-
HID Global Crescendo Key V3 (4000 Series)
-
HID Global Crescendo 2300 Card
-
HID Global Crescendo Key (2300 Series)
-
HID Global Crescendo 1150 Card
-
HID Global Crescendo 144K Card
Initialization (Personalization)
-
Users can personalize their device and set a PIN and a PIN unblock key (PUK PIN Unblock Key. A code used to reset the personal identification number (PIN) in devices after they have been locked due to multiple incorrect PIN entries.).
Unblocking
-
Users can unblock their device using the static PUK provided during personalization and set a new PIN.
Recycling (Resetting)
-
Users can recycle their device using the PIN.
Card Update
-
Not available
HID CMS-Managed Mode
If security devices are managed through HID Credential Management System (CMS), they may be delivered with or without applets, depending on the device model.
Initialization (Personalization)
-
Security devices are initialized and managed by HID CMS HID Credential Management System (formerly known as ActivID Credential Management System) is a web-based, smart card, credential and application lifecycle management system. HID CMS augments and works in concert with an enterprise’s primary identity management infrastructure components, including popular directory, database, and PKI components., including applet A small, subordinate application on the token designed to perform specific tasks. loading and the loading of user credentials such as certificates.
Unblocking
-
Users can unblock their security devices:
-
Online using the HID CMS Self-Service Portal
-
Via ActivClient Console using the challenge/response mechanism
Note: This method is available only with some device profiles. For further information, refer to the HID CMS documentation. -
Via the native Windows unblock screen using the challenge/response mechanism
Note: This method is available only with some device profiles. See Unblock PIN via the Windows Unblock Screen for more information.
-
Recycling (Resetting)
-
Security devices can be recycled using HID CMS.
Card Update
-
The Card Auto-Update feature in ActivClient allows users to securely update the content of their security devices (applets and credentials) using the HID CMS Self-Service Portal.
US Department of Defense Common Access Card (CAC) Mode
In the US Department of Defense (DoD) Common Access Card (CAC) mode, ActivClient uses the devices in read-only mode for usage operations (PKI services and demographic data), in compliance with the DoD middleware requirements.
In addition, the Change PIN functionality is supported.
-
CAC v2
-
CAC Next Generation NG
-
CAC PIV End-Point, with the PIV Authentication certificate "activated" or not for the GSC-IS interface
-
CAC PIV End-Point with the CAC 2.7.x applet
For the list of supported card platforms, see Smart Cards and USB Keys.
Initialization (Personalization) and Issuance
-
Provided by the DoD.
Unlocking
-
Provided by the DoD.
Recycling (Resetting)
-
Provided by the DoD.
Card Update
-
Provided by the DoD.
US Government PIV Mode
This mode refers to:
-
PIV (Personal Identity Verification) and PIV-I (PIV-Interoperable) cards compliant with NIST Special Publication 800-73-4
-
CIV (Commercial Identity Verification) and PIV-like cards (PIV interface, with additional flexibility in terms of card content and policies)
ActivClient uses PIV devices in read-only mode for usage operations (PKI services and demographic data), in compliance with the PIV specifications.
In addition, the Change PIN functionality is supported.
-
Cards with the ActivID PIV applet suite
-
HID Global pivCLASS
-
HID Global Crescendo 144K FIPS
-
HID Global Crescendo PIV
-
HID Global Crescendo 4000 Card
-
HID Global Crescendo Key V3 (4000 Series)
-
HID Global Crescendo 2300 Card
-
HID Global Crescendo Key (2300 Series)
-
HID Global Crescendo Key FIPS
-
HID Global Crescendo Key FIPS CL
-
IDEMIA Cosmo 8.1 with ID-One PIV 2.4.1
-
IDEMIA Cosmo 8.2 with ID-One PIV 2.4.2
-
IDEMIA Cosmo 8.1 with ID-One PIV 2.4.1 CL
-
IDEMIA Cosmo 8.2 with ID-One PIV 2.4.2 CL
-
Thales IDCore 3230
-
Yubico YubiKey FIPS
-
Yubico YubiKey 5
Initialization (Personalization) and Issuance
-
Security devices can be issued via HID Credential Management System (CMS) (PIV-compliant) or other smart card management systems.
Unblocking
-
Per the FIPS 201 specification, unblocking a device (referred to as a "PIN Reset") must be performed in the presence of an Issuance Officer with biometric verification of the cardholder.
-
The PIN unblock functionality in ActivClient is not available for PIV devices; however, PIN unblocking can be performed using HID CMS HID Credential Management System (formerly known as ActivID Credential Management System) is a web-based, smart card, credential and application lifecycle management system. HID CMS augments and works in concert with an enterprise’s primary identity management infrastructure components, including popular directory, database, and PKI components..
Recycling (Resetting)
-
Security devices can be recycled using HID CMS.
Card Update
-
The Card Auto-Update feature in ActivClient allows users to securely update the content of their security devices (applets and credentials) using the HID CMS Self-Service Portal.
ActivClient also supports PIV extensions (also known as PIV-like or PIV+). In this configuration, ActivClient enables using the card following the card profile and policies used during the HID CMS-based card issuance.
Examples:
-
The PIN can be unblocked using a challenge/response mechanism.
-
The PIN might not be required for signature operations (leveraging the ActivClient PIN Caching service).
-
Additional credentials (certificates or one-time passwords) might be available.