Using IDEMIA Smart Cards (Windows)
Security key/smart card support for HYPR RP Applications must first be enabled in the Control Center under Workstation Settings.
You also need to enable Smart Card pairing as part of your HYPR Passwordless configuration. See HYPR Passwordless Manual Installation instructions for full details on how to configure these options.
Calls for pairing (registering) a smart card/passkey with an RP Application, including updating Recovery PINs, are described under RP Applications > Workstation > Security Keys in the HYPR Passwordless API.
This document describes how to manage IDEMIA smart cards for the HYPR Passwordless client.
Definitions
Acronym | Definition |
---|---|
PIN | A personal identification number (PIN) is a set of characters used to unlock the smart card for use. The PIN is a local (decentralized) secret that the user should not share; it is bound to the authenticator and is what unlocks it. See the securityKeyPinCharacters configuration parameter description in Installing Manually. |
PUK | A PIN unblocking key (PUK) is a code that users or applications use to reset a PIN that has been lost, forgotten, or locked after too many failed attempts. The PUK is part of the PIV standard that the card follows. |
PIV | Personal Identity Verification, often shortened to "PIV card", commonly refers to the United States Federal smart card that carries the data needed to grant the cardholder access to Federal facilities and information systems at the appropriate level of security for Federal use. The term is also used more generally for such devices and for the associated protocols and standards used to authenticate users securely. |
IDEMIA smart cards work with the HYPR Passwordless client for Windows.
Registration
- Open the HYPR Passwordless client.
- Click Start Pairing. You will be given a choice of pairing a Smartphone or pairing with a Security Key.
- Select Smart Card to continue.

  Connect First: Make sure you are connected to your secure network, or a warning will appear when you click Start Pairing. If this occurs, connect to your secure network and click Try again.
- You will be asked to set a PIN for the smart card. Type the PIN once, then confirm it by typing it again in the second field. Click Pair.

  PIN Requirements:
  - The PIN must be between 6 and 8 characters
  - Users are not allowed to choose repeating digits in PINs, such as 111111
  - The PIN may not be left as the default value of 123456
- You may be asked to wait. Once pairing finishes, you are ready to test it.
- The HYPR Passwordless client returns to the main screen. The paired card now appears there with Edit (pencil icon) and Delete (trash can icon) options.
Authentication
- Insert your paired IDEMIA smart card into the computer's card reader. Windows offers the smart card icon as an additional login option. Click the smart card icon.
- You will be prompted to type your smart card PIN.
- Provided you have entered the correct PIN, HYPR Passwordless logs you in.
Deregistration
When unpairing a method from HYPR Passwordless, make sure you have another means of logging in. If you do not, we recommend pairing another method, such as the HYPR Mobile App, before unpairing your last method.
Unpairing a smart card from HYPR Passwordless does not impact the card's PIN and FIDO2 credentials.
- Open the HYPR Passwordless client.
- Click the trash can icon under the card you wish to remove.
- A warning appears. Click Next to continue or Cancel to go back to the Device Manager.
- Enter the smart card PIN to confirm unpairing, then click Unpair.
- HYPR informs you when unpairing is complete, then returns to the Device Manager.
Changing the PIN on an IDEMIA Smart Card
- Open the HYPR Passwordless client.
- Click the pencil icon under the smart card you wish to update.
- The Update Smart Card PIN dialog opens. Enter the current PIN, then enter the new PIN and confirm it with a second entry. When you are finished, click Update to save the values and return to the Device Manager.
Unlocking the PIN on an IDEMIA Smart Card
When a Windows user who logs in with an IDEMIA smart card forgets their PIN, or locks it by exceeding the maximum number of failed attempts, HYPR Passwordless lets them reset the PIN with an Unlock Code (PIN Unblocking Key, or PUK).
Contact your administrator to obtain the Unlock Code if you do not already have it.
Two conditions permanently lock the smart card. A permanently locked card is unusable and must be replaced:
- If no Unlock Code has been set for the smart card and the PIN is entered incorrectly too many times, so that an Unlock Code-based reset would be required, HYPR Passwordless displays a message stating that the card is permanently locked.
- If the PIN is entered incorrectly too many times, the Unlock Code-based reset is triggered, and the Unlock Code is then also entered incorrectly too many times, HYPR Passwordless displays a message stating that the card is permanently locked.
- If a user has attempted to log in to Windows and locked the IDEMIA smart card by entering an incorrect PIN too many times, HYPR Passwordless informs them and offers an option to reset the PIN.
- Enter the PUK, then enter the new PIN. Confirm the new PIN and click Update.
- If an incorrect Unlock Code is entered, a warning appears stating the number of remaining tries. The typical number of Unlock Code tries is 10; the counter resets after a successful entry. Re-enter the Unlock Code and click Update to save the PIN.
- HYPR Passwordless confirms the successful reset of the PIN. Click Finish to continue.
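The PIN Requirements from the Registration section and the PIN / Unlock Code lockout behaviour described in this section, modelled together as an added Python example. This is constructed illustration code, not HYPR or IDEMIA code and not a PIV applet implementation. It assumes a PIN retry count of 3 (the page does not state the PIN retry count; the Unlock Code count of 10 is the page's "typical" value), reads "repeating digits, such as 111111" as a PIN made of a single repeated character, and holds a PIN set during an Unlock Code reset to the same policy as a PIN set at pairing; all three are assumptions. The sample PIN and PUK values are made up.

```python
"""Constructed model of the PIN / Unlock Code (PUK) behaviour this page describes.
Added example; not HYPR or IDEMIA code, and not a PIV applet implementation."""
from dataclasses import dataclass
from typing import Optional

DEFAULT_PIN = "123456"   # factory value the page says must not be kept
PUK_TRIES = 10           # "typical" number of Unlock Code tries stated on the page
PIN_TRIES = 3            # ASSUMPTION: the page does not state the PIN retry count


class PinPolicyError(ValueError):
    """Raised when a proposed PIN violates the PIN Requirements."""


def check_pin_policy(pin: str) -> None:
    """Enforce the PIN Requirements from the Registration section; raise on violation."""
    if not 6 <= len(pin) <= 8:
        raise PinPolicyError("PIN must be between 6 and 8 characters")
    if len(set(pin)) == 1:
        # ASSUMPTION: "repeating digits, such as 111111" read as every character identical
        raise PinPolicyError("PIN may not repeat a single character")
    if pin == DEFAULT_PIN:
        raise PinPolicyError("PIN may not be left as the default value")


@dataclass
class SmartCard:
    pin: str
    puk: Optional[str] = None    # None models "no Unlock Code has been set"
    pin_tries: int = PIN_TRIES
    puk_tries: int = PUK_TRIES
    permanently_locked: bool = False

    @property
    def pin_blocked(self) -> bool:
        return self.pin_tries == 0

    def verify_pin(self, candidate: str) -> bool:
        """Authentication: True on the correct PIN; a wrong PIN burns one try."""
        if self.permanently_locked or self.pin_blocked:
            return False
        if candidate == self.pin:
            self.pin_tries = PIN_TRIES
            return True
        self.pin_tries -= 1
        if self.pin_blocked and self.puk is None:
            # First permanent-lock condition: PIN blocked and no Unlock Code to recover with
            self.permanently_locked = True
        return False

    def change_pin(self, current: str, new: str) -> bool:
        """'Update Smart Card PIN' dialog: new PIN must pass policy, current PIN must verify."""
        check_pin_policy(new)
        if not self.verify_pin(current):
            return False
        self.pin = new
        return True

    def unblock_pin(self, puk: str, new_pin: str) -> bool:
        """Unlock Code reset: a wrong PUK burns one PUK try; the counter resets on success."""
        if self.permanently_locked or self.puk is None:
            return False
        check_pin_policy(new_pin)   # ASSUMPTION: the reset PIN is held to the same policy
        if puk != self.puk:
            self.puk_tries -= 1
            if self.puk_tries == 0:
                # Second permanent-lock condition: Unlock Code entered wrong too many times
                self.permanently_locked = True
            return False
        self.puk_tries = PUK_TRIES
        self.pin = new_pin
        self.pin_tries = PIN_TRIES
        return True


if __name__ == "__main__":
    card = SmartCard(pin="482913", puk="12345678")   # constructed sample values
    for _ in range(PIN_TRIES):
        card.verify_pin("000000")                     # exhaust the PIN tries
    print("PIN blocked:", card.pin_blocked)
    print("wrong PUK accepted:", card.unblock_pin("87654321", "775533"),
          "PUK tries left:", card.puk_tries)
    print("correct PUK accepted:", card.unblock_pin("12345678", "775533"))
    print("login with new PIN:", card.verify_pin("775533"))
```

The two permanent-lock conditions from this section map to the two places that set permanently_locked: a blocked PIN on a card with no PUK, and an exhausted PUK counter. Once that flag is set, neither the correct PIN nor the correct PUK is accepted, which is the "must be replaced" outcome.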