9.8 Device Authentication

In the Device Authentication method, a device stores the private key and secures it with a PIN. It uses the trusted module or the file system of the device to store unique details of a user, such as private key and PIN.

Advanced Authentication supports the following two forms of Device Authentication method:

NOTE:Ensure users enroll the Device Authentication method using the workstation where they would perform further authentication. Enrollment on one machine and authentication on another machine is not supported.

9.8.1 Windows Trusted Platform Module (TPM)

The TPM chip is a crypto-processor available in Windows workstation to achieve actions, such as generating, storing, and limiting the use of cryptographic keys. Device Authentication supports authentication to Windows workstation and makes use of information available in the chip to authenticate users.

NOTE:Advanced Authentication cannot manage the TPM management. It is possible to manage the TPM virtual smart card and unlocking the same with the tpmsvcmgr command. For more information, see Tpmvscmgr

NOTE:The Virtual Smartcard Module that is part of the operating system manages the lock status of the virtual smart card. With the below pre-conditions if the virtual smart card in the Advanced Authentication Windows Client gets locked after six failed attempts, you can use the tpmvscmgr command to destroy the instance to remove the virtual smart card from the system:

Syntax: tpmvscmgr.exe destroy /instance <instance ID>

Example: tpmvscmgr.exe destroy /instance ROOT\SMARTCARDREADER\0004

Destroying the instance does not delete the enrolled Device Authentication method. However, users are required to re-enroll the Device Authentication method.


Before you configure the Device Authentication method, ensure that user’s system is Windows 10 machine with fully functional TPM as a prerequisite.

Preconfiguration Tasks

The pre-configuration tasks are not required when you allow users to enroll and authenticate with the Device Authentication method through the key pair generation. To set up a Windows workstation for using the TPM virtual smart card, refer to the Microsoft Walkthrough guide and perform the following tasks:

  • Create the certificate template

  • Create the TPM virtual smart card

  • Enroll the certificate on the TPM virtual smart card

Adding the Trusted Root Certificates

You must upload the trusted root certificates for the Device Authentication method. Ensure that the Root CA certificate is in the .pem format. However, the trusted root certificates are not required when you allow users to enroll and authenticate with the Device Authentication method through the key pair generation.

To upload a new trusted root certificate, perform the following steps:

  1. Click the Add icon in the Device Authentication page.

  2. Click Choose File and select the .pem certificate file.

  3. Click Upload.

  4. Click Save.

Disabling the Key-Pair Option

The Allow key-pair option is enabled by default. This indicates that users can enroll the Device Authentication method either with the CA certificates or through the key-pair generation. However, you can set Allow key-pair to OFF to disable the key-pair based enrollment and enforce enrollment only using a user certificate issued by the CA.

9.8.2 Without Using the Trusted Platform Module (Non-TPM)

This mode is supported on Linux, macOS, and Windows operating systems. In this mode, a key pair generates during enrollment and is stored in the file system of workstation rather than the TPM chip. The key pair is secured using the PIN.

To disable the TPM chip in Windows workstation, see Device Authentication Setting.