In the Device Authentication method, a device stores the private key and secures it with a PIN. The method uses the Trusted Platform Module (TPM) or the file system of the device to store the user's unique details, such as the private key and PIN.
Advanced Authentication supports the following two forms of the Device Authentication method: the TPM virtual smart card and key-pair generation.
NOTE: Ensure that users enroll the Device Authentication method on the workstation that they will later use to authenticate. Enrollment on one machine and authentication on another machine is not supported.
The TPM chip is a crypto-processor available in Windows workstations that performs operations such as generating, storing, and limiting the use of cryptographic keys. Device Authentication supports authentication to a Windows workstation and uses the information held in the chip to authenticate users.
NOTE: Advanced Authentication does not manage the TPM itself. You can manage the TPM virtual smart card, including unlocking it, with the tpmvscmgr command. For more information, see Tpmvscmgr.
NOTE: The virtual smart card module that is part of the operating system manages the lock status of the virtual smart card. If the virtual smart card in the Advanced Authentication Windows Client is locked after six failed attempts and both of the following pre-conditions hold, you can use the tpmvscmgr command to destroy the instance and remove the virtual smart card from the system:
The Lockout Options policy is not configured in the Advanced Authentication Server.
The Standard User Individual Lockout Threshold policy is not configured in Windows TPM.
Syntax: tpmvscmgr.exe destroy /instance <instance ID>
Example: tpmvscmgr.exe destroy /instance ROOT\SMARTCARDREADER\0004
Destroying the instance does not delete the enrolled Device Authentication method; however, users must re-enroll the Device Authentication method before they can authenticate again.
Before you configure the Device Authentication method, ensure that the user's system is a Windows 10 machine with a fully functional TPM.
The pre-configuration tasks are not required when you allow users to enroll and authenticate with the Device Authentication method through key-pair generation. To set up a Windows workstation for using the TPM virtual smart card, refer to the Microsoft Walkthrough guide and perform the following tasks:
Create the certificate template
Create the TPM virtual smart card
Enroll the certificate on the TPM virtual smart card
You must upload the trusted root certificates for the Device Authentication method. Ensure that the Root CA certificate is in .pem format. The trusted root certificates are not required when you allow users to enroll and authenticate with the Device Authentication method through key-pair generation.
To upload a new trusted root certificate, perform the following steps:
Click the Add icon on the Device Authentication page.
Click Choose File and select the .pem certificate file.
Click Upload.
Click Save.
The Allow key-pair option is enabled by default. This means that users can enroll the Device Authentication method either with a certificate issued by the CA or through key-pair generation. You can set Allow key-pair to OFF to disable key-pair based enrollment and enforce enrollment only with a user certificate issued by the CA.
This mode is supported on Linux, macOS, and Windows operating systems. In this mode, a key pair is generated during enrollment and stored in the workstation's file system rather than in the TPM chip. The key pair is secured with the PIN.
To disable use of the TPM chip on a Windows workstation, see Device Authentication Setting.
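The following Go program is an added illustration of the key-pair mode described above, not Advanced Authentication's own code: a key pair is generated at enrollment, the private key is stored only wrapped under a PIN-derived key, and authentication is a challenge signature that the server checks against the enrolled public key. The record layout, the PIN derivation and the challenge value are assumptions made for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
)

// Enrollment: hypothetical on-device record; the private key is stored only wrapped under a PIN-derived key.
type Enrollment struct {
	Pub                  ed25519.PublicKey // registered with the server at enrollment
	Salt, Nonce, Wrapped []byte
}
// pinAEAD turns PIN+salt into an AES-GCM wrapper; iterated SHA-256 is illustrative only (use PBKDF2/scrypt).
func pinAEAD(pin string, salt []byte) cipher.AEAD {
	h := sha256.Sum256(append([]byte(pin), salt...))
	for i := 0; i < 100000; i++ {
		h = sha256.Sum256(append(h[:], salt...))
	}
	blk, _ := aes.NewCipher(h[:])
	gcm, _ := cipher.NewGCM(blk)
	return gcm
}
// Enroll generates an Ed25519 key pair and seals the private key with the PIN.
func Enroll(pin string) (*Enrollment, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	e := &Enrollment{Pub: pub, Salt: make([]byte, 16), Nonce: make([]byte, 12)}
	rand.Read(e.Salt)
	rand.Read(e.Nonce)
	e.Wrapped = pinAEAD(pin, e.Salt).Seal(nil, e.Nonce, priv, nil)
	return e, nil
}
// Authenticate unwraps the key with the PIN and signs the challenge; a wrong PIN fails the GCM tag check.
func Authenticate(e *Enrollment, pin string, challenge []byte) ([]byte, error) {
	priv, err := pinAEAD(pin, e.Salt).Open(nil, e.Nonce, e.Wrapped, nil)
	if err != nil {
		return nil, err // wrong PIN: authentication tag mismatch, key never exposed
	}
	return ed25519.Sign(ed25519.PrivateKey(priv), challenge), nil
}
// Verify is the server side: check the signature against the enrolled public key.
func Verify(e *Enrollment, challenge, sig []byte) bool {
	return ed25519.Verify(e.Pub, challenge, sig)
}
```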