6.8 Device Authentication

In the Device Authentication method, a device stores the private key and secures it with a PIN. It uses the trusted module or the file system of the device to store unique details of a user, such as private key and PIN.

Advanced Authentication supports the following two forms of Device Authentication method:

NOTE: Ensure that users enroll the Device Authentication method on the workstation where they will perform subsequent authentications. Enrolling on one machine and authenticating on another is not supported.

6.8.1 Windows Trusted Platform Module (TPM)

The TPM chip is a crypto-processor available in a Windows workstation that performs actions such as generating, storing, and limiting the use of cryptographic keys. Device Authentication supports authentication to a Windows workstation and uses the information available in the chip to authenticate users.

NOTE: Advanced Authentication does not manage the TPM itself. You can manage the TPM virtual smart card, and unlock it, with the tpmvscmgr command. For more information, see Tpmvscmgr.

NOTE: The Virtual Smartcard Module that is part of the operating system manages the lock status of the virtual smart card. With the preconditions described below, if the virtual smart card in the Advanced Authentication Windows Client gets locked after six failed attempts, you can use the tpmvscmgr command to destroy the instance, which removes the virtual smart card from the system:

Syntax: tpmvscmgr.exe destroy /instance <instance ID>

Example: tpmvscmgr.exe destroy /instance ROOT\SMARTCARDREADER\0004

Destroying the instance does not delete the enrolled Device Authentication method. However, users are required to re-enroll the Device Authentication method.
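The recovery step described above, as an added PowerShell example that is not part of the Advanced Authentication documentation. It assumes the TPM virtual smart card reader enumerates under the SmartCardReader PnP class with an InstanceId of the form ROOT\SMARTCARDREADER\<nnnn> (as in the example above) and that tpmvscmgr.exe is run from an elevated session.

```powershell
# Added example (not from the Advanced Authentication documentation): locate the
# TPM virtual smart card reader instance(s) on this workstation and destroy the
# locked one with tpmvscmgr.exe, as described in the note above.
# Assumption: virtual readers enumerate as ROOT\SMARTCARDREADER\<nnnn> in the
# SmartCardReader PnP class; physical readers have non-ROOT instance IDs.

$virtualReaders = Get-PnpDevice -Class SmartCardReader -ErrorAction SilentlyContinue |
    Where-Object { $_.InstanceId -like 'ROOT\SMARTCARDREADER\*' }

if (-not $virtualReaders) {
    Write-Host 'No TPM virtual smart card instances found on this workstation.'
    return
}

# Show what is present so the administrator can confirm the right instance.
$virtualReaders | Format-Table Status, FriendlyName, InstanceId -AutoSize

# Select the instance the Windows Client reports as locked. Here the first
# match is taken; on a machine with several virtual cards, pick it explicitly.
$instanceId = ($virtualReaders | Select-Object -First 1).InstanceId

# Assumption: tpmvscmgr.exe destroy needs administrative rights; fail early if missing.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = [Security.Principal.WindowsPrincipal] $identity
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this script from an elevated PowerShell session.'
}

# Destroy the locked virtual smart card. This does not delete the enrolled
# Device Authentication method, but the user must re-enroll afterwards.
& tpmvscmgr.exe destroy /instance $instanceId
if ($LASTEXITCODE -ne 0) {
    throw "tpmvscmgr.exe destroy failed for $instanceId (exit code $LASTEXITCODE)."
}
Write-Host "Destroyed $instanceId. Ask the user to re-enroll the Device Authentication method."
```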

Prerequisite

Before you configure the Device Authentication method, ensure that the user's system is a Windows 10 machine with a fully functional TPM.

Preconfiguration Tasks

The preconfiguration tasks are not required when you allow users to enroll and authenticate with the Device Authentication method through key pair generation. To set up a Windows workstation to use the TPM virtual smart card, refer to the Microsoft Walkthrough guide and perform the following tasks:

  • Create the certificate template

  • Create the TPM virtual smart card

  • Enroll the certificate on the TPM virtual smart card

Adding the Trusted Root Certificates

You must upload the trusted root certificates for the Device Authentication method. Ensure that the Root CA certificate is in the .pem format. The trusted root certificates are not required when you allow users to enroll and authenticate with the Device Authentication method through key pair generation.

To upload a new trusted root certificate, perform the following steps:

  1. Click the Add icon in the Device Authentication page.

  2. Click Choose File and select the .pem certificate file.

  3. Click Upload.

  4. Click Save.

Disabling the Key-Pair Option

The Allow key-pair option is enabled by default, which means that users can enroll the Device Authentication method either with CA-issued certificates or through key-pair generation. Set Allow key-pair to OFF to disable key-pair based enrollment and enforce enrollment only with a user certificate issued by the CA.

6.8.2 Without Using the Trusted Platform Module (Non-TPM)

This mode is supported on Linux, macOS, and Windows operating systems. In this mode, a key pair is generated during enrollment and stored in the file system of the workstation rather than in the TPM chip. The key pair is secured with the PIN.

To disable the TPM chip in a Windows workstation, see Device Authentication Setting.