9.8 Card

The Card authentication happens in the following cases:

  • When a contactless card is placed on a card reader.

  • When a Near Field Communication (NFC) tag is placed near a smartphone which supports NFC.

    IMPORTANT: Authentication using the NFC tag works only on Android smartphones that support NFC.

    NOTE: Advanced Authentication supports the NFC tag for authenticating to OAuth 2.0/OpenID Connect events, SAML 2.0 events, and the Advanced Authentication portals. To enroll and authenticate using this method, the user must have an Android smartphone that supports NFC and the Google Chrome browser.

  • When a smart card with an integrated token that supports a PKCS#11 library is inserted into the card reader.

    The PKCS#11 library provides a standardized interface for obtaining basic token information and is not used for encryption.

    NOTE: Authentication using a card with an integrated token that supports a PKCS#11 library is supported only on the Windows Client.

    To use this type of card as a Card method, the smart card must be equipped with an integrated token that is compatible with PKCS#11 libraries. Additionally, ensure that your card reader adheres to the PKCS#11 standard.

    Furthermore, to use this reader, you must configure the following parameters in the Device Service:

    • card.pkcs11Enabled

    • pki.vendorModule and associated PKI settings

    For more information, see Configuring the Card Settings and Configuring Smart Card with Token Supporting PKCS#11 Library in the Advanced Authentication - Device Service guide.

    For more information about the supported cards and card readers, see Supported Card Readers and Cards in the Advanced Authentication - Device Service guide.

    NOTE: It is recommended to combine the Card method with another, stronger authentication method in a chain to enhance security. However, it is not advisable to combine the Card method with the PKI method in a chain, because the PKI method already includes card serial number tracking.

To configure the Card method with the NFC tag as a second-factor authenticator to secure an OAuth2 / OpenID Connect based smartphone application, see the following video:

Advanced Authentication supports the Microsoft policy Interactive logon: Smart card removal behavior, which allows you to specify an action on a card event. You can configure the policy to force a log off or to lock the user session when a user places a card on the reader. Only Microsoft Windows supports this policy.

By default, the Enable Tap&Go option is disabled. When this option is disabled, a card must be placed on the reader when a user logs in. When the user removes the card from the reader, the Windows Client runs the action specified in the Interactive logon: Smart card removal behavior policy. When you set this option to ON, users can tap a card, without keeping it on the reader, to perform the following actions (depending on the Interactive logon: Smart card removal behavior policy):

  • To log in

  • To lock a session

  • To log off

NOTE: The policy is supported on Microsoft Windows only and is not supported for the PKI authenticators.

When you enable single sign-on (SSO) for Remote Desktop, the Interactive logon: Smart card removal behavior policy is ignored. You must disable SSO for the policy to take effect.
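Because the Windows Client only relays the card event to whatever Interactive logon: Smart card removal behavior setting is in force, it is worth verifying that setting on the endpoint. The following PowerShell audit is an added example, not part of the Advanced Authentication guide; the Winlogon registry location, the ScRemoveOption value and the SCPolicySvc service name are standard Windows details that this section does not list.

```powershell
# Added example (not from the Advanced Authentication guide).
# Reports the effective "Interactive logon: Smart card removal behavior"
# setting on a Windows Client machine and whether the Windows service that
# enforces it is running. Registry path, value name and service name are
# standard Windows locations, not values taken from this section.

$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

# Documented meanings of the ScRemoveOption value (stored as REG_SZ).
$meaning = @{
    '0' = 'No Action'
    '1' = 'Lock Workstation'
    '2' = 'Force Logoff'
    '3' = 'Disconnect if a remote Remote Desktop Services session'
}

$option = (Get-ItemProperty -Path $winlogon -Name 'ScRemoveOption' `
           -ErrorAction SilentlyContinue).ScRemoveOption
if ($null -eq $option) {
    Write-Output 'ScRemoveOption is not set: the policy is Not Defined, so removing or tapping a card triggers no action.'
} else {
    $key = [string]$option
    $label = if ($meaning.ContainsKey($key)) { $meaning[$key] } else { "unknown value '$key'" }
    Write-Output "Smart card removal behavior: $label"
}

# The setting only takes effect while the Smart Card Removal Policy service runs.
$svc = Get-Service -Name 'SCPolicySvc' -ErrorAction SilentlyContinue
if ($null -eq $svc) {
    Write-Output 'Smart Card Removal Policy service (SCPolicySvc) was not found on this machine.'
} elseif ($svc.Status -ne 'Running') {
    Write-Output "WARNING: SCPolicySvc is $($svc.Status); lock or log off on card removal will not be enforced."
} else {
    Write-Output 'SCPolicySvc is running; the configured removal behavior will be enforced.'
}
```

Run it in an elevated session on the Windows Client machine; if SSO for Remote Desktop is enabled there, remember that the reported setting is ignored regardless of its value.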