8.1 How SecureLogin Uses Smart Cards

This section provides information on the following:

  • Section 8.1.1, Prerequisites

  • Section 8.1.2, Using Smart Card to Log In to Workstation

  • Section 8.1.3, Strong Authentication Methods

8.1.1 Prerequisites

SecureLogin supports ActivClient 6.x and 7.x, and the Microsoft BaseCSP MiniDriver only. ActivClient 6.2 is supported on 32-bit and 64-bit systems on all platforms.

To enable smart card support in SecureLogin, the Use smart card option must be selected during installation, regardless of the administrator's intended setting for the SecureLogin security preference Require smart card is present for SSO and administration operations.

IMPORTANT: Contact NetIQ Support for information on other cryptographic service providers.

Refer to Installing SecureLogin for Smart Cards in the NetIQ SecureLogin Installation Guide for more information on enabling smart card support during installation and deployment.

NOTE: When you use eDirectory to create a certificate for a smart card user, ensure that the key usage options Digital Signature and Key Encipherment are checked.

8.1.2 Using Smart Card to Log In to Workstation

SecureLogin allows a user to alternate their login method by using a smart card.

However, a user can log in by using a smart card to access the SecureLogin credentials only if the smart card option was selected during installation.

If the smart card option is not selected during installation, a user attempting to access SecureLogin on the workstation is forced to log in with his or her username and network password.

8.1.3 Strong Authentication Methods

The following sections explain the strong authentication methods used in SecureLogin.

Advanced Authentication

SecureLogin uses the AAVerify script command to enforce strong security for applications that cannot provide such a mechanism natively. AAVerify can also be implemented to provide user authentication to applications that have no existing authentication interface. Use this command in conjunction with NetIQ Advanced Authentication Framework or NetIQ Modular Authentication Services (NMAS) to force users to log in to the configured application with a smartcard.

For details of the AAVerify application definition command, see the NetIQ SecureLogin Application Definition Guide.

New Functionality in the AAVerify Command

The existing version of the AAVerify command relies on NetIQ Modular Authentication Services (NMAS). Any NMAS-supported method, such as smart card, can be deployed at the back end to process re-authentication requests. In Active Directory environments, similar support is provided by NetIQ Advanced Authentication Framework.

The new AAVerify command was developed specifically to provide a secure method to re-authenticate a user, thus proving the user's identity before injecting the SecureLogin credentials into sensitive applications. In an enterprise or corporate environment, a sensitive application is one to which a SecureLogin application definition that calls for re-authentication is applied.

To process the reauthentication request, the new AAVerify command now takes into account the method by which users are currently logged in, as well as their directory connectivity status.

If users have logged in with a username and password, they are prompted to reauthenticate by using the password, regardless of whether they are offline or online.

If users have logged in with a smart card, they are prompted to reauthenticate by using the original smart card PIN, regardless of whether they are offline or online.

The new AAVerify command is independent of NMAS and can be used to enforce strong user-friendly re-authentication by using a smart card and PIN or password without installing NMAS.

The new AAVerify command caters to a mixed environment where either of the following conditions exists:

  • A user might log in to a number of workstations by using either smart card or password authentication.

  • Several users might log in to one workstation by using either smart card or password authentication.

The New ?IsPin Variable

?IsPin is a new SecureLogin variable available in Microsoft Active Directory mode only.

The ?IsPin variable is automatically generated when a user logs in and stores information on whether the user has logged in to the workstation by using a smart card and PIN, or by using a password.

When the ?IsPin variable is called from an application definition, it indicates the following:

  • If the returned value is true, the user has logged in by using a smart card, and only the PIN value is passed through to SecureLogin.

  • If the returned value is false, the user has logged in with a password.

NOTE: The ?IsPin variable is updated only at login and is not updated at a screen unlock.

Recommended Configuration

The Use smart card option is normally selected based on whether you want SecureLogin users to use a smart card to store their single sign-on data or to encrypt their directory data by using a Public Key Infrastructure (PKI).

If you decide to allow users to log in to their workstations by using a smart card and to reauthenticate against their smart card, the Use smart card option must be selected during installation regardless of the setting of Require smart card is present for SSO and administration operations.

NOTE: We recommend that you use a smart card configuration policy to lock the screen on card removal to ensure that the smart card belongs to the currently logged-in user.

Example Application Definition

The following application definition shows how to call the AAVerify command based on the login method. It uses the Notepad application. After Notepad starts, the AAVerify command is invoked to prompt the user to reauthenticate by using the same method that was used to log in to the workstation.

## Match the Notepad main window
Dialog
   Class Notepad
EndDialog

## Route AAVerify failures and cancellations to the subroutines below
OnException AAVerifyFailed Call AAVerifyFailed
OnException AAVerifyCancelled Call AAVerifyCancelled

## ?IsPin is "true" only when the user logged in to the workstation with a smart card and PIN
If ?IsPin Eq "true"
   AAVerify -method "smartcard" ?result
Else
   AAVerify -method "password" ?result
EndIf
ClearException AAVerifyFailed
ClearException AAVerifyCancelled

## Reauthentication succeeded: inject the stored credentials
Type $username
Type \n
Type $password
Type \n

Sub AAVerifyFailed
   MessageBox "Reauthentication failed."
   EndScript
EndSub

Sub AAVerifyCancelled
   MessageBox "Reauthentication cancelled."
   EndScript
EndSub
## EndSection: "Login Window"

Reauthenticating a Predefined Web Application

If the new AAVerify command is used to reauthenticate a Web browser-based application, or if the Prompt for device authentication for this device option is enabled for Web applications, the predefined application definition for the Web browser must be applied for that particular user to avoid confusion when prompting for reauthentication.

One Time Password

The use of multiple passwords places high maintenance overheads on large enterprises. This results in significant cost where users use and manage multiple logins. Helpdesk calls to reset forgotten passwords, provisioning all passwords when a new employee joins, and deleting logins when an employee leaves can all be costly.

A one-time password (OTP) reduces this cost, particularly with regard to help desk calls to reset a forgotten password, and to ensuring that all passwords are provisioned when a new user starts or deleted when an existing user leaves the organization.

SecureLogin integrates with ActivIdentity’s one time password authentication functionality and provides you access to the GenerateOTP application definition command, which can be used to generate synchronous authentication and asynchronous authentication soft token support for smart card user authentication.

Smart Card Password Login

ActivIdentity’s Smart Card Password Login (SCPL) provides smart card-based Windows login that is not PKI-based. SCPL, when used in conjunction with SecureLogin, stores and manages a user’s Windows login and SecureLogin credentials. It provides efficient network login by allowing a user to simply insert their smart card and enter their PIN.

Smartcard Application Reauthentication

You can configure SecureLogin to reauthenticate an application by using the SecureLogin Administrative Management Utility or the application definition wizard. To do this, enable Prompt for device re-authentication for this application and configure the Re-authentication method.

IMPORTANT: Basecsp.dll supports only smart card authentication. It does not support smart card re-authentication, even in Kiosk mode. To allow re-authentication, use acpkcs.dll.

For more details, see Section 10.0, Reauthenticating Applications.