The default PIVKey security model is compatible with the Microsoft Smart Card Minidriver Specification. It has also been designed to support typical enterprise scenarios, such as user provisioning, and contactless access.
The following are differences with the US Government security model.
| PIVKey Difference | ||
| User Key Generation | Requires User PIN | |
| User Certificate Loading | Requires User PIN | |
| Contactless Access | Allowed for all certificates | |
| Card Authentication Cert | Requires user PIN |
The fact that the Card Authentication Certificate requires a pin code makes it useless for physical access control. Allowing access to all certificates over the contactless interface (and no way for the administrator to disable this capability) is a security liability.
I was really hopeful about this product, but my primary motivation is physical access control. Big disappointment.
Most user of PIVKey use certificates for Logical access only. This provides them with one additional certificate to use. It is a compromise. If you need a standard Card Authentication Certificate, we recommend a standard PIV card.
2 Comments