HID Crescendo C1150 Administration Guide User Manual


HID Global Crescendo C1150 – Administration Guide


November 2013

© 2013 HID Global Corporation. All rights reserved.

ActivClient enables using smart cards with credentials other than PKI keys and
certificates. ActivClient supports one-time passwords (OTP) on the Crescendo C1150
card, enabling organizations to use smart cards for remote access (authentication to
VPNs) even if these systems are not PKI-capable. Organizations that have deployed
an OTP Strong Authentication Server (such as 4TRESS AAA Server) and OTP
hardware tokens or soft tokens can now deploy smart cards to additional users and
enable a mixed OTP token / Crescendo smart card deployment. This enables a smooth
transition to PKI environments.

ActivClient includes a User Console to view and edit the card content (certificates and
other credentials). This console helps identify the certificates on the card, rather than
showing all the certificates loaded on the PC as Windows does. The console also enables
importing keys and certificates into the card, and exporting certificates from the card.
Users can also select a “default certificate” when several Windows Logon certificates are
present on the card.

ActivClient includes utilities to manage the Crescendo smart cards in standalone mode:
initializing, unlocking, and resetting cards. This provides organizations with a simple and efficient
model to deploy and manage smart cards in small deployments when a card
management system may be considered too complex.

ActivClient includes a smart card indicator icon in the Windows notification area, which
helps identify when the card is in use.

ActivClient provides notifications to end users, helping them use and manage their
smart card. For example:
• Certificate expiration notification, informing users that their certificates need to be
  updated before they expire and prevent users from logging on.
• Unattended card notification, reminding users to take their card when they leave
  their workstation.
• No smart card reader notification, informing users when no reader is detected.

ActivClient has close to 100 policies, enabling organizations to configure the
middleware to match their specific security and usability requirements. For example:
• Option to unregister certificates on card removal or logoff: this is a security feature
  for shared workstations.
• PIN cache for increased usability: the ActivClient PIN Cache provides a sort of
  SSO for the PIN: users enter the PIN once and use it for multiple services (Windows
  Logon, secure email, secure web, etc.), securely. PIN Cache policies provide
  the right mix of security and usability; for example, PIN Cache timeout (by default
  15 min – configurable), or “Per-process” PIN cache (one PIN entry per application).

ActivClient supports other smart cards in addition to the Crescendo C1150, and is
certified by NIST and GSA to support the FIPS 201 PIV standard smart cards.