Say goodbye to passwords with

Windows 8 virtual smart card management

Background
Passwords are dead has long been a mantra within the security
industry. Recently, more and more examples of data loss and
sponsored hacking show that information and systems protected by
passwords alone are a data leak waiting to happen.
Smart cards offering two-factor authentication (something I have the card, and something I know - the PIN) are often used to
significantly enhance security as both factors need to be present to
authenticate the cardholder.
Smart cards provide additional security features, making them an
ideal secure storage device for identification credentials:
Keys are non-exportable, meaning they cannot be copied
Signing operations occur on the device itself, meaning keys are
never exposed on the client
The device is tamper resistant; attempts to physically alter the
device will render it unusable

The challenge
Although two-factor authentication undoubtedly increases security,
some organizations do not wish to invest the time and money
required to deploy and issue smart cards. The cost and complexity of
supplying cards, readers and potentially card middleware to each user
can be enough to make some organizations stay with their insecure
password-based systems.

Virtual smart cards

Microsoft Windows 8 introduces the concept of virtual smart cards
(VSCs). VSCs make use of the Trusted Platform Module (TPM) - a
dedicated secure hardware processor built into the majority of PCs
available today. The TPM provides a similar level of security to a smart
card, in that keys are stored and used in a cryptographically secured
environment. VSCs are created on the TPM and operate in an
identical manner to smart cards plugged into a smart card reader. In
effect a VSC is a smart card that is always inserted.

Key features of MyID VSC management

Simple self-service provisioning of VSCs and certificates to

TPM-equipped devices such as laptops and tablet devices
running Microsoft Windows 8
Allows securing of cloud services such as Microsoft Office
365
Integrates with existing Microsoft infrastructure such as
Active Directory, Microsoft FIM and Microsoft Certificate
Services
Supports key recovery, allowing VSCs to be used for
secure email
Supports multiple VSCs per TPM, allowing devices to be
shared by multiple users with distinct identities
Option to only issue VSCs to known users on known devices,
allowing control of who has access to resources and from
which device

rights. This method allows the VSC to be removed immediately,

preventing its use.
The TPM also features an anti-hammering lock, which is activated by
continuous incorrect PIN entries and incrementally increases the
amount of time that must elapse between subsequent attempts.
Using MyID, this can be reset over the network by an administrator if
it can be verified that the attempts were genuine errors by the smart
cards owner.
The secure audit and reporting built into MyID ensures that
organizations are in full control of which identities and credentials are
in use and which can be trusted.

The MyID solution

Like any secure device and credential, VSCs need to be managed.
MyID from Intercede provides VSC management capabilities from
issuance through to credential end of life. Linking to user data stores
MyID effectively binds the person to the VSC. This chain of trust is
essential to ensure that the user is who they claim to be and that the
credential on the VSC can be trusted.
MyID provides all of the lifecycle management features required to
effectively implement large scale credential roll-outs,
including unlock, key recovery, certificate
renewal and revocation. It is also
possible to remotely erase a VSC from
a TPM if, for example, an employee leaves
the organization and should therefore no longer have access

ID anywhere mobile smart cards devices

How does it work?

Lifecycle management

MyID acts as a link between the user data store, credentialing

authority (PKI), devices (TPM-equipped laptop or tablet) and the user.
The sequence below is a typical example of initial provisioning:
1. The user is already using a laptop or tablet equipped with an
embedded TPM, but is logging on to the domain with a username
and password
2. Either an IDMS (such as Microsoft FIM) instructs MyID to issue a
VSC to the user, or a MyID operator uses MyID to select the user
needing the VSC from the directory
3. MyID generates a job to be collected
4. The next time the user logs onto Windows they are notified that
they have a VSC to collect
5. The user decides to collect the VSC now and is guided through a
simple self-service app
6. During the self-service process MyID communicates securely with
the TPM to create a VSC
7. MyID prompts the user to choose and verify a PIN for the VSC
8. MyID then generates keys on the VSC via the cryptographic
functions build into Windows 8 (no middleware is required)
9. Private keys remain protected by the TPM and public keys are
formed into a certificate request
10. MyID sends the certificate request to the certificate authority (CA),
e.g. the certificate services capability built into the Windows Server
11. MyID retrieves the certificates from the CA
12. MyID writes the certificates to the VSC
13. The process is complete and the user can now use their VSC in the
same manner as a physical smart card

In addition to issuing VSCs, MyID provides full lifecycle management

including:
Remote unlock (VSC becomes locked due to incorrect PIN entries
while the user is offline)
Temporary VSC replacement (forgotten laptop)
Permanent VSC replacement (new laptop)
VSC recovery, including archived encryption keys (lost laptop)
Remote revocation of VSC (stolen laptop)
Remote erasure of VSC (user no longer has access rights)
Remote reset of TPM anti-hammering lock (multiple incorrect
PIN attempts)

What can VSCs do for you?

Enhance security by using commercial off-the-shelf (COTS)
products; user authentication can be enhanced quickly
and efficiently
Save you money on the purchase of smart cards and readers VSCs can be deployed with no material cost and do not suffer from
the normal wear and tear associated with physical cards
Two-factor authentication to secure cloud services allows you to
ensure that only users with strong credentials and appropriately
configured devices have access to online services
Make credentials less likely to become lost or misplaced as they are
bound to devices that the owner uses on a day to day basis. Owners
are also likely to notice the loss of these devices more quickly than
they might with a conventional smart card

Dustin Ingalls, Microsoft Group Program Manager for Windows Security and Identity, said: Most enterprise mobile computer
platforms available on the market today ship with Trusted Platform Modules (TPM) already installed. A key security benefit of Microsofts
Windows 8 is its ability to easily configure the TPM to do a number of things including the ability to function as Virtual Smart Cards (VSC).
We believe VSCs will change the way mobile computer users will assert their trusted identities in cyberspace and collaborated closely with
Intercede to ensure that VSCs can be managed out-of-the-box using the MyID identity and credential management system. This means
that Windows 8 customers have immediate access to an end-to-end solution for creating and managing the assured identities of
employees and consumers. We chose to work with Intercede because of MyIDs ease of deployment and advanced technical features.

FO/VSC/L/USEN/140123

+1 888 646 6943 info@intercede.com www.intercede.com @intercedeMyID