Use of biometrics to un-lock smart card #3099
Comments
That is already available with Match-On-Card support in the SmartCard-HSM. See the KeyXentic KX 906 token that has an embedded secure element with the SmartCard-HSM applet and 1-to-1 fingerprint matching. @frankmorgner can probably also talk about the GoID card, that has an embedded fingerprint sensor. Technology is available, but market demand is low.
I'm aware that there are card specific technologies available. But I'm more thinking about a vendor agnostic approach that utilizes things like Windows Hello for Business and Conditional Based Access to unlock the smart card with biometrics.
So you want the user to authenticate towards a trusted server, that in turn authenticates against the card? Then you need some challenge response protocol between the card and the server, so that no sensitive information gets lost while the server authenticates against the card. We use TA from BSI TR-03110 for that, which has an EC key on the server that signs a challenge generated by the card. In a large application we use that in addition to the user PIN to ensure that the card is only used in the designated security environment. But server authentication could also be the sole or alternate authentication method.
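As an added illustration of the challenge-response flow described in the comment above (example code, not from the SmartCard-HSM or OpenSC projects, and not the TR-03110 TA wire format), a simplified version in Go: the card issues a random challenge, the server signs it with its EC key, and the card verifies the signature against the provisioned server public key and then clears the challenge so a captured signature cannot be replayed.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// Server holds the EC private key; only its public half is provisioned on the card.
type Server struct{ key *ecdsa.PrivateKey }

// Card stores the trusted server public key and the challenge it last issued.
type Card struct {
	trusted   *ecdsa.PublicKey
	challenge []byte // pending challenge; nil when none is outstanding
}

// NewServer generates a fresh P-256 key pair (in practice a long-lived, HSM-held key).
func NewServer() (*Server, error) {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { return nil, err }
	return &Server{key: k}, nil
}

// GetChallenge draws a fresh 32-byte nonce on the card and remembers it.
func (c *Card) GetChallenge() ([]byte, error) {
	ch := make([]byte, 32)
	if _, err := rand.Read(ch); err != nil { return nil, err }
	c.challenge = ch
	return ch, nil
}

// Sign is the server side: it signs SHA-256(challenge) with its EC key.
// Only the signature crosses the wire, so no secret leaves either party.
func (s *Server) Sign(challenge []byte) ([]byte, error) {
	h := sha256.Sum256(challenge)
	return ecdsa.SignASN1(rand.Reader, s.key, h[:])
}

// Verify is the card side: it checks the signature against the pending
// challenge and clears it, so one challenge accepts exactly one answer.
func (c *Card) Verify(sig []byte) error {
	if c.challenge == nil { return errors.New("no challenge outstanding") }
	h := sha256.Sum256(c.challenge)
	c.challenge = nil
	if !ecdsa.VerifyASN1(c.trusted, h[:], sig) { return errors.New("server authentication failed") }
	return nil
}
```

A real deployment would bind the server key to the card at personalisation time and, as the comment notes, combine this with the user PIN rather than replace it.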
Correct. The server needs to support OAuth2 because I want to utilize Entra ID Conditional Based Access.
That would indeed be the best approach, but as stated above, I could live with saving the PIN in a TPM chip, if the chip is inside a trusted computer.
This is probably not card agnostic, is it? I would need a solution working with CardOS cards but which ideally would work with any card.
If you don't want to use some integrated solution (e.g. GoID card as described above), you are left with stacking and combining different technologies. What is wrong with the process you have depicted (other than you should do it all-local rather than involving some shady web component)? The same process is used locally for some demo Windows Credential Providers, which are storing and recovering the user's (encrypted) password for login instead of a smart card PIN.
Problem Description
From our user base we get more and more often the feedback that it feels outdated to type in a PIN to use the smart card for email decryption or signature, and that they would prefer to use biometrics like face recognition or fingerprint.
Proposed Resolution
I'd like to use this issue to start an open discussion / brainstorming on how this demand could be fulfilled.
After some first conversations with our cyber security team, we could (potentially, details to be clarified), from a risk based perspective, accept the idea that the PIN of a smart card gets stored inside a secure hardware module of the end user's computer (e.g. TPM on Windows / Linux or T2 on Mac) if we can ensure that the end user's computer fulfills certain device trust requirements. In our organization we are using Microsoft Intune to enforce device trust.
My first idea would be to add a server side component that authenticates the user with biometrics (e.g. Windows Hello for Business) and ensures the device trust. This could lead to something like this:
Initial PIN storing
Recurring PIN usage
Steps to reproduce
n/a
Logs
n/a