Best procedures for Unblocking PIN codes using vSEC:CMS
By Declan Inglis, Versasec, Delivery Engineer
With so many organizations realizing they need two-factor authentication to better secure their systems and data, most of them also understand how a credential management system (CMS), like our vSEC:CMS S-Series, can help. One of the most common requests we hear from organizations implementing vSEC:CMS concerns unblocking PIN codes.
Here are the best procedures for unblocking PIN codes for smart cards in each specific situation:
1. How to Unblock a card: When it needs to be done automatically upon card issuance
The traditional way to unblock a smart card uses a PIN Unblock Code (PUC). A PUC is typically generated and automatically delivered to the user when card issuance completes, and vSEC:CMS supports this method. Once an Operator has set up PUC generation under Templates > Card templates and data export under Options > Connections, they simply register and issue the smart card from within Lifecycle, and the PUC is sent via the pre-configured channel. When the user receives it, they can set a new PIN themselves. This is useful not only because the unblock capability is prepared automatically at issuance, but also because it works in an unconnected (offline) setup. The method has a weakness: the PUC is a long-lived secret, so it must be stored and delivered securely. An attacker who obtains both the PUC and the smart card can set a PIN of their own choosing and use the card as if they were the legitimate holder.
2. How to Unblock a card: When the smart card holder CAN visit an Operator
When a smart card holder can physically visit an S-Series Operator, the smart card can be unblocked through the Operator Console. The Operator goes to Actions > Smart Card Unblock and attaches the smart card to be unblocked; details about the managed smart card are then shown on the Operator Console. The smart card holder enters a new PIN that satisfies the PIN policy into the fields provided and clicks the "Unblock" button. The Operator is then prompted to enter their Operator PIN to authenticate and perform the PIN unblock, and a success dialog appears once the unblock has completed. The holder, not the Operator, should type the new PIN, so that the Operator never learns it.
3. How to Unblock a card: When the smart card holder CANNOT visit an Operator
If the smart card holder cannot visit an Operator with access to the vSEC:CMS Operator Console, there are still several ways to unblock a PIN. An offline challenge-response PIN unblock is one of them:
- From a domain-joined client, the user attempts to log on with the blocked smart card. Because the card is blocked, and provided the Windows Group Policy setting "Allow Integrated Unblock screen to be displayed at the time of logon" (Computer Configuration > Administrative Templates > Windows Components > Smart Card) is enabled, the user is informed that the smart card is blocked.
- Clicking OK presents the unblock screen, where the user can generate a challenge.
- The user reads the challenge code to the S-Series Operator, for example by calling the IT Helpdesk. Since the cryptogram the Operator hands back resets the card's PIN, the Helpdesk should verify the caller's identity before continuing, exactly as it would for a password reset.
- The Operator goes to Actions > Smart Card Unblock, clicks Search and selects the user whose smart card requires unblocking.
- The Operator enters the challenge code received from the smart card holder into the Challenge field and clicks the Cryptogram button.
- The console generates a cryptogram; this is the unblock code, which the Operator reads back to the smart card holder.
- The card holder enters the cryptogram together with a new PIN, confirms it and clicks the right arrow button to complete the unblock. Remember that challenge and cryptogram are bound one-to-one: the challenge is only valid for the card session that generated it, so the smart card must not be removed during this operation. If it is, the challenge is invalidated and the procedure must be repeated from the start.
4. How to Unblock a card: When you have enabled the system so users can do it themselves
If a user's smart card was issued from a template that allows user self-service (USS), the user can unblock the card themselves. The user launches the USS (My Smartcard) application, opens the "My PIN" page and selects the "Unblock PIN (Crypto)" radio button, then enters a new PIN that meets the PIN policy, confirms it and clicks the Unblock button. At this point the user must authenticate with an alternative method. The most common is domain authentication (username and password), but an OTP, an unblock code or a secondary IdP can also be used. Once the user has provided the alternative authentication and clicked "OK", a secure channel is set up between the USS client and the S-Series server, and the challenge-response exchange is performed in the background. The unblock then completes and a success dialog appears. Note that the alternative factor sets the effective strength of this unblock path: an attacker holding the blocked card needs only to satisfy it, so choose an OTP or a secondary IdP over a password alone where the risk warrants.
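To make the two mechanisms concrete, here is an added example, not vSEC:CMS code and not Versasec's algorithm: a small Python model of a card with a PIN retry counter that can be unblocked either with the PUC escrowed at issuance (section 1) or by the challenge-response exchange of section 3 (the same exchange that the USS client of section 4 runs in the background over its secure channel), where the card issues a nonce and the Operator Console answers with a cryptogram computed under a per-card key. The PIN policy, the key diversification from a master key and card serial, the retry limit, and the HMAC-SHA256 cryptogram are assumptions chosen for the illustration; the product's real formats are not documented on this page.

```python
# Added example (not vSEC:CMS code): a model of the two unblock mechanisms in
# the article, a PUC set at issuance and an offline challenge-response unblock.
# Key diversification, retry limit and cryptogram construction are assumptions.
import hashlib
import hmac
import secrets

MAX_PIN_TRIES = 3   # assumption: wrong PINs allowed before the card blocks


def pin_meets_policy(pin: str) -> bool:
    """Example policy (assumption): 6-8 digits, not all identical, not a run like 123456."""
    if not (6 <= len(pin) <= 8 and pin.isdigit()) or len(set(pin)) == 1:
        return False
    steps = {int(b) - int(a) for a, b in zip(pin, pin[1:])}
    return steps not in ({1}, {-1})


def diversify(master_key: bytes, serial: bytes) -> bytes:
    """Per-card admin key = MAC(master key, serial): one console secret serves every card."""
    return hmac.new(master_key, b"admin-key:" + serial, hashlib.sha256).digest()


def cryptogram(admin_key: bytes, challenge: bytes) -> str:
    """Unblock code for a challenge: HMAC-SHA256 under the card's admin key, 8 bytes, hex."""
    return hmac.new(admin_key, challenge, hashlib.sha256).digest()[:8].hex().upper()


class SmartCard:
    """Card side: PIN with retry counter, escrowed PUC, diversified admin key."""
    def __init__(self, serial: bytes, pin: str, puc: str, admin_key: bytes):
        self.serial = serial
        self._pin, self._puc, self._admin_key = pin, puc, admin_key
        self.pin_tries_left = MAX_PIN_TRIES
        self._challenge = None  # outstanding nonce; None once consumed or card removed

    def blocked(self) -> bool:
        return self.pin_tries_left == 0

    def verify_pin(self, pin: str) -> bool:
        if self.blocked():
            return False
        if hmac.compare_digest(pin, self._pin):
            self.pin_tries_left = MAX_PIN_TRIES
            return True
        self.pin_tries_left -= 1
        return False

    def unblock_with_puc(self, puc: str, new_pin: str) -> bool:
        """Section 1: card + PUC is all it takes, so the PUC escrow needs real protection."""
        if not (pin_meets_policy(new_pin) and hmac.compare_digest(puc, self._puc)):
            return False
        self._set_pin(new_pin)
        return True

    def generate_challenge(self) -> str:
        """Section 3: the logon unblock screen asks the card for a fresh 8-byte nonce."""
        self._challenge = secrets.token_bytes(8)
        return self._challenge.hex().upper()

    def remove(self) -> None:
        """Pulling the card ends the session; the outstanding challenge dies with it."""
        self._challenge = None

    def unblock_with_cryptogram(self, cryptogram_hex: str, new_pin: str) -> bool:
        """Sections 3/4: check the console's answer; a live challenge is consumed either way."""
        if self._challenge is None or not pin_meets_policy(new_pin):
            return False
        expected = cryptogram(self._admin_key, self._challenge)
        self._challenge = None
        if not hmac.compare_digest(cryptogram_hex.upper(), expected):
            return False
        self._set_pin(new_pin)
        return True

    def _set_pin(self, new_pin: str) -> None:
        self._pin = new_pin
        self.pin_tries_left = MAX_PIN_TRIES


class OperatorConsole:
    """Server side: holds the master key and answers a challenge for a given serial."""
    def __init__(self, master_key: bytes):
        self._master_key = master_key

    def cryptogram_for(self, serial: bytes, challenge_hex: str) -> str:
        return cryptogram(diversify(self._master_key, serial), bytes.fromhex(challenge_hex))


def issue_card(master_key: bytes, serial: bytes, initial_pin: str):
    """Issuance: bind the card to its diversified key and generate the 8-digit PUC the CMS delivers."""
    puc = "".join(secrets.choice("0123456789") for _ in range(8))
    return SmartCard(serial, initial_pin, puc, diversify(master_key, serial)), puc


def helpdesk_unblock(card: SmartCard, console: OperatorConsole, new_pin: str,
                     card_removed: bool = False) -> bool:
    """The section 3 exchange end to end: card -> challenge -> console -> cryptogram -> card."""
    challenge = card.generate_challenge()                   # user reads this to the Helpdesk
    code = console.cryptogram_for(card.serial, challenge)   # Operator clicks Cryptogram
    if card_removed:
        card.remove()                                       # user pulls the card mid-procedure
    return card.unblock_with_cryptogram(code, new_pin)
```

Two properties of the model are the ones worth carrying over to a real deployment: the cryptogram is only as secret as the master key behind the Operator Console, and a challenge is consumed by the first cryptogram presented against it, so a code read out over the phone cannot be replayed later or used after the card has been pulled and re-inserted.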
To learn more about how to effectively implement and use vSEC:CMS S-Series, visit our video tutorial page, https://versasec.com/vsec-cms-videos.php.
Tags: two-factor, authentication, smartcard, cybersecurity, identitymanagement, smb.