vSEC:CMS | Smart Card Lifecycle Management

vSEC:CMS will change your views on how to manage the lifecycle of user authentication credentials (smart cards, USB security keys, tokens). vSEC:CMS is an innovative, easily integrated and cost-effective Smart Card Management Software or Credential Management Software (SCMS or CMS) that will help you deploy and manage credentials within your organization.

What is a Smart Card Management System?

A Smart Card Management System (SCMS) serves as the central command center for your organization’s authentication infrastructure. It is a specialized software solution designed to streamline and secure the entire lifecycle of physical and virtual credentials—from smart cards and USB tokens to FIDO2 authenticators. By bridging the gap between users, directories, and Certificate Authorities (PKI), an SCMS automates complex workflows like batch issuance, PIN management, and certificate renewal. It replaces manual, error-prone processes with a policy-driven approach, ensuring that every credential in your fleet is accounted for, compliant, and easily managed from issuance through to retirement.

 

vSEC:CMS Credential Lifecycle Stages

Orchestrate the entire lifecycle of your organization’s smart cards and secure tokens from a single, centralized console. vSEC:CMS ensures every stage of the credential journey is secure, compliant, and efficient.

 

Diagram of vSEC:CMS Smart Card Management System Lifecycle

1. Registration

Secure Onboarding & Root of Trust. The lifecycle begins by securely attaching new credentials to the system. During registration, vSEC:CMS replaces default manufacturer keys with unique, secure administration keys. This establishes a hardware-backed root of trust, ensuring only authorized administrators can manage the token moving forward.

2. Issuance

Policy-Driven Provisioning. Credentials are effectively “born” when a Credential Template is applied. This stage binds the physical token to a specific user and technical policy, loading necessary certificates or enrolling the device with a FIDO2 Identity Provider (IdP). Support for both individual and batch execution streamlines high-volume rollouts.

3. Activation

Flexible User Enablement. Transitioning to the Active state turns a personalized token into a functional authenticator. vSEC:CMS supports diverse activation workflows to suit your infrastructure:

  • Centralized: Immediate activation by an administrator.
  • Decentralized: Remote activation via User Self-Service, allowing users to securely set their PINs and unblock devices without IT intervention.

4. Inactive Status

Temporary Suspension. When a credential is misplaced or temporarily out of compliance, it can be moved to the Inactive state. This action instantly blocks access to the credential’s administration key without permanently revoking certificates. It provides a secure “pause” button, allowing for easy reactivation if the token is recovered.

5. Locked Status

Automated Security Response. If a user exceeds PIN attempts or an administrator triggers a lock, the credential enters the Locked state to prevent unauthorized access. vSEC:CMS maintains the administrative connection, enabling authorized Helpdesk staff to perform secure remote unblocking workflows and restore user access quickly.

6. Revocation

Immediate Access Termination. When a credential is lost, stolen, or an employee leaves, the Revocation stage ensures immediate security. vSEC:CMS communicates directly with the Certificate Authority (CA) to invalidate certificates, providing a definitive kill-switch that updates revocation lists (CRLs) instantly to protect the network.

7. Retirement

Sustainable Credential Recycling. Maximize your hardware investment with the Retire workflow. This process securely wipes personal data, keys, and certificates from the smart card or token while retaining the device in the system inventory. The sanitized token is then ready to be re-issued to a new user, reducing electronic waste and hardware costs.

8. Deletion

Audit-Ready End of Life. The final stage permanently removes the credential from the active database and releases the associated software license. While the operational data is removed, vSEC:CMS retains comprehensive transaction logs, ensuring your organization maintains full audit compliance even after a credential has left the system.

Vendor Independent

vSEC:CMS is fully functional with minidriver-enabled credentials such as smart cards, USB tokens and virtual smart cards, including Windows Hello for Business (WHfB). It streamlines all aspects of managing credentials by connecting to enterprise directories, certificate authorities, physical access control systems, email servers, log servers, biometric fingerprint readers, PIN mailers… the list goes on. With vSEC:CMS, organizations can issue credentials to employees, personalize them with authentication credentials and manage their lifecycle, all directly from the off-the-shelf product.

Versasec Card Lifecycle Management

Versasec goes beyond basic identity management by offering unparalleled flexibility, advanced PKI/PIV, FIDO2 and RFID capabilities, and seamless integration with identity providers (such as Microsoft Entra ID). This enables organizations to meet their unique identity needs and exceed the requirements of modern security mandates, such as Executive Order 14028.

vSEC:CMS manages the lifecycle of identity credentials (smart cards, security keys, tokens, authenticators), integrating with identity providers (Microsoft Entra ID, Ping Identity, Thales STA), certificate authorities (Microsoft, Keyfactor, DigiCert, Entrust), user directories, smart card printers (Matica, Magicard, HID), hardware security modules (Futurex, Utimaco), and more. This allows businesses to leverage existing IAM infrastructure with leading providers.

Key Differentiators:

  • One platform for PKI and FIDO2 orchestration: Integrates with identity leaders, bringing you the highest number of supported credentials for the orchestration and configuration of your IAM security. Versasec serves your budget, compliance, and IT preferences, performing at the security core of your organization.
  • Unmatched User Experience: vSEC:CMS simplifies credential management for both IT administrators and end-users. Our innovative self-issuance process with identity providers and PKI certificates allows employees to set up authentication devices without IT intervention. For scenarios where self-service is unsuitable, vSEC:CMS offers help-desk management on behalf of users. This streamlines onboarding, especially for remote/hybrid workforces, and eliminates the complexities of traditional self-enrollment methods.
  • Advanced FIDO2 Enterprise Features: Versasec is at the forefront of FIDO2 innovation. We provide centralized management of FIDO2 devices with features like PIN unblock, Relying Party allow lists, and granular control over fingerprint enrollment. This level of control is crucial for enterprise deployment security.
  • Seamless Microsoft Entra ID Integration: vSEC:CMS leverages the latest technology in Microsoft Entra ID, enabling organizations to reach the full potential of Microsoft’s identity platform.
  • Comprehensive IAM: vSEC:CMS offers a single pane of glass for managing all logical and physical (access) authentication needs. It supports multiple authenticators, integrates with existing infrastructure (cloud and on-premises), and provides complete lifecycle management for identity credentials.

Impact:

  • Increased Efficiency: vSEC:CMS drastically reduces IT overhead. For example, pre-registering a PKI, FIDO, or hybrid key with vSEC:CMS takes a tenth of the time compared to traditional enrollment. This efficiency gain is further amplified with batch issuance, integrations, and APIs.
  • Enhanced Security: Our solution strengthens security by protecting enrollment, revocation, and recovery processes. Features like FIDO2 PIN unblock (5 mins vs. hours for manual complete reset and recovery) minimize downtime and mitigate risks associated with temporary replacements with weaker authentication methods.
  • Compliance and Oversight: vSEC:CMS provides comprehensive audit trails and reporting, ensuring compliance with industry regulations and security policies, including NIS2 Directive, GDPR, ENISA, U.S. Executive Order 14028.

Addressing Trends:

Versasec is committed to supporting the global shift towards passwordless phishing-resistant authentication. Our robust PKI and FIDO2 implementation, coupled with identity providers, directly addresses the requirements of Executive Order 14028 and NIST Digital Identity Guidelines. By enabling organizations to adopt PKI, FIDO2 security keys and establish Zero Trust, Versasec creates a more secure digital landscape.

Versasec has more than 15 years of expertise in PKI, and it is with this expertise that we are committed to supporting the global shift toward passwordless phishing-resistant authentication.

“Finally, we can start deploying FIDO2 – this is what we have been waiting for!” – CISO in aeronautics.

KuppingerCole Analysts chose Versasec as one of the first 8 companies to spotlight as a KC Rising Star in 2024, research that spotlights innovation and market alignment in IAM, digital identity, and cybersecurity.

In conclusion, Versasec products are ideal to:

  • Comply with security regulations through high-level security and reduced effort.
  • Improve user experience and oversight through IT on-behalf-of-user management, simplified self-service, and streamlined workflows.
  • Utilize identity investments to their fullest potential for secure and efficient identity management.
  • Satisfy customers’ unique identity needs with a flexible and adaptable solution.

Product News:

We’re happy to announce the arrival of vSEC:CMS 7.2.2 – Enterprise YubiKey Pre-Registration and Lifecycle Management

  • Zero-Touch Deployment: Eliminates the complex manual logistics of shipping and re-shipping keys.
  • Full Lifecycle Management: Centralized control over FIDO and PIV credentials, ensuring compliance with standards like FIPS 201.
  • Effortless User Experience: Users receive pre-registered YubiKeys directly from Yubico, already enrolled in the organization’s Identity Provider (IdP), allowing them to authenticate within minutes with no complex self-enrollment required.
  • Hybrid & IdP Agnostic: Supports managing both PKI and FIDO2 credentials side-by-side and is compatible with multiple Identity Providers (e.g., Entra ID, Okta, Ping Identity) from one central interface.

Meet vSEC:CMS 7.2 – Centralized FIDO2 Management and Transition of Active YubiKeys

  • Centralized FIDO2 Control in Agent App – We’re adding the favorite FIDO2 device management features to the light version app, the vSEC:CMS Agent:
    – Remove passkeys from managed devices,
    – initiate fingerprint enrollment, and
    – perform application resets.
  • Transition of Active YubiKeys – Automate the wipe of all prior (PIV application) access credentials and replace them with new, uniquely diversified PKI keys and certificates. This feature effectively transitions active YubiKeys to vSEC:CMS management.
  • This release expands our supported credentials list to include the Thales SafeNet eToken FIDO NFC, Swissbit iShield Key 2, and support for a new credential provider, AuthenTrend, and the ATKey.Card.NFC. We’re providing you with more options for modern, multi-purpose authentication.
  • Significant under-the-hood enhancements to improve the platform’s overall performance, stability, and security, making the system faster and more resilient against threats.

vSEC:CMS

Starter Pack 50

€2.69

Per Credential Per Month
Yearly Subscription
Price Excl. Taxes

  • Professional Level Support
  • Customer On-Prem or Private Cloud
  • Full vSEC:CMS Feature Set
  • 50 Credentials

vSEC:CMS

Starter Pack 100

€1.85

Per Credential Per Month
Yearly Subscription
Price Excl. Taxes

  • Professional Level Support
  • Customer On-Prem or Private Cloud
  • Full vSEC:CMS Feature Set
  • 100 Credentials

vSEC:CMS

Starter Pack 500

€1.56

Per Credential Per Month
Yearly Subscription
Price Excl. Taxes

  • Professional Level Support
  • Customer On-Prem or Private Cloud
  • Full vSEC:CMS Feature Set
  • 500 Credentials

vSEC:CMS

>500 Credentials

Contact Sales
for Pricing

Contact us
  • Professional Level Support
  • Customer On-Prem or Private Cloud
  • Full vSEC:CMS Feature Set
  • Custom

Evaluation – Download Today!

Once downloaded and installed, vSEC:CMS is ready for use in Evaluation Mode. During the evaluation, you can configure your environment with up to 10 licenses and your own use cases. Each license manages one credential. Additional licenses can be acquired as a subscription or as perpetual licenses. Please contact a Versasec reseller or Versasec directly to proceed.

Schedule a Demo

To enjoy the vSEC:CMS full feature set (including Self-Service, Virtual Smart Card, HSM support etc), schedule a demo with Versasec or contact your local Versasec reseller.

Scalability

The vSEC:CMS scales with your project. With the new load balancing capability, there is no upper limit!

Load Balancer

Integrability – APIs

The vSEC:CMS can be integrated and connected in many different ways; the drawing below visualizes the most commonly used options.

vSEC:CMS APIs

Migrate to vSEC:CMS

vSEC:CMS includes upgrade wizards that enable quick and simple upgrade paths from third-party credential management systems.

vSEC:CMS system migration paths - never locked in!

Check out the details on how to upgrade from:

Resellers

The product can be purchased from authorized vSEC:CMS integrators and resellers, or directly from Versasec. Contact Versasec to let us help you find the best way forward.

Organizations Using Versasec

Organizations worldwide have upgraded their identity management, left behind passwords, and are focusing on other IT priorities.

  • 37% Tech & Services
  • 29% Government
  • 11% Financial
  • 23% Others

What Our Customers Are Saying

  • “I looked at Versasec and at the end of the day, it wasn’t a product. The way that Paul worked with us and continues to work with us today, it’s a true partnership and I know I can lean on them and make that call, shoot that email, and get a response. It’s a true partnership and it’s really nice to be able to have that, as opposed to a traditional ‘this is my piece of software, call support and have a good day.’” – Head of IT, Air Hydro Power. | Product: vSEC:CMS for PKI + FIDO. | Read Case Study.
  • “Two of the primary reasons that Versasec got our business: one, the on-premises feature. We’re not resisting the cloud, but if we can keep it on-premise, we manage our hardware and virtual environment. Two – perpetual licenses. We pay for support, but the licenses are there and will always be. We know that Versasec would be responsive if we need more licenses. Overall – the experience has been exactly what we were looking for.”
    – Aron Gann, System Administrator, Brookshire Brothers. | Product: vSEC:CMS on-prem for YubiKeys. | Read Case Study.
  • “Our team wants to focus on delivering business value. Updating software and servers, while important, is low value. By using a managed solution, we can focus on business objectives.”
    – Head of Engineering and Cybersecurity | Product: vSEC:CLOUD.

Get Started

Getting started is easy. Schedule a 30 min demo with an identity expert to see if Versasec is a good fit for your organization.

Schedule a Demo

Foundational Security: Credential Issuance and Management for PKI and FIDO

At our core, we establish a secure and controlled environment for enterprise credential issuance and management through primary connections.

This provides both simplicity and the highest level of security for effective credential management.

Schedule a Demo

Versasec Supported Credentials & Passwordless Authenticators

Versasec strives to support as many credential types as possible in all of its products. Below are the phishing-resistant credentials we support. We hope one fits your enterprise, users, and devices. Not all multi-factors are created equal. Customize based on your organizational needs and goals. We support PIV, PKI, Virtual, Physical Access, Logical Access, combined FIDO+PIV, and FIDO-only credentials. Versasec does not lock you in to one provider; we are credential-agnostic. The number of supported credential types is continuously increasing with every new product version. If you want to manage a different credential that is currently not on our list, please contact us at info@versasec.com.

* Tokens and smart cards with FIDO2

Read about our award-winning credential management software

Product Features

The table below highlights the key features in the Versasec credential management product suites.

 

vSEC:CLOUD

vSEC:CMS

User-Side Credential Operations

Agent-Side Credential Operations

  • Admin Key Change
  • Online Unblock User PIN
  • Offline Unblock User PIN (Operator Side)
  • User PIN Policy Update
  • Certificate Management (pfx or p12 Import, Delete)

Advanced Credential Operations

  • Admin Key Diversification from Hardware Protected Masterkey
  • User Fingerprint Policy Update
  • Batch Mode Support
  • Interface Management
  • Custom Data on Credential Management
  • Contact and Contactless (NFC)
  • Credential Ordering and Shipping

Database

  • Credential Repository
  • SQL-based Databases
  • Backup / Restore
  • Multi-forest & Multi-domain

Credential Management System Features

 

vSEC:CLOUD

vSEC:CMS

Product Features

Advanced Management Features

  • User Self-service and MS Credential Provider
  • Key Archive and Key Restore
  • Smart Card Stock Management
  • Granular Operator Permissions and Access Control
  • Card Printing and Batch Processing
  • Photo Capturing
  • Remote Security Device Management (RSDM)
  • Certificate Management using ACME
  • FIDO2 Enterprise Management

Systems Integrations

  • Certification Authorities
  • User Directories
  • Physical Access System (RFID)
  • Identity Providers (IdP)
  • Windows Event Log
  • Mail Server
  • Hardware Security Module (HSM)

Integrations/APIs

Server-Side
  • SQL Database Interface
  • SOAP Helpdesk API
  • SOAP Lifecycle API
  • REST Lifecycle API
Client-Side
  • COM API
  • Web Start API
  • Plugin API
  • Physical Access System (PACS) API
 

vSEC:CLOUD

vSEC:CMS

Licensing/Packaging

Managed by Versasec

 

Subscription

Perpetual Licenses

 

Installation Package

 

NOTE
✔ – The credential is supported by the product.
L – Known limitations – check release notes.
For details about validated middleware/minidrivers check the Versasec support portal or contact us.

Versasec Support

Versasec customers with an existing support and maintenance contract can access the Versasec Support Portal, offering extensive professional support and maintenance services. The Versasec Support Portal offers a variety of services, allowing for customers and any site visitor to communicate directly with support engineers.

Visit Support

Company Blog

Our blog addresses the latest security trends and stories. The posts discuss how identity and access management are playing a larger role in keeping corporate data safe as well as brand reputations intact.

Visit our Blog