Smart Card Locked PIN Planning
Smart cards provide strong authentication using an easy-to-remember PIN to authenticate a user. The use of smart cards can improve a user’s authentication experience and reduce Service Desk calls. Gaining these advantages requires planning. As part of planning to use YubiKeys as smart cards, it is important to address the potential scenario of a locked or forgotten PIN. Under normal usage, PINs are not required to have a change policy, as they do not perform authentication to resources. PINs become locked after a number of failed login attempts. A locked or forgotten PIN should not be a frequent event, but when it happens, it can be difficult for the user to recover quickly. A well thought out plan helps mitigate any login issues a user might encounter and allows the employee to return to work quickly.
The smart card industry has thought hard about the user experience and built accommodations into the standards for dealing with PIN lockout issues. The PIV (Personal Identity Verification) standard that the YubiKey follows uses a PIN Unlock Key (PUK) to unlock the user’s PIN. Smart card management systems or individuals can leverage the PUK to unlock and reset a user’s PIN. Administrators should understand a few key terms used when discussing smart card management.
Definitions
| Term | Definition |
|---|---|
| PIN | A Personal Identification Number (PIN) is a set of characters used to unlock the smart card for use. The YubiKey supports numbers or letters, as does the Windows operating system. Mac OS only supports numbers for PINs. The PIN is a secret the user should never share. A PIN is different from a password: a password is used for authentication to resources and is not bound to a physical device, whereas a PIN is bound to and used to unlock an authenticator. In Yubico’s case, the PIN resides on the YubiKey and unlocks the authenticator, which uses public/private key cryptography to perform authentication. |
| PUK | The PIN Unblocking Key (PUK) is a code used by users or applications to reset a PIN that has been lost, forgotten, or locked because of too many failed attempts. The PUK is part of the PIV standard that the YubiKey follows. Another smart card standard, GIDS, leverages a challenge/response method to manage PIN issues. YubiKeys do not follow the GIDS standard at this time. |
| Management Key | The Management Key, sometimes called the Admin Key, is a code that allows applications to manage smart cards. It is used to manage certificates and other smart card management options. |
| CMS | A Certificate Management System (CMS) is an application that provides administrative functions for smart cards. A CMS leverages the PUK and Management Key to manage smart cards. CMS systems provide Administrators, the Service Desk, and end users the ability to manage smart cards, including PIN unlock features. Third-party CMS applications can be used to manage YubiKey smart cards. Additionally, a company can develop its own CMS solution that leverages the libraries provided by Yubico to manage the smart cards on its YubiKeys. |
User PIN Lock Out
When working with the YubiKey as a smart card, by default, the PIN is locked after three unsuccessful attempts. In this case, the smart card is disabled until the user’s PIN is unlocked and the correct PIN value is entered. PINs are designed to be easily remembered, but on occasion people forget their PIN or mistakenly enter the wrong PIN too many times, which locks the PIN. Fortunately, there are a number of ways to resolve a smart card PIN lockout. Options exist for self-service resolution and for centralized management by support teams, such as the Service Desk. The options you choose will depend on the risk profile your company requires.
Unlocking a user’s PIN requires managing a PIN Unlock Key (PUK), which should be unique for every smart card. YubiKeys are shipped with a default PUK value. Setting a unique, non-default PUK must be one of the first actions an organization takes when *initializing* the YubiKey smart card module if the ability to perform a PIN unlock is required. If the default PUK is not changed, entering the smart card PIN *via the YubiKey Minidriver* will permanently lock the PUK and make it unusable to manage the user’s PIN. This is a security feature of the YubiKey. Resetting the YubiKey smart card module returns it to the factory default state in which it was shipped from Yubico: certificates and private keys are deleted, and the PIN, PUK, Management Key, and all configuration options are returned to their default values. The attestation key and certificate are not removed, as they are part of the default state.
Self-service Options
There are various self-service options available.
Option 1 - Backup YubiKey
Providing each user a backup YubiKey resolves a number of issues, from PIN lockout to inability to access systems due to a lost YubiKey. In general, providing each user two or more YubiKeys is a recommended best practice that reduces calls to the Service Desk and allows workers to remain productive. This option is available whether the worker is in the office or remote. This option does not unlock the primary YubiKey, but it allows the user to gain access to their computer and then use option 2 or option 3 to set a new PIN or reset the YubiKey’s smart card module.
Option 2 - PIN Unlock Key (PUK)
Smart cards are designed to have a static code specifically to unlock and reset the user’s PIN. On the login screen of computers that have the YubiKey Smart Card Minidriver installed, the user enters the PUK code that allows a new PIN code to be set. This option reduces calls to the Service Desk and allows workers to remain productive. This option is available whether the worker is in the office or remote.
Option 3 - Certificate Management System (CMS) Portal
A CMS portal may allow the user to reset the PIN and/or reset the YubiKey and install smart card certificates. The user needs to authenticate to the CMS system, so this option should not rely solely on the primary YubiKey being available. Depending on the CMS solution’s offering, potential methods to authenticate may include use of a secondary YubiKey, a temporary YubiKey, or reverting to username and password. The CMS portal could be accessible from the user’s workstation or from a designated smart card station kiosk located within the company.
Support Team Options
There are various support team options available.
Support Team Option 1 - Open Source Libraries
Leveraging Yubico’s open source scripts and libraries, an organization can develop its own PIN unlock management system. The libraries, among other features, provide the ability to set the PUK and to unlock and reset the PIN. Companies can build systems to securely store the PUK, which the support team can then use to unlock the user’s PIN.
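The two PUK operations the article relies on, setting a unique PUK at initialization (the step described under User PIN Lock Out) and using the stored PUK to clear a lockout (this option), as an added example that is not Yubico’s own script. It assumes the ykman 5.x command-line tool is installed, that the factory-default PUK is 12345678, and that the plain file named by ESCROW_FILE is only a stand-in for a real secrets store.

```bash
#!/usr/bin/env bash
# Added example (not Yubico's code): provision a unique PUK when initializing
# the PIV module and later unblock a locked PIN with it, via the ykman 5.x CLI.
# ESCROW_FILE is a placeholder for a real secrets store, never a plain-text file.
set -euo pipefail

FACTORY_PUK="12345678"                          # YubiKey PIV factory-default PUK
ESCROW_FILE="${ESCROW_FILE:-./puk-escrow.txt}"  # placeholder vault (serial puk)

# Policy check: 6-8 characters and not the factory default.
validate_puk() {
  local puk="$1"
  [ "${#puk}" -ge 6 ] && [ "${#puk}" -le 8 ] && [ "$puk" != "$FACTORY_PUK" ]
}

# Random 8-digit PUK from /dev/urandom (32-bit value mod 10^8; the modulo
# bias is negligible here); loops until the policy check passes.
gen_puk() {
  local n puk
  until validate_puk "${puk:-}"; do
    n=$(od -An -tu4 -N4 /dev/urandom | tr -d ' ')
    puk=$(printf '%08d' "$((n % 100000000))")
  done
  printf '%s' "$puk"
}

# Escrow lookup: the PUK recorded for serial $1 (last entry wins).
lookup_puk() {
  awk -v s="$1" '$1 == s { p = $2 } END { print p }' "$ESCROW_FILE"
}

# Initialization step: replace the factory PUK on the card with serial $1 and
# escrow it. Do this before any PIN entry through the minidriver, and after
# any set-retries call, because set-retries returns PIN and PUK to defaults.
provision_puk() {
  local serial="$1" puk
  puk=$(gen_puk)
  ykman --device "$serial" piv access change-puk --puk "$FACTORY_PUK" --new-puk "$puk"
  printf '%s %s\n' "$serial" "$puk" >> "$ESCROW_FILE"
}

# Support-team unblock: clear the PIN lockout on serial $1 and set new PIN $2.
unblock_pin() {
  local serial="$1" new_pin="$2" puk
  puk=$(lookup_puk "$serial")
  [ -n "$puk" ] || { echo "no escrowed PUK for serial $serial" >&2; return 1; }
  ykman --device "$serial" piv access unblock-pin --puk "$puk" --new-pin "$new_pin"
}
```

Source the file and call `provision_puk <serial>` during enrollment or `unblock_pin <serial> <new-pin>` from the support workflow; the PUK change itself needs no Management Key, so the escrow store is the only secret the support path depends on.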
Support Team Option 2 - Third-Party Certificate Management System (CMS)
A CMS system provides a number of features that manage the lifecycle of a smart card. These tools allow support teams to reset a user’s smart card PIN. The CMS system manages the PUK for every smart card, so neither the support team nor the user needs to know it.
Remote Support
Most CMS tools provide a remote PIN unlock feature. In a typical scenario, the CMS system changes the computer’s login screen to display a challenge code. The user gives the challenge code to the support team, who enter it into their CMS support portal. The portal returns a response code, which is given to the user. The user enters the response code at the login screen to unlock the PIN and must then set a new PIN.
CMS functionality varies by vendor, so it is important to understand the system’s specific remote management capabilities and how they work with different operating systems and smart cards.
Support Team Option 3 - Smart Card Station
A smart card station allows a user and a support team member to do in-person validation and resolve issues such as unlocking a smart card user PIN. The station could use either the third-party CMS system or a custom solution.
Plan Appropriately
Rolling out a successful smart card implementation centers on understanding the real-world needs of your users, understanding your organization’s risk tolerance, and developing processes to meet those requirements. From a technical perspective, properly managing the PUKs on every YubiKey allows custom and third-party management systems to give individuals and support teams the ability to quickly and securely unlock a user’s PIN so they can return to work.