PIV and Security Device
Some of the authentication devices we offer, such as YubiKey, have multiple functions in a single key and can be used in a variety of ways.
This article introduces one of these functions, PIV.
What is PIV?
In recent years IC cards (smart cards) have become widespread, and many people use them every day: bank ATM cards and prepaid transit cards, to name a few. At many companies the employee ID card is itself an IC card that also serves as an entrance pass.
There are several standards for these IC cards, and one of the major ones is PIV, which stands for Personal Identity Verification. Originally a standard set by the U.S. government, it has since become widely used in commercial applications because of the high assurance it provides as proof of identity and its convenience for multi-factor authentication (MFA).
PIV allows for the following
Device Type
Although PIV offers these various functions, it is not a card-only standard; USB devices that implement it are also available.
Security devices that support PIV include:
- YubiKey by Yubico
- iShield Key Pro by Swissbit
- IdemKey Plus by GoTrust
(Photo: YubiKey, iShield Key Pro, IdemKey)
When a company uses IC cards only as an entrance pass, it is sufficient to install a card reader at the entrance. However, if each employee has his or her own PC and the IC card is also used for authentication at login, a card reader is needed at every PC, which further increases the cost of deployment. In such cases, USB devices are very effective authentication devices because they require no additional card reader and are more portable.
Please contact us from the link below for various devices.
Examples of PIV Usage
The PIV function allows users to log on to PCs connected to Microsoft Active Directory, encrypt files using BitLocker, and more.
In this section we briefly introduce one example of the PIV function: logging on to a PC joined to Active Directory using a YubiKey's PIV function (smart card logon).
First, a smart card logon environment requires Windows Active Directory Domain Services and Active Directory Certificate Services.
The administrator must configure the certificate settings for smart card logon on the Windows Server running the CA. After that, each user can enroll a certificate onto their own YubiKey and perform smart card logon.
When the user inserts the YubiKey at the logon screen, the user account is identified and the user logs on by entering the PIN set on the YubiKey.
Please check the manual for more information.
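As an added check that is not part of the original article: before rolling smart card logon out to users, an administrator can confirm from PowerShell that the certificate enrolled on a YubiKey carries what Windows expects for smart card logon (the Smart Card Logon and Client Authentication EKUs, a UPN in the Subject Alternative Name, and a private key reachable through the card). It assumes the YubiKey is inserted and its certificate has been propagated into the current user's personal store by the PIV minidriver.

```powershell
# Added example, not from the original article. Lists the certificates in the
# current user's personal store and reports whether each one has the attributes
# Windows requires for smart card logon. Assumes the YubiKey is inserted and the
# PIV minidriver has propagated its certificate into Cert:\CurrentUser\My.

$SmartCardLogonEku = '1.3.6.1.4.1.311.20.2.2'   # Microsoft Smart Card Logon
$ClientAuthEku     = '1.3.6.1.5.5.7.3.2'        # Client Authentication
$SanOid            = '2.5.29.17'                # Subject Alternative Name

function Test-SmartCardLogonCert {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert
    )

    # Collect the EKU OIDs from the Enhanced Key Usage extension, if present.
    $ekuExt = $Cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $ekus = @()
    if ($ekuExt) { $ekus = @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value }) }

    # The SAN must carry the user's UPN; Format($true) renders it as "Principal Name=...".
    $sanExt  = $Cert.Extensions | Where-Object { $_.Oid.Value -eq $SanOid }
    $sanText = if ($sanExt) { $sanExt.Format($true) } else { '' }

    $hasSmartCardEku  = ($ekus -contains $SmartCardLogonEku)
    $hasClientAuthEku = ($ekus -contains $ClientAuthEku)
    $hasUpnSan        = ($sanText -match 'Principal Name=')
    $notExpired       = ($Cert.NotAfter -gt (Get-Date))

    [pscustomobject]@{
        Subject          = $Cert.Subject
        Thumbprint       = $Cert.Thumbprint
        HasSmartCardEku  = $hasSmartCardEku
        HasClientAuthEku = $hasClientAuthEku
        HasUpnSan        = $hasUpnSan
        HasPrivateKey    = $Cert.HasPrivateKey   # key stays on the YubiKey; exposed via the minidriver
        NotAfter         = $Cert.NotAfter
        ReadyForLogon    = ($hasSmartCardEku -and $hasClientAuthEku -and $hasUpnSan -and
                            $Cert.HasPrivateKey -and $notExpired)
    }
}

Get-ChildItem Cert:\CurrentUser\My |
    ForEach-Object { Test-SmartCardLogonCert -Cert $_ } |
    Format-Table Subject, HasSmartCardEku, HasClientAuthEku, HasUpnSan, HasPrivateKey, ReadyForLogon -AutoSize
```

The same requirements apply to the certificate settings the administrator configures on the CA, so a row that is not ReadyForLogon usually points back to the template rather than to the key; `certutil -scinfo` gives a complementary view read directly from the card.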
Multi-factor authentication is achieved by combining the "possession factor" (the user's security device) with the "knowledge factor" (the PIN set on that device). Smart card authentication thus provides stronger authentication with a smart card and PIN without sacrificing the benefits of Active Directory's permission management.
When introducing smart card authentication to an organization, an administrator who wants to enroll users on their behalf, rather than having each user do it, faces a considerable task if there are many security devices, since each one must be enrolled individually. We have prepared an application for batch registration to reduce this burden, so please contact us if you are interested.
Summary
In summary, PIV combines strong security, high versatility, and ease of use as an MFA option, which is why it is widely used by governments and corporations. PIV-capable devices come in both card and USB key form, and USB devices offer even greater convenience because no card reader is needed to authenticate to the system.
Our YubiOn service provides multi-factor authentication similar to PIV authentication. It also makes it possible to manage authentication devices via a web console and to control logon to terminals with those devices.
In addition, while smart card logon using PIV requires an Active Directory environment, our service has the advantage of working outside an AD environment. If you are considering PIV authentication, please also consider our YubiOn service.