Cryptographically Secure Proximity Cards
This topic describes how to configure Imprivata Enterprise Access Management to support cryptographically secure authentication using MIFARE DESFire EV3 proximity cards.
This feature extends proximity card authentication by authenticating the card over encrypted communication rather than only reading an identifier from it. It allows customers to meet stricter authentication security regulations and strengthens the Enterprise Access Management security posture.
For more information on support limitations, see Supported Components.
Configure Cryptographically Secure Proximity Card Authentication
To configure cryptographically secure proximity card authentication, complete the following three steps.

Step 1: Enable proximity card authentication in the user policy
- In the Imprivata Admin Console, go to Users > User policies.
- Select the user policy you want to configure to support cryptographically secure proximity card authentication.
- Enable Proximity Card.

Step 2: Add the DESFire master key(s), if required
Add a DESFire master key only if your organization issues cards with non-default master keys. If the cards use the default master key (all zeros), you can skip this step. Keep in mind that the all-zero default is a well-known value; issuing cards with an organization-specific master key is what makes the cryptographic authentication meaningful.
- In the Imprivata Admin Console, go to the gear icon > Settings page > Proximity cards section.
- Enter the master key(s) in the required format:
  - One key per line.
  - Each key must be 16, 32, or 48 hexadecimal digits (8, 16, or 24 bytes, matching the DESFire key type the cards were issued with).
- Click Save.
If a key is incorrectly formatted, an error is displayed and the key is not saved.

Step 3: Require cryptographically secure cards in the computer policy
- In the Imprivata Admin Console, go to Computers > Computer policies.
- Select the computer policy.
- In the Card Readers section, enable Require use of cryptographically secure contactless smart cards.
- Click Save.
With this setting enabled, endpoints that use the policy enforce strong authentication and accept only proximity cards that complete the encrypted DESFire authentication; other proximity cards are rejected.
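As an added example, not code from the Imprivata documentation or product: a PowerShell check that applies the same format rules described in Step 2 (one key per line; 16, 32 or 48 hexadecimal digits) to a key list before it is pasted into the Settings page, and reports the DESFire key type each length implies. The function name `Test-DesfireMasterKeyList`, the warning for the all-zero default key and the sample key list are this example's own; the sample keys are constructed for illustration and are not real keys.

```powershell
# Added example (not Imprivata code): validate a DESFire master key list before
# pasting it into Settings > Proximity cards. The console only reports that a key
# is "incorrectly formatted"; this check says which line and why.

function Test-DesfireMasterKeyList {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [string[]]$Lines      # the key list, one key per element, as it would be pasted
    )

    $lineNo  = 0
    $results = foreach ($raw in $Lines) {
        $lineNo++
        $key = $raw.Trim()
        if ($key -eq '') { continue }   # blank lines carry no key

        $status = 'OK'
        $note   = ''

        if ($key -notmatch '^[0-9A-Fa-f]+$') {
            $status = 'ERROR'
            $note   = 'contains non-hexadecimal characters (check for spaces, colons or a 0x prefix)'
        }
        elseif (@(16, 32, 48) -notcontains $key.Length) {
            $status = 'ERROR'
            $note   = "length is $($key.Length) hex digits; must be 16, 32 or 48"
        }
        elseif ($key -match '^0+$') {
            # Assumption for this example: the all-zero key is the factory default the
            # page says can be omitted, so listing it is flagged as unnecessary.
            $status = 'WARN'
            $note   = 'all-zero key is the factory default and does not need to be listed'
        }

        # The key length implies the DESFire key type (8, 16 or 24 bytes). A 32-digit
        # key can be either 2K3DES or AES; the card, not the list, decides which.
        $type = switch ($key.Length) {
            16      { 'DES (8 bytes)' }
            32      { '2K3DES or AES (16 bytes)' }
            48      { '3K3DES (24 bytes)' }
            default { 'n/a' }
        }

        [pscustomobject]@{
            Line    = $lineNo
            Status  = $status
            KeyType = $type
            Length  = $key.Length
            Note    = $note
        }
    }
    return $results
}

# Constructed sample input (not real keys): one valid key of each length, the
# all-zero default key, a key with spaces, and a key one digit short.
$sample = @(
    '0123456789ABCDEF'
    '00112233445566778899AABBCCDDEEFF'
    '000102030405060708090A0B0C0D0E0F1011121314151617'
    '00000000000000000000000000000000'
    '01 23 45 67 89 AB CD EF'
    '0123456789ABCDE'
)

Test-DesfireMasterKeyList -Lines $sample | Format-Table -AutoSize
```

To check a list kept in a file, pass its lines directly: `Test-DesfireMasterKeyList -Lines (Get-Content .\desfire-keys.txt)`. Any line reported as ERROR is one the console would also reject; a WARN line is accepted but adds nothing.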
Enrolling a Cryptographically Secure Proximity Card
Users must enroll their cryptographically secure proximity card before using it for authentication. Enrollment is supported both before and after desktop login.

Users can enroll their cryptographically secure proximity card in two ways. If the card is not yet enrolled, they can tap and hold it on the reader: the system detects the unregistered card and prompts them to complete the enrollment automatically.
Alternatively, users can enroll the card manually.
Before desktop login:
- At the pre-login enrollment window, enter their username and password.
- Select Enroll a new badge.
- Tap and hold the cryptographically secure proximity card on the reader.
- Enrollment completes automatically.
After desktop login:
- Launch the Enrollment Utility.
- Select Enroll a new badge.
- Tap and hold the cryptographically secure proximity card on the reader.
- Enrollment completes automatically.
Authentication workflow
Once enrolled, users can authenticate by simply tapping and holding their cryptographically secure proximity card on a supported reader.
Combined FIDO2/DESFire Badges
A badge that carries both FIDO2 and DESFire credentials cannot be used as both at the same time. The system prioritizes FIDO2 by default.
- Combined badges operate as FIDO2 without additional configuration.
- To use the badge as a DESFire proximity card, disable FIDO2 completely on the endpoint:
  - Rename the FactoryLoadID registry key in Computer\HKEY_LOCAL_MACHINE\SOFTWARE\SSOProvider\DeviceManager\Devices\Fido2\Providers\ScardAPI.
  - Restart the endpoint.
- Disabling FIDO2 through this process affects the entire endpoint and every reader attached to it, not only the combined badge. To restore FIDO2 functionality, revert the FactoryLoadID registry key to its original name and restart the endpoint.
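As an added example, not code from the Imprivata documentation or product: a PowerShell script that performs the rename-and-restart procedure above on one endpoint and reverses it, so that the current state can be read back before and after the change. The function names, the renamed name `FactoryLoadID.disabled` and the handling of FactoryLoadID as either a subkey or a value under ScardAPI are this example's assumptions; the page only says "registry key". Run it from an elevated PowerShell session on the endpoint.

```powershell
# Added example (not Imprivata code): switch a combined FIDO2/DESFire badge from
# FIDO2 to DESFire mode on one endpoint by renaming the FactoryLoadID entry under
# ScardAPI, then restart; -Enabled:$true restores the original name.
#
# Assumptions made here, not stated on the page:
#   - FactoryLoadID is handled as a subkey or as a value, whichever exists;
#   - 'FactoryLoadID.disabled' is this example's choice of renamed name; the same
#     name is used to find and restore the entry.

$ScardApiPath = 'HKLM:\SOFTWARE\SSOProvider\DeviceManager\Devices\Fido2\Providers\ScardAPI'
$Entry        = 'FactoryLoadID'
$DisabledName = 'FactoryLoadID.disabled'

function Get-Fido2LoadIdState {
    # Returns 'Enabled', 'Disabled' or 'Missing' by looking for the entry under its
    # original or renamed name, first as a subkey, then as a value.
    param([string]$Path = $ScardApiPath)

    if (-not (Test-Path $Path)) { return 'Missing' }

    $subkeys = (Get-ChildItem -Path $Path -ErrorAction SilentlyContinue).PSChildName
    $values  = (Get-ItemProperty -Path $Path -ErrorAction SilentlyContinue).PSObject.Properties.Name

    if ($subkeys -contains $Entry -or $values -contains $Entry)               { return 'Enabled' }
    if ($subkeys -contains $DisabledName -or $values -contains $DisabledName) { return 'Disabled' }
    return 'Missing'
}

function Set-Fido2OnEndpoint {
    # -Enabled:$false renames FactoryLoadID away so combined badges stop being
    # treated as FIDO2 on this endpoint; -Enabled:$true puts the name back.
    param(
        [Parameter(Mandatory)] [bool]$Enabled,
        [switch]$Restart
    )

    $from = if ($Enabled) { $DisabledName } else { $Entry }
    $to   = if ($Enabled) { $Entry }        else { $DisabledName }

    $state = Get-Fido2LoadIdState
    if (($Enabled -and $state -eq 'Enabled') -or (-not $Enabled -and $state -eq 'Disabled')) {
        Write-Host "FIDO2 is already $state on this endpoint; nothing to do."
        return
    }
    if ($state -eq 'Missing') {
        throw "Neither '$Entry' nor '$DisabledName' was found under $ScardApiPath."
    }

    $subkeyPath = Join-Path $ScardApiPath $from
    if (Test-Path $subkeyPath) {
        Rename-Item -Path $subkeyPath -NewName $to                          # entry is a subkey
    } else {
        Rename-ItemProperty -Path $ScardApiPath -Name $from -NewName $to    # entry is a value
    }

    Write-Host "Renamed '$from' to '$to'. FIDO2 state is now: $(Get-Fido2LoadIdState)."
    if ($Restart) {
        # The change affects every reader on this endpoint, not just the combined badge.
        Write-Host 'Restarting the endpoint so the change takes effect...'
        Restart-Computer -Force
    } else {
        Write-Host 'Restart the endpoint to apply the change.'
    }
}

# Usage:
#   Set-Fido2OnEndpoint -Enabled:$false -Restart   # combined badge now authenticates as DESFire
#   Set-Fido2OnEndpoint -Enabled:$true  -Restart   # revert to FIDO2
```

`Get-Fido2LoadIdState` on its own is a safe read-only check to run before touching anything; it also confirms after the restart that the endpoint is in the state you intended. Because the rename disables FIDO2 for the whole endpoint, run the script only on endpoints where every user is expected to authenticate with DESFire.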