Using Bluetooth for Entrust derived credential authentication on Windows
The PIV-D Manager app for iOS and the PIV-D Entrust app for Android support using an Entrust derived credential from an iOS or Android device to authenticate to a Windows 10 computer. This procedure is a convenient substitute for authenticating to a Windows computer by placing a smart card in a smart card reader attached to the workstation.
To use this authentication procedure, the Windows 10 computer must:
• install an Entrust Smart Credential Dongle (necessary only when using iOS devices)
• install the Entrust IdentityGuard Bluetooth Smart Credential Reader application
• have smart card login enabled
Using the PIV-D Manager app for iOS or PIV-D Entrust app for Android, the user activates an Entrust derived credential on the device. After a derived credential is activated:
• The iOS user uses the PIV-D Manager app to pair the iOS device with the Windows 10 computer using Bluetooth.
• The Android user pairs the Android device with the Windows 10 computer using Bluetooth.
Once paired with the device, the Windows 10 computer has access to the derived credential on the device. The user can now:
• Log into the Windows 10 computer by entering the derived credential PIN.
• Authenticate to protected websites from the Windows 10 computer by entering the smart card PIN. A protected website in this scenario is a website which the user normally authenticates to with a smart card.
About the derived credential PIN
When a device user activates an Entrust derived credential on a device, a PIN is associated with the derived credential. The device user enters this derived credential PIN when authenticating over Bluetooth with the derived credential to:
The derived credential PIN on iOS devices
On iOS devices running the PIV-D Manager app 2.2 through the most recently released version as supported by MobileIron, the device user sets the derived credential PIN when the derived credential is activated. Using options in the Settings > Entrust screen of the PIV-D Manager app for iOS, device users can later change the derived credential PIN, or reset it if they forgot it. Some device users find it convenient to set the derived credential PIN the same as the secure apps passcode.
The derived credential PIN has a minimum length of 4 digits and a maximum length of 8 digits. Only digits (0 - 9) are allowed.
NOTE: If the device user has already activated a derived credential before upgrading to PIV-D Manager app 2.2, the user can find out what the derived credential PIN is by going to the Entrust IdentityGuard Self-Service Module. Alternatively, the device user can reset the derived credential PIN.
The derived credential PIN on Android devices
On Android devices running the PIV-D Entrust app 1.3 through the most recently released version as supported by MobileIron, the device user sets the derived credential PIN when the derived credential is activated. Using options in the General Settings screen of the PIV-D Entrust app for Android, device users can later change the derived credential PIN, or reset it if they forgot it. Some device users find it convenient to set the derived credential PIN the same as the secure apps passcode.
The derived credential PIN has a minimum length of 4 digits and a maximum length of 8 digits. Only digits (0 - 9) are allowed.
NOTE: If the device user has already activated a derived credential before upgrading from PIV-D Entrust app 1.2, the derived credential PIN is automatically set to the same PIN as the smart card PIN. The device user can then use the PIV-D Entrust app to change the derived credential PIN if desired.
Tasks for Windows authentication from an iOS device
To use an Entrust derived credential from an iOS device to authenticate to a Windows 10 computer using Bluetooth:
Providing the Entrust derived credential from an iOS device to a Windows computer over Bluetooth
Before you begin
1. Activate an Entrust derived credential on your iOS device.
See Setting up Entrust derived credentials during registration or Setting up Entrust derived credentials after registration.
2. Enable smart card login on your Windows 10 computer.
3. Install the Entrust IdentityGuard Bluetooth Smart Credential Reader application on the Windows 10 computer.
4. Connect the Entrust Smart Credential Dongle to the Windows 10 computer.
Procedure
1. In Settings on the iOS device, enable Bluetooth.
2. Launch the PIV-D Manager app.
If prompted, enter the AppConnect passcode or AppConnect biometric authentication.
3. Tap Entrust IdentityGuard.
The Entrust IdentityGuard screen displays.
4. Tap Add Bluetooth device.
All available, unconnected Bluetooth devices are displayed.
5. Tap on the entry for the Windows 10 computer.
The Bluetooth pairing code displays.
6. Enter the Bluetooth pairing code on the display that appears on the Windows 10 computer. You have limited time to enter the pairing code.
When the iOS device has accepted the pairing, the Windows dialog indicates success.
7. Click Close on the Windows dialog.
You can now use the Entrust derived credential on the iOS device for authenticating to the Windows 10 computer. You can also use it to authenticate to protected websites from the Windows 10 computer. For these authentications to succeed, the Bluetooth pairing must remain connected.
Authenticating to a Windows computer with an Entrust derived credential from an iOS device using Bluetooth
After you have completed the steps in Providing the Entrust derived credential from an iOS device to a Windows computer over Bluetooth, you can use the derived credential to authenticate to the Windows 10 computer, instead of authenticating with a smart card.
Procedure
1. On the Windows 10 computer, select the option to log in with a smart card.
2. When prompted by the Windows 10 computer, enter your derived credential PIN.
After entering the derived credential PIN, you are logged into the Windows 10 computer.
Related topics
About the derived credential PIN
Authenticating to protected websites with an Entrust derived credential from an iOS device using Bluetooth
After you have completed the steps in Providing the Entrust derived credential from an iOS device to a Windows computer over Bluetooth, you can use the derived credential to authenticate to protected websites, instead of authenticating with a smart card. A protected website in this scenario is one that you can authenticate to with a smart card.
Before you begin
Complete the steps in Providing the Entrust derived credential from an iOS device to a Windows computer over Bluetooth. Note that the Bluetooth connection must still be active for you to authenticate to protected websites with the Entrust derived credential.
Procedure
1. On the Windows computer, navigate to a protected website in a browser and follow the instructions to log in to the website.
Windows displays a dialog for you to choose the appropriate certificate.
2. Select the certificate for which the serial number corresponds to the derived credential from the iOS device.
To know which certificate to select, view the serial number on the iOS device in the PIV-D Manager app in the Entrust IdentityGuard screen. The identity is displayed under Current Identity.
3. Click OK on the Windows display after you have selected the correct certificate.
4. When prompted by the Windows computer, enter your derived credential PIN.
After entering the derived credential PIN, you are logged into the protected website.
Related topics
About the derived credential PIN
Tearing down the Bluetooth connection with an iOS device
Only one iOS device can be paired with a Windows 10 computer for the purpose of giving the Windows computer access to the Entrust derived credential.
The following procedure describes how to tear down a Bluetooth connection.
Procedure
1. On the iOS device, launch the PIV-D Manager app.
If prompted, enter the AppConnect passcode or AppConnect biometric authentication.
2. In the Entrust IdentityGuard screen, tap on the information icon next to the name of the connected Windows computer.
3. Tap Forget this device.
6. Tap the name of the Windows computer.
7. Tap Forget This Device.
8. On the Windows computer, open the Manage Bluetooth Smart Credential Dongle app.
9. Select the iOS device.
Changing the derived credential PIN on iOS devices
When you use a derived credential to authenticate from an iOS device over Bluetooth to a Windows 10 computer or protected website, the Windows 10 computer prompts you for your derived credential PIN. You can change your derived credential PIN.
Procedure
1. On the iOS device, launch the PIV-D Manager app.
If prompted, enter the secure apps passcode or biometric authentication.
2. Select the settings icon in the upper right corner of the screen.
The Settings screen displays.
5. Enter your current derived credential PIN, your new derived credential PIN, and reenter your new derived credential PIN.
The derived credential PIN has changed. The app returns to the Settings screen.
7. Tap Done to exit Settings.
Related topics
About the derived credential PIN
Resetting the derived credential PIN on iOS devices
When you use a derived credential to authenticate from an iOS device over Bluetooth to a Windows 10 computer or protected website, the Windows 10 computer prompts you for your derived credential PIN. You can reset your derived credential PIN if you forget it.
Procedure
1. On the iOS device, launch the PIV-D Manager app.
If prompted, enter the secure apps passcode or biometric authentication.
2. Select the settings icon in the upper right corner of the screen.
The Settings screen displays.
The resulting screen displays the Unblock Challenge which you will use in a later step. It also displays the steps you will take.
5. Connect a smart card reader, with a smart card inserted, to a desktop computer.
6. On the desktop computer, open a browser and enter the https:// URL for your Entrust self-service portal.
7. Log in to the portal with the smart card certificate.
8. When prompted, enter the PIN for the smart card.
9. Click I'd like to unlock my smart credential.
10. Select the device that you want to unlock and click Yes.
11. Select Windows 7 PIN Unblock, regardless of your Windows operating system, and click Next.
Do not select Card Unblocking Key.
12. In the Challenge field, enter the Unblock Challenge displayed in the PIV-D Manager app.
The Entrust IdentityGuard Self-Service Module (SSM) displays an unblock response code.
14. In the PIV-D Manager app on the device, tap Next.
15. Enter the unblock response code in the Unblock Response field.
NOTE: The unblock response code you enter in the PIV-D Manager app is not case sensitive and can have spaces in it.
16. Enter a new derived credential PIN and reenter it to confirm it.
The derived credential PIN has been reset. The app returns to the Settings screen.
18. Tap Done to exit Settings.
Related topics
About the derived credential PIN
Reconnecting Bluetooth connection automatically on iOS devices
When a device user has authenticated to a Windows 10 computer with a derived credential using Bluetooth, the Bluetooth connection drops when the user leaves the room with only her iOS device. The user can configure the PIV-D Manager app to automatically re-establish the connection when the device and Windows 10 computer are again within Bluetooth range. This setting is enabled by default.
Some other scenarios that cause the PIV-D Manager to automatically re-establish the connection are:
• The device user turns the laptop off and on.
• The device user puts the iOS device in and then out of airplane mode.
Note the following:
• Automatically re-establishing the connection occurs only for the most recent Windows 10 computer that the device user authenticated to using Bluetooth.
• Automatically re-establishing the connection does not occur if the device user manually tears down the Bluetooth connection.
Procedure
1. On the iOS device, launch the PIV-D Manager app.
If prompted, enter the secure apps passcode or biometric authentication.
2. Select the settings icon in the upper right corner of the screen.
4. Select Entrust > Bluetooth - Auto Re-Connect to enable automatic reconnection. Unselect the option to disable automatic reconnection.
Tasks for Windows authentication from an Android device
To use an Entrust derived credential from an Android device to authenticate to a Windows 10 computer using Bluetooth:
Setting up Bluetooth for Entrust derived credential authentication from an Android device to a Windows computer
Before you begin
1. Activate an Entrust derived credential on your Android device.
See Setting up Entrust derived credentials during registration or Setting up Entrust derived credentials after registration.
2. Make sure you know your derived credential PIN, which you set when you activated the derived credential. The derived credential PIN is not necessarily the same as the smart card PIN.
3. Enable smart card login on your Windows 10 computer.
4. Install the Entrust IdentityGuard Bluetooth Smart Credential Reader application on the Windows 10 computer.
5. Enable Bluetooth on the Windows 10 computer.
NOTE: No physical dongle is used on the Windows 10 computer.
Procedure
1. Launch the PIV-D Entrust app on the Android device.
If prompted, enter the secure apps passcode or biometric authentication.
The app displays the active derived credential.
2. Tap the Bluetooth icon.
A pop-up displays instructing you to enable Bluetooth in device settings.
3. Tap Settings in the pop-up.
The settings screen for Bluetooth displays.
Available devices for Bluetooth pairing display.
5. Tap the Windows 10 computer to pair with.
6. Tap OK in the pop-up to confirm the pairing request.
7. Confirm the pairing request on the Windows 10 computer.
8. Click Close on the Windows dialog.
The PIV-D Entrust app displays the pairing.
Once paired, you are ready to use the Entrust derived credential on the Android device for authenticating to the Windows 10 computer. You can also use it to authenticate to protected websites from the Windows computer. For these authentications to succeed, the Bluetooth pairing must remain active.
Authenticating to a Windows computer with an Entrust derived credential from an Android device using Bluetooth
After you have completed the steps in Setting up Bluetooth for Entrust derived credential authentication from an Android device to a Windows computer, you can use the derived credential to authenticate to the Windows 10 computer, instead of authenticating with a smart card.
Procedure
1. On the Windows 10 computer, select the option to log in with a smart card.
2. Launch the PIV-D Entrust app on your Android device.
If prompted, enter the secure apps passcode or biometric authentication.
The app displays the Active Credentials screen.
3. Tap the Bluetooth icon.
4. Tap the paired device corresponding to the Windows 10 computer.
A pop-up displays asking if you want to connect with the Windows 10 computer to share the current derived credential.
NOTE: If you were already connected to another Windows 10 computer, that computer is disconnected and its entry changes back to paired.
6. When prompted by the Windows 10 computer, enter your derived credential PIN.
You are now logged into the Windows computer.
The entry for the Windows 10 computer now indicates the computer is connected instead of paired. If you log out of the Windows 10 computer, you can log in again by re-entering your derived credential PIN.
When connected, the Windows computer can access the derived credential, so you can now also use the derived credential to authenticate to protected websites from the Windows computer.
Authenticating to protected websites with an Entrust derived credential from an Android device using Bluetooth
After you have completed the steps in Authenticating to a Windows computer with an Entrust derived credential from an Android device using Bluetooth, you can use the derived credential to authenticate to protected websites, instead of authenticating with a smart card. A protected website in this scenario is one that you can authenticate to with a smart card.
Before you begin
Complete the steps in Authenticating to a Windows computer with an Entrust derived credential from an Android device using Bluetooth. Note that the Bluetooth entry for the Windows 10 computer in the PIV-D Entrust app must display Connected. When connected (not simply Paired), the Android device can share the derived credential with the Windows 10 computer.
Procedure
1. On the Windows 10 computer, navigate to a protected website in a browser and follow the instructions to log in to the website.
Windows displays a dialog for you to choose the appropriate certificate.
2. Select the certificate for which the serial number corresponds to the derived credential from the Android device.
3. Click OK on the Windows display after you have selected the correct certificate.
4. When prompted by the Windows 10 computer, enter your derived credential PIN.
You are now logged into the protected website.
Related topics
About the derived credential PIN
Stop sharing the derived credential from an Android device using Bluetooth
The following procedure describes how to stop sharing the derived credential using a Bluetooth connection.
Procedure
1. On the Android device, launch the PIV-D Entrust app.
If prompted, enter the secure apps passcode or biometric authentication.
2. Navigate to the screen that displays the Bluetooth pairings.
3. Tap the entry for a Windows 10 computer that is connected.
A pop-up displays asking if you want to disconnect the Windows computer to stop sharing the derived credential.
The entry for the Windows 10 computer now indicates the computer is paired instead of connected. You can no longer use the derived credential on the Windows computer.
Changing the derived credential PIN on Android devices
When you use a derived credential to authenticate from an Android device over Bluetooth to a Windows 10 computer or protected website, the Windows 10 computer prompts you for your derived credential PIN. You can change your derived credential PIN.
Procedure
1. On the Android device, launch the PIV-D Entrust app.
If prompted, enter the secure apps passcode or biometric authentication.
2. Select the settings icon in the upper right corner of the screen.
3. Select General Settings > Change Derived Credential PIN.
4. Enter your current derived credential PIN, your new derived credential PIN, and reenter your new derived credential PIN.
Related topics
About the derived credential PIN
Resetting the derived credential PIN on Android devices
When you use a derived credential to authenticate from an Android device over Bluetooth to a Windows 10 computer or protected website, the Windows 10 computer prompts you for your derived credential PIN. You can reset your derived credential PIN if you forget it.
Procedure
1. On the Android device, launch the PIV-D Entrust app.
If prompted, enter the secure apps passcode or biometric authentication.
2. Select the settings icon in the upper right corner of the screen.
3. Select General Settings > Reset Derived Credential PIN.
This screen displays the Unblock Challenge which you will use in a later step. It also displays the steps you will take.
4. Connect a smart card reader, with a smart card inserted, to a desktop computer.
5. On the desktop computer, open a browser and enter the https:// URL for your Entrust self-service portal.
6. Log in to the portal with the smart card certificate.
7. When prompted, enter the PIN for the smart card.
8. Click I'd like to unlock my smart credential.
9. Select the device that you want to unlock and click Yes.
10. Select the type of unlock key based on your Windows operating system and click Next.
Do not select Card Unblocking Key.
11. In the Challenge field, enter the Unblock Challenge displayed in the PIV-D Entrust app.
The Entrust IdentityGuard Self-Service Module (SSM) displays an unblock response code.
13. In the PIV-D Entrust app on the device, tap Next.
14. Enter the unblock response code in the Unblock Response field.
NOTE: The unblock response code you enter in the PIV-D Entrust app is not case sensitive and can have spaces in it.
15. Enter a new derived credential PIN and reenter it to confirm it.
Related topics
About the derived credential PIN
Reconnecting Bluetooth connection automatically on Android devices
When a device user has authenticated to a Windows 10 computer with a derived credential using Bluetooth, the Bluetooth connection drops when the user leaves the room with only her Android device. The user can configure the PIV-D Entrust app to automatically re-establish the connection when the device and Windows 10 computer are again within Bluetooth range. This setting is enabled by default.
Procedure
1. On the Android device, launch the PIV-D Entrust app.
If prompted, enter the secure apps passcode or biometric authentication.
2. Select the settings icon in the upper right corner of the screen.
3. To enable automatic reconnection, select General Settings > Bluetooth - Auto reconnect to avoid manually connecting to Bluetooth. Unselect the option to disable automatic reconnection.