The Swissbit iShield Key is a security key designed for strong authentication, offering a simple, secure, and flexible solution to protect users against online attacks such as phishing, social engineering, and account takeover. The product line includes the iShield Key FIDO2 [USB-A/NFC] and the iShield Key Pro [USB-A/NFC]. While the iShield Key FIDO2 is equipped solely with the FIDO2 applet, the iShield Key Pro features FIDO2, HOTP, and PIV applets, supporting a wider range of use cases. Both keys are FIDO-certified, plug-and-play devices that comply with FIDO2 and U2F standards.
Function Description:
The iShield Key provides robust hardware authentication for accessing websites, applications, online services, and company networks, including platforms like Google, Microsoft, Salesforce, and Amazon Web Services.
- FIDO2 Functionality (Standard): This is the core functionality for both iShield Key FIDO2 and iShield Key Pro. It enables strong authentication for online accounts by generating public/private key pairs on the hardware authenticator. During registration, the user authenticates via a PIN and a physical touch of the security key, and the public key is sent to the server. For login, the online service challenges the user to sign with their private key, and successful verification grants access. This process is compatible with Windows 10, macOS, Linux, Chrome OS, Android, and various browsers including Firefox, MS Edge, Chrome, and Apple Safari.
- HOTP Applications (iShield Key Pro only): The iShield Key Pro includes an HMAC-based One-Time Password (HOTP) slot, which is useful for two-factor authentication on services that do not support WebAuthn-compliant FIDO2 security keys (e.g., VPN access). It implements touch-triggered HOTP generation using the RFC 4226 algorithm. The key generates a six- or eight-digit human-readable password, and the internal counter increments after each computation, ensuring each password is used only once.
- PIV Applications (iShield Key Pro only): The iShield Key Pro can function as a Personal Identity Verification (PIV) device on Windows. It offers different slots to store and provide various certificates for use cases such as Windows Logon (local or Active Directory domain accounts) and BitLocker drive encryption. The PIV applet stores certificates and corresponding public/private key pairs in standard slots (9A, 9C, 9D, 9E) and 20 retired slots (82-95).
  - Windows Logon: Enables more secure logon based on a PKI hardware token instead of a password. The user plugs in the iShield Key Pro and provides a short PIN.
  - BitLocker: Allows encryption and decryption of data drives using certificates stored on the iShield Key Pro. For higher security, users need to insert the smartcard with the corresponding encryption certificate and provide its PIN to access data.
  - Active Directory Domain Accounts: Supports integration within a domain infrastructure, where a central domain server manages users, workstations, and certificates. This is suitable for large organizations to manage employee accounts and machines.
Important Technical Specifications:
- Applets:
  - iShield Key FIDO2: FIDO2 applet only.
  - iShield Key Pro: FIDO2, HOTP, and PIV applets.
- Connectivity: USB-A/NFC.
- FIDO2 Standards: FIDO2 and U2F.
- HOTP Algorithm: HMAC-based RFC 4226.
- HOTP Password Length: Configurable to 6 or 8 digits (default 6).
- PIV Certificate Slots: Four standard PIV slots (9A, 9C, 9D, 9E) and 20 retired slots (82-95).
  - Slot 9A: User Authentication (e.g., Smartcard Logon).
  - Slot 9C: Digital Signature (e.g., email signing).
  - Slot 9D: Encryption (e.g., Drive Encryption using BitLocker).
  - Slot 9E: Card Authentication (e.g., Physical Access).
- PIV PIN Policy: Slots 9A, 9C, and 9D require the PIN for private key operations; slot 9E does not require the PIN for private key operations.
- Supported OS for FIDO2: Windows 10, macOS, Linux, Chrome OS, Android.
- Supported Browsers for FIDO2: Firefox, MS Edge, Chrome, Apple Safari.
- Supported OS for PIV (iShield Key Pro): Windows 10 Pro (Home editions support neither BitLocker nor domain accounts).
- Supported Server Infrastructure for PIV (iShield Key Pro): Windows Server 2019 (for Active Directory setup).
Usage Features:
- Plug-and-Play: Both keys are designed for easy integration without extensive installation efforts.
- PIN Management: Users can set up, change, or reset their security PIN for FIDO2 and PIV functionalities through Windows 10 security key management or the iKMcli tool.
- Touch Authentication: A physical touch of the security key is required for FIDO2 operations to confirm human presence.
- Online Service Registration: Detailed guides are provided for registering the iShield Key with various online services like Microsoft accounts, Bitbucket, GitHub, and Amazon Web Services (AWS) for 2FA or passwordless sign-in.
- HOTP Configuration: The iKMcli command-line tool allows users to set the secret key, initial counter value, and OTP length for HOTP applications.
- PIV Management: The iKMcli tool facilitates changing PIN, PUK, and management key for PIV operations, listing certificates, deleting certificates by slot number, and resetting the smartcard to factory defaults.
- BitLocker Integration: The iShield Key Pro can be used to encrypt data drives with self-signed certificates (for local accounts) or domain-CA-issued certificates (for Active Directory).
- Smartcard Logon: Enables Windows logon using the iShield Key Pro and a PIN, providing a more secure and convenient alternative to passwords.
Maintenance Features:
- PIN Reset: The security PIN can be reset if lost or forgotten, though this will remove associated credentials.
- HOTP Counter Resynchronization: In cases where the token and server counters lose synchronization (e.g., due to multiple touches without authentication), the server can be configured with a "look-ahead" parameter to allow for a certain tolerance, and successful authentication resynchronizes the counters.
- PIV Smartcard Reset: If both PIN and PUK are blocked, the iShield Key Pro can be reset using the iKMcli tool, which erases all PIV data and restores default settings.
- OpenSC Minidriver and iShield PIV Module: For PIV administration and writing certificates to the smartcard, the OpenSC Minidriver, extended by the Swissbit iShield PIV Module, is required. This installation ensures full read/write access and proper functioning of PIV features.
- Management Key: A management key is used to authenticate administrative operations for PIV, such as key import, certificate generation/deletion, or writing PIV data to the card. It can be changed using the iKMcli tool.
- Troubleshooting: The manual provides guidance for common issues, such as the smartcard being read-only or an "internal consistency check failed" error, often related to incorrect OpenSC minidriver installation or misconfiguration.
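The touch-triggered HOTP generation described under "HOTP Applications" and the counter resynchronization described under "HOTP Counter Resynchronization" can be reproduced in software. The following is an added example, not code from Swissbit or the iKMcli tool: it implements RFC 4226 (HMAC-SHA1 plus dynamic truncation), models a token whose counter advances on every touch, and a verifier with a look-ahead window that jumps its counter forward on a successful match so that a replayed code and a token drifted beyond the window are both rejected. The secret is the RFC 4226 Appendix D test key; `HotpToken`, `HotpServer` and the window size of 3 are constructed for the illustration.

```python
import hashlib
import hmac
import struct

# Constructed example secret: the RFC 4226 Appendix D test key (ASCII "12345678901234567890").
SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                        # low nibble of the last byte selects 4 bytes
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


class HotpToken:
    """Hypothetical model of the touch-triggered slot: each touch emits one code and advances the counter."""

    def __init__(self, secret: bytes, initial_counter: int = 0, digits: int = 6):
        self.secret, self.counter, self.digits = secret, initial_counter, digits

    def touch(self) -> str:
        code = hotp(self.secret, self.counter, self.digits)
        self.counter += 1                          # increments whether or not the code is ever used
        return code


class HotpServer:
    """Hypothetical verifier with a look-ahead window that resynchronises on a successful match."""

    def __init__(self, secret: bytes, initial_counter: int = 0, digits: int = 6, look_ahead: int = 3):
        self.secret, self.counter, self.digits, self.look_ahead = secret, initial_counter, digits, look_ahead

    def verify(self, code: str) -> bool:
        for candidate in range(self.counter, self.counter + self.look_ahead + 1):
            if hmac.compare_digest(hotp(self.secret, candidate, self.digits), code):
                self.counter = candidate + 1       # jump past the matched counter, so a replay fails
                return True
        return False                               # outside the window: counters stay desynchronised


def demo() -> dict:
    token, server = HotpToken(SECRET), HotpServer(SECRET, look_ahead=3)
    first = server.verify(token.touch())           # in sync: counter 0 on both sides
    token.touch(); token.touch()                   # two idle touches: codes generated but never sent
    drifted = token.touch()                        # counter 3, still inside the window 1..4
    resynced = server.verify(drifted)
    replayed = server.verify(drifted)              # same code again: server has moved on to 4
    for _ in range(5):
        token.touch()                              # drift to counter 9, beyond the window 4..7
    too_far = server.verify(token.touch())
    return {"first": first, "resynced": resynced, "replayed": replayed,
            "too_far": too_far, "server_counter": server.counter}


if __name__ == "__main__":
    print(demo())
```

Once the token has drifted past the window, `verify` keeps failing and the counters have to be realigned by the administrator (for example by setting a new initial counter value), which is why the look-ahead size is a trade-off between tolerance and the number of codes an attacker could guess against.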