Flexible PKard Reader and elegant Tactivo bring smart card authentication to your favorite mobile device
BYOD becomes a bit more complicated when you work in an environment that requires stronger forms of authentication than a username and password combination. A close inspection of the iPhone or iPad reveals neither a fingerprint sensor nor a smart card reader, for example. Fortunately, vendors such as Thursby Software and Precise Biometrics have rushed in to fill the void.
Thursby Software's PKard Reader and Precise Biometrics' Tactivo support the major standard smart card formats including the CAC (Common Access Card) used by the U.S. military and DOD (Department of Defense). I tested the products by using an iPhone 4S and an iPad 2, both running iOS 6.1, to access a number of military and DOD websites that require CAC authentication.
Apr 17, 2012 PKard Reader now supports full screen browsing and hiding the toolbar. An issue with named tabs and form targets was fixed. An issue where touching a button on certain pages could result in a blank page appearing was fixed. Enhancing Security. Simplifying Lives. Thursby Software HQ 4901 South Collins Street Arlington, TX 76018 USA thursby.com Technical or sales support by a real. Mar 30, 2013 ** IMPORTANT ** PKard® for Good is a special version of the PKard Reader secure browser app that is designed exclusively for iPad and iPhone. Thursby said the development of PKard Reader and its Mac CAC software leveraged the company's PKard Toolkit 2.0 SDK. Not simply an SDK to access the “chip” on a CAC/PIV card, but an entire.
[ Get expert advice about planning and implementing your BYOD strategy with InfoWorld's 29-page 'Mobile and BYOD Deep Dive' PDF special report. | Keep up on key mobile developments and insights with the Mobilize newsletter. ]
Until the PKard Reader and Tactivo devices arrived for the iPhone and iPad, military and DOD personnel had to use either a PC or Mac to remotely access CAC-secured sites, even for Webmail, travel, and unclassified administrative tasks. As prices fall, these workers will be sorely tempted to buy one of these readers -- and so will many iPhone and iPad users in private sector companies that require smart card authentication.
Common capabilities and limitationsThursby's PKard Reader and Precise Biometrics' Tactivo worked as advertised, allowing me to successfully check email on both the Navy Marine Corps Email and the Army Email AKO sites.
Note, however, that the Safari browser on the iPhone and iPad does not support smart card authentication. In order to facilitate browsing of websites that authenticate using smart cards or CACs, Thursby's PKard Reader and Precise Biometrics' Tactivo both include Thursby's free PKard Reader app. (Military and DOD and government personnel will like that the PKard Reader app lets you bookmark commonly used CAC-required sites, organized in service favorite folders such as Navy Sites, Army Sites, Air Force Sites, DOD Sites, Marine Corps Sites, Coast Guard, and Federal Government.)
It can be difficult to use Webmail on the iPhone (less so on the iPad) due to the limited screen real estate. It would be preferable to use the regular email app, but this is not an option provided by the DOD today, as it would require the DOD to provide a VPN mail service server. While the PKard Reader and Tactivo devices are capable of supporting direct access to mail servers, I was only able to test access to Webmail in my environment. Potential buyers in the military and government should be aware they'll be restricted to using iOS-compatible Webmail and Web apps only.
All potential buyers should note that the PKard Reader app does not overcome other limitations of Apple's Safari browser. Smart card or CAC-secured websites that employ technologies such as Flash or Java that work fine on a full PC will not work on an iPhone or iPad -- with or without the PKard Reader app. The Defense Travel System (DTS) is an example of this limitation. DTS simply will not work due to the fact that its designers did not plan for iOS compatibility. For users of DOD websites, it's Webmail only and no mobile travel planning for now.
This of course is not the fault of the PKard Reader or Tactivo, but a limitation of iOS and the result of unfortunate website design decisions. DOD sites were designed for the PC, and they may be clunky to use on an iPhone or iPad. As the DOD gets onboard with mobile users surfing its websites, we can only hope that the websites will become less reliant on Flash and Java and more in tune with HTML5 and smaller screen sizes.
Another problem with the DOD's CAC-authenticated websites is that error messages are poor or nonexistent. Logging in to a website will require either the email certificate or the identity certificate. If you enter the wrong one, you will get a nondescript error such as 'This page cannot be displayed.' Your browser's cache will be corrupted. Refreshing the website will not work. You will have to restart the application and retry the URL, selecting the other certificate to get it to work. The problem is that some DOD websites use the identity certificate and others use the email certificate. If you choose the wrong one, you have to kill the application and try again. Again, it's not the fault of the PKard Reader or Tactivo -- it's just bad DOD design.
Tactivo: More elegant, less flexiblePrecise Biometrics' Tactivo is designed as a case for the iPhone or iPad, so there are separate models for each. It is very stylish and fits both iOS devices like a glove. The smart card or CAC slides unobtrusively behind the iPad and iPhone, making for comfortable use. The big advantage of the Tactivo, besides its less obtrusive form factor, is its fingerprint reader, which you could use with several free apps to protect files, photos, and passwords with fingerprint authentication. There's also a software development kit you can use to take advantage of this biometric security protection for various authentication applications.
There are a couple of downsides to the Tactivo. First, if you use both an iPad and an iPhone, you'll need to buy two Tactivo devices. Second, the Tactivo is currently available only for the older iPhone 4/4S and iPad models with the 30-pin connector. Precise Biometrics expects to have Lightning-compatible versions of the Tactivo for the iPhone 5 and new iPad models soon. Given that the Tactivo is an enclosure, the Apple Lightning to 30-pin Adapter of course will not work. If you eventually upgrade from an old 30-pin iPhone or iPad to a new Lightning-equipped iPhone or iPad, you'll need to buy a new Tactivo as well.
The Tactivo for the 30-pin iPhone retails for $249, and the Tactivo for the 30-pin iPad retails for $299. A video demo of the Tactivo product can be found on YouTube.
PKard Reader: Less elegant, more flexibleThursby's PKard Reader is not as stylish as the Tactivo, nor does it include a fingerprint reader. But unlike the Tactivo, the PKard Reader has the ability to work on both the iPhone and iPad. It's currently available for the 30-pin models, but also works with Apple's Lightning to 30-pin Adapter to connect to the newer iPhones and iPads. (Thursby plans to sell a Lightning version of the PKard Reader in the future.)
The PKard Reader is not as easy to handle as the Tactivo, as both the card reader and the smart card hang from the bottom of the iPhone or iPad. I was afraid that if I wasn't careful, I could damage the reader by accidently breaking it off. With the Tactivo, I felt much more comfortable using my iPhone with one hand. With the PKard Reader, I was definitely using two hands. Plus, the PKard Reader is yet another accessory to remember and carry with you. All that said, the PKard Reader is quite usable -- and the same reader works with your iPhone or iPad.
The 30-pin version of the PKard Reader retails for $149.99 in black or white. For an additional $10, Thursby will sell you a Lightning adapter. A video demo of the PKard Reader is also available.
Which smart card reader should you buy? I would give a slight edge to Thursby's PKard Reader, mainly because of the price. Although the Tactivo is easier to use and includes the fingerprint reader, it's too expensive for my taste -- especially considering you have to buy two different models for the iPhone and the iPad. Paying $249 for the iPhone version and $299 for the iPad version is a lot of money. If you really want both the fingerprint reader and the smart card reader, and money is no object (say, your boss is paying for it), get the Tactivo. Overall, though, the $149.99 PKard Reader is a better value, as it can work with any iOS device for roughly half the cost.
Whether you choose the PKard Reader or the Tactivo, you get a solid smart card reader that brings effective two-factor authentication to your iOS device.
This article, 'Review: Smart card readers for the iPhone and iPad,' was originally published at InfoWorld.com. Follow the latest developments in mobile technology at InfoWorld.com. For the latest business technology news, follow InfoWorld.com on Twitter.
Read more about mobile technology in InfoWorld's Mobile Technology Channel.
This story, 'Smart card readers for the iPhone and iPad' was originally published by InfoWorld.
Join the Network World communities on Facebook and LinkedIn to comment on topics that are top of mind.
20 Oct 2014 Using PIV smart cards with Mac OS X 10.10 Yosemite
Posted at 16:06h in Employee Posts, Tech Notes11 Comments
Using PIV smart cards for HHS VPN login with Mac OS X 10.10 Yosemite
Note: This entire post is basically google search bait designed to (hopefully) allow others struggling with the same issues to save a bit of time. Hope it helps!
October 30, 2014 Update
There is an active Citrix support thread on the “no valid certificates found” issue. If this is bothering or interesting you, you may want to monitor this URL: http://discussions.citrix.com/topic/357156-no-certificate-found-at-windows-logon-screen-for-smartcard-authentication/
October 24, 2014 Update
Adobe Reader For Mac
The bulk of this post concerns the $29 Pkard product from Thursby which is the first I found with explicit OS X 10.10 support. I just had a chance to test the new Yosemite 10.10 compatible free SmartCard utility from Centrfy mentioned here: http://www.centrify.com/mac/smartcard/free-smart-card-for-federal-military-cac-piv.asp
. Long story short: It works to get past the VPN gateway but throws the same “no valid certificates found” error when trying to login to the Windows desktop via a Citrix Receiver client. Still no idea why this is happening – on other versions of OS X my smart card credentials transparently passed onto the OS. Still – consider the Centrify software if you don’t want to spend $29.
. Long story short: It works to get past the VPN gateway but throws the same “no valid certificates found” error when trying to login to the Windows desktop via a Citrix Receiver client. Still no idea why this is happening – on other versions of OS X my smart card credentials transparently passed onto the OS. Still – consider the Centrify software if you don’t want to spend $29.
Short Summary
I need to use a HHS PIV card to remotely access computer systems from a brand new Macbook air running OS X 10.10 Yosemite. As of the time I wrote this article, the state of freely available open source software for PIV smart card support on Yosemite is pretty lacking. This will change but if you are in a hurry (as I was) the best thing you can do in the short term is pay $29.95 for the Thursby PKard software from http://www.thursby.com/products/pkard-mac — it installed seamlessly and allowed me to login via VPN although for some reason my certificates were not passed on to the Windows remote desktop system, hopefully I don’t need the $179 “ADmitMac” product for that.
I expect the state of open source smart card and tokend implementations to get better and more easily usable on Yosemite so I may only be using the Thursday product for a short time. It did, however work fast and got me successfully logged onto the remote VPN server.
Current status: Thursby PKard software works well on Yosemite for VPN access but the Windows desktop I get sent to via a Citrix client reports “no valid certificates” and I’m forced to use my standard user login name and password to complete the final authentication. This was not something I needed to do on OS X 10.7 or 10.7 with the open source smart card software stack.
Background
I do some subcontracting work for a few US Government agencies, one of which requires me to be able to connect remotely to US.GOV networks and infrastructure. The way I connect is via a federal standard PIV Card which is a very cool physical badge that doubles as a holder of biometric and personal crypto certificate information. When I’m trying to physically enter a building the PIV card is my secure photo ID badge (with backup biometrics and fingerprints stored o it) — when I try to enter a US Government network “virtually” the same PIV card doubles as VPN access device because it contains a personal set of crypto keys that uniquely identify me. Two-factor authentication is achieved by having to punch in a PIN code when my certs are presented to the remote system. It’s a very slick and interesting system.
From what I can tell, PIV cards are very similar to the CAC cards carried by military members that are often required for secure web browsing and access to military resources In fact, when searching the internet for PIV assistance you will find that some of the best help resources are coming from the military CAC-user community. A perfect example of this is https://militarycac.com/macnotes.htm and https://militarycac.com/cacenablers.htm – the site that I turned to first when looking for OS X Yosemite PIV/smartcard status info.
My Gear
- SCM SCR3500 Smart Card Reader – Amazon Link: http://amzn.com/B00434WQVU
- Belkin flexible USB adapter – Amazon Link: http://amzn.com/B000BK107G
- Macbook Air running OS X 10.10 Yosemite
Getting the PIV card to work on 10.10 Yosemite
Verify your reader works
Attach your reader, use the OS X “About this Mac” -> “System Report” function to verify that your computer and OS actually see and recognize a smart card device:
Attach your reader, use the OS X “About this Mac” -> “System Report” function to verify that your computer and OS actually see and recognize a smart card device:
The card has been tested with dozens of different devices from tablets to cameras to phones and more, and it can accommodate 4K videos, too. The full capacity can accommodate up to 8 hours and 30 minutes of full HD video, 14,000 photos or 5,500 songs. Samsung’s four-point protection claims 72 hours in seawater, extreme temperatures, airport X-ray machines, as well as magnetic fields equivalent to an MRI scanner, so the card will go basically anywhere you need it to go without issue. Best buy sd card reader for mac.
Buy and install the PKard software
Launch OS X Keychain Assistant
What you want to see is the certificates and credentials that are stored on the smart card. If your USB reader and the PKard software are working, Yosemite 10.10 can now “see” the crypto info stored on the PIV card
Fix the Trust Chain (If your PIV certificate is not trusted)
This may not be an issue for an upgraded system but on my brand new laptop my host OS was missing the intermediate certificate trust chain. Keychain Assistant helpfully throws up the red text saying: “This certificate was signed by an unknown authority”
OS X Yosemite does not “trust” the Certificate Authorities that signed my PIV card certificates.
The solution is to go out and install the intermediate certificates necessary to build the full lenght trust chain.
The source of trust chain certificates almost certainly depends on what agency you work for or are trying to access. Haihaisoft pdf reader for mac reviewa. In my case I needed the US GOV Health and Human Services (HHS) intermediate certificates and the best online resource I found for HHS certificates needed for PIV cards is actually over on a NIH hosted site:
I downloaded and installed the “HHS Entrust FPKI Certificate Chain” from the above website:
Installing the certificates results in a chain of trust that culminates with your personal PIV certificates being recognizes as trusted:
Now Test
At this point you have a recognized USB card reader, your personal PIV certificates are visible to Mac OS X and the trust chain is complete. This should be all you need to access or login to PIV-enabled websites.
I removed screenshots showing the portal site I was logging into out of paranoia so I can’t show examples of successful logins. I’ll just show this OS X window which is the system prompt you get when your certificate is being used and the host OS wants to verify your PIN code as part of the two-factor authentication process.
Pkard Reader Case
If you see this, this is your PIN entry prompt and it means that stuff is generally working:
Remember that this is where your PIN goes, ignore the system text about “keychain password” …
Minor Issue
Using the steps outlined above I can successfully authenticate to the remote access environment I need to use on a daily basis. However, on my older laptop my PIV card credentials were transparently passed onto the Windows OS as well and I was not prompted for a second login.
That is not the case now. After getting past the VPN, the remote desktop session can’t see my PIV certificate and I have to fallback to using standard AD username and password. Not optimal but it works for my purposes.
Longer term I want this issue to go away. I’m not sure if it’s a Citrix Receiver issue or perhaps this is a designed-in behavior of the Thursday software designed to upsell software that offers more functionality. I was willing to pay $29.99 for the functionality I needed and the software and documentation is great but I’m not going to shell out $179 for SSO access to a Windows Desktop.
I’m going to keep researching this and will keep an eye on the state of open source / free smart card services for Yosemite 10.10. Will update this post as needed.
16
![Pkard Reader For Mac Pkard Reader For Mac](/uploads/1/2/6/5/126585120/717800607.png)
2011-04-19 15:47:43
16
Apple’s XServe comes with a Lights Out Management (LOM) capability. For anyone dealing with co-located
16
2019-04-23 11:15:15
10
2019-03-13 11:24:30
10