TokenVSC
[TokenVSC]
CheckExpire=60
Events=4
LocalProtect=0
:LoginTimeout=0
MigrateOld=0
PinExpire=0
PinFailMode=0x01000A05
:PinHistory=0
PinMaxLen=32
PinMinLen=6
:PinPolicy=
PinType=0
:RememberFailedAttempt=0
SingleSignOn=1
The parameters PinMaxLen, PinMinLen, and PinType are stored in the soft token when it is created. The values can be changed during creation, so they should be considered default values that apply if nothing else is specified.
The default configuration for soft tokens is used for evaluation and to simulate a smart card. This configuration should not be used in a production environment that uses soft tokens. Update the configuration according to your organization's requirements. Some parameters are set during creation, that is, from Net iD Portal.
Events
The Events parameter tells when to validate the soft token for updates. The value is a bitmask so it can be checked at several places.
#define VALIDATE_TOKEN_OFF 0
#define VALIDATE_TOKEN_EVENT 1
#define VALIDATE_TOKEN_LIST_SLOT 2
#define VALIDATE_TOKEN_DETECT_RUN 4
[TokenVSC]
Events=4
LocalProtect
The LocalProtect parameter sets whether CryptProtectData in Windows should be used to protect soft tokens. When this parameter is set, the encrypted data is associated with the current computer instead of with an individual user, so any user on the computer on which CryptProtectData is called can use CryptUnprotectData to decrypt the data.
LoginTimeout
LoginTimeout specifies the number of seconds the login procedure can be inactive. The counter resets when the PIN is used.
Resets the counter:
- Login
- Login (when already logged in)
- Key usage (sign/verify/encrypt/decrypt/etc.)
- Card update (create/delete/etc.)
Does not reset the counter:
- Search for object
- Reading object
- Login status check
#define PIN1 0x01
#define PIN2 0x02
#define PIN3 0x04
[TokenVSC]
LoginTimeout=<seconds>,<pin-bit-mask>
PinExpire
Soft tokens always support time stamps for PIN change, so you can also enable automatic PIN expiration. This means that the end-user is forced to change the PIN at regular intervals. The PinExpire parameter gives the number of days until a change is required.
[TokenVSC]
PinExpire=90
PinFailMode
Soft tokens do not usually support PIN blocking, since they cannot handle the unlock functionality. Still, Net iD Client supports blocking for a specified time (in minutes), and you may also specify a time delay between PIN attempts (in milliseconds). This functionality requires that PIN blocking is activated for the PIN type (bitmask 0x40):
#define VSC_PIN_FAIL_MODE_ATTEMPTS(a) (a & 0xFF)
#define VSC_PIN_FAIL_MODE_BLOCK_TIME(a) ((a >> 8) & 0xFF)
#define VSC_PIN_FAIL_MODE_DELAY(a) ((a >> 24) & 0xFF)
#define VSC_PIN_FAIL_MODE_DEFAULT 0x01000A05
[TokenVSC]
PinFailMode=0x01000A05
PinType=0x40
The blocking functionality is not a security feature, since the block can be bypassed. It is an alternative that gives the end-user the same type of experience as when using a smart card.
PinHistory
This parameter gives the number of old PINs that are kept in a history list, to stop end users from reusing the same PIN.
PinMaxLen
PIN policy should be stored in the smart card profile. But the configuration can add more requirements. The PinMaxLen parameter tells the maximum number of characters in the PIN.
[TokenVSC]
PinMaxLen=6
PinMinLen
PIN policy should be stored in the smart card profile. But the configuration can add more requirements. The PinMinLen parameter tells the minimum number of characters in the PIN.
[TokenVSC]
PinMinLen=6
PinPolicy
PinPolicy specifies the default PIN policy to use when creating a new VSC token. Normally, PinPolicy is specified during creation.
PinType
This parameter tells whether a specific PIN policy is required.
// Password type:
// 0 -> all chars (case sensitive)
// 1 -> all chars (case insensitive)
// 2 -> all chars (max 2 in row or normal/keyboard sequence)
// 3 -> all chars (max 2 in row or normal sequence)
// 4 -> all chars (max 2 in row)
// 5 -> only digits
//
// Normal sequence:
// a-z, z-a, 0-9, 9-0
// Keyboard sequence:
// qwertyuiop, poiuytrewq
// asdfghjkl, lkjhgfdsa,
// zxcvbnm, mnbvcxz,
// qaz, zaq, wsx, xsw, ...
#define VSC_PIN_TYPE_LOGOUT_AFTER_SIGN 0x80
#define VSC_PIN_TYPE_MAY_BLOCK_PIN 0x40
#define VSC_PIN_TYPE_VALUE(a) (a & 0x0F)
[TokenVSC]
PinType=5
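The Events, LoginTimeout, PinFailMode and PinType parameters above are all bit-packed, and the only way to know what a given value means is to apply the macros listed in this documentation. The following script is an added example, not Net iD code: it parses a [TokenVSC] section with Python's configparser, decodes each packed value using the bit layout given by the VSC_PIN_FAIL_MODE_*, VSC_PIN_TYPE_* and VALIDATE_TOKEN_* definitions, and reports the settings that the text above describes as weak or inactive (LocalProtect binding tokens to the machine, Events=0, PinExpire=0, and a PinFailMode block time without the 0x40 bit in PinType). Both configurations embedded in it are constructed samples; the treatment of a LoginTimeout without a comma as "no PIN mask" is an assumption, since the page only shows the two-field form.

```python
"""Decode and audit the bitmask-valued parameters of a Net iD Client [TokenVSC]
section. Added example, not Net iD code; sample configurations are constructed."""
import configparser

# Constructed sample: page defaults, with LoginTimeout, PinExpire and PinType
# set to non-default values so every decoder has something to show.
SAMPLE_CONFIG = """
[TokenVSC]
Events=4
LocalProtect=0
LoginTimeout=300,3
PinExpire=90
PinFailMode=0x01000A05
PinMaxLen=32
PinMinLen=6
PinType=0x45
"""

# Constructed sample of a weaker configuration used to exercise audit().
WEAK_CONFIG = """
[TokenVSC]
Events=0
LocalProtect=1
PinExpire=0
PinFailMode=0x01000A05
PinType=5
"""

# Bit names copied from the #define lists in the documentation.
EVENT_FLAGS = {1: "VALIDATE_TOKEN_EVENT", 2: "VALIDATE_TOKEN_LIST_SLOT",
               4: "VALIDATE_TOKEN_DETECT_RUN"}
PIN_FLAGS = {0x01: "PIN1", 0x02: "PIN2", 0x04: "PIN3"}
PIN_TYPE_NAMES = {0: "all chars (case sensitive)", 1: "all chars (case insensitive)",
                  2: "all chars (max 2 in row or normal/keyboard sequence)",
                  3: "all chars (max 2 in row or normal sequence)",
                  4: "all chars (max 2 in row)", 5: "only digits"}
VSC_PIN_TYPE_MAY_BLOCK_PIN = 0x40
VSC_PIN_TYPE_LOGOUT_AFTER_SIGN = 0x80


def load_tokenvsc(text):
    """Parse the [TokenVSC] section; keys keep their case, values stay strings."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str
    cp.read_string(text)
    return dict(cp["TokenVSC"])


def to_int(raw):
    """Accept decimal and 0x-prefixed hex, as the page writes PinFailMode."""
    return int(raw, 0)


def decode_events(value):
    """Return the names of the VALIDATE_TOKEN_* bits set in Events."""
    return [name for bit, name in EVENT_FLAGS.items() if value & bit]


def decode_login_timeout(raw):
    """LoginTimeout=<seconds>,<pin-bit-mask>. A bare number is treated as
    'no PIN mask' (assumption; the page only shows the two-field form)."""
    seconds, _, mask = raw.partition(",")
    mask_value = to_int(mask) if mask else 0
    return int(seconds), [name for bit, name in PIN_FLAGS.items() if mask_value & bit]


def decode_pin_fail_mode(value):
    """Mirror VSC_PIN_FAIL_MODE_*: attempts in bits 0-7, block time (minutes)
    in bits 8-15, delay (ms) in bits 24-31; bits 16-23 are unused."""
    return {"attempts": value & 0xFF,
            "block_minutes": (value >> 8) & 0xFF,
            "delay_ms": (value >> 24) & 0xFF}


def decode_pin_type(value):
    """Split PinType into its policy value (low nibble) and the two flag bits."""
    policy = value & 0x0F
    return {"value": policy,
            "policy": PIN_TYPE_NAMES.get(policy, "unknown"),
            "may_block_pin": bool(value & VSC_PIN_TYPE_MAY_BLOCK_PIN),
            "logout_after_sign": bool(value & VSC_PIN_TYPE_LOGOUT_AFTER_SIGN)}


def audit(cfg):
    """Return findings that follow directly from the documented semantics."""
    findings = []
    if to_int(cfg.get("LocalProtect", "0")):
        findings.append("LocalProtect=1: tokens are bound to the computer, so any "
                        "local user can decrypt them with CryptUnprotectData")
    if not decode_events(to_int(cfg.get("Events", "0"))):
        findings.append("Events=0: soft tokens are never validated for updates")
    if to_int(cfg.get("PinExpire", "0")) == 0:
        findings.append("PinExpire=0: no forced PIN change interval")
    fail_mode = decode_pin_fail_mode(to_int(cfg.get("PinFailMode", "0")))
    pin_type = decode_pin_type(to_int(cfg.get("PinType", "0")))
    if fail_mode["block_minutes"] and not pin_type["may_block_pin"]:
        findings.append("PinFailMode sets a block time but PinType lacks bit 0x40, "
                        "so PIN blocking is inactive")
    return findings


if __name__ == "__main__":
    for name, text in (("sample", SAMPLE_CONFIG), ("weak", WEAK_CONFIG)):
        cfg = load_tokenvsc(text)
        print(name, decode_pin_fail_mode(to_int(cfg["PinFailMode"])),
              decode_pin_type(to_int(cfg["PinType"])), audit(cfg))
```

Running the script decodes the default PinFailMode=0x01000A05 as 5 attempts, a 10-minute block and a 1 ms delay, and reports the four weak settings in the second sample while the first passes clean. The keys with a leading colon in the section listing at the top of this page are not included in the samples; add them to the parser only once you have confirmed how your Net iD version treats that prefix.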
RememberFailedAttempt
A calling application can send the PIN by using CryptSetProvParam. Normally, each attempt results in a call to the smart card. This parameter can be used to avoid locking the PIN: the last failed attempt with a specific PIN value and container is remembered, and the call returns failed without an attempt against the smart card.
[TokenVSC]
RememberFailedAttempt=0