
MacOS Smart Card Services

Smart card usage has been on the rise for a variety of reasons, but the most prominent is undoubtedly their identity management capabilities. Cybersecurity-oriented organizations are taking advantage of smart cards through physical security tokens, the most popular example being YubiKeys. Security tokens like YubiKeys let users log in to their network securely with MFA capabilities. YubiKeys are innately capable of three different factors of authentication:

  • Using private keys or one-time passwords,
  • Requiring physical touch to send the authentication request,
  • Biometric scanning of fingerprints.

Organizations that want to take advantage of smart cards need to be aware that managing them properly takes more than just the physical tokens. For macOS environments, some smart card services come with the operating system, but with the last year seeing a 165% increase in macOS malware, it’s important to find a smart card management system that works for you; a lackluster management system can lead to an extremely volatile environment. Check out how SecureW2 software allows end-users to easily self-configure their smart cards on macOS, or check out what one of our customers had to say.

In this article, we’ll take a look at the native smart card services in macOS and what management services might be lacking.

 

Using a Smart Card With a Mac

macOS 10.15 includes native support for personal identity verification (PIV) smart cards, USB CCID class-compliant readers, and hard tokens that support the PIV standard. The built-in support for smart cards in macOS is based on a modern framework called CryptoTokenKit (CTK) that enables smart card support without any additional software.

When a user inserts a smart card into a macOS system, a prompt should appear that initiates “Local Account Pairing” for the card. After following the prompts, the user’s account will be linked to the smart card, and the user can then log in securely using the smart card. If a user chooses not to pair their card, they can still use the card to access websites with smart card login functionality.

The steps below describe the local account pairing process:

  • Insert a PIV smart card or hard token that includes authentication and encryption identities
  • Select “Pair” at the notification dialog
  • Provide administrator account credentials (username/password)
  • Provide the 4–6 digit Personal Identification Number (PIN) for the inserted smart card
  • Log out and use the smart card and PIN to log back in
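
The pairing state described above can also be checked from Terminal with the macOS `sc_auth` tool. The script below is an added example, not part of the original article or SecureW2's software: it finds the unpaired PIV authentication identity on a card and prints the matching `sc_auth pair` command. The `sc_auth identities` output layout and the sample hashes are constructed assumptions; off a Mac, the script falls back to the embedded sample.

```shell
#!/bin/sh
# Added example: audit smart card pairing from `sc_auth identities` output.

# Constructed sample (not a real card), mirroring the assumed layout:
# a card header, a section header, then "<40-hex hash><TAB><label>" lines.
sample_identities() {
    printf 'SmartCard: com.apple.pivtoken:00000000\n'
    printf 'Unpaired identities:\n'
    printf '%s\t%s\n' 0123456789ABCDEF0123456789ABCDEF01234567 \
        'Certificate For PIV Authentication (Constructed User)'
    printf '%s\t%s\n' 89ABCDEF0123456789ABCDEF0123456789ABCDEF \
        'Certificate For Key Management (Constructed User)'
}

# Print every identity line found in an "Unpaired identities" section.
unpaired_identities() {
    awk '
        /^Unpaired identities/            { unpaired = 1; next }
        /^(SmartCard:|Paired identities)/ { unpaired = 0; next }
        unpaired && length($1) == 40 && $1 ~ /^[0-9A-Fa-f]+$/ { print }
    '
}

# A PIV card carries several identities (authentication, encryption);
# only the authentication identity should be paired for login.
piv_auth_hash() {
    unpaired_identities | awk '/PIV Authentication/ { print $1; exit }'
}

if command -v sc_auth >/dev/null 2>&1; then
    identities=$(sc_auth identities)     # real card on a Mac
else
    identities=$(sample_identities)      # constructed data elsewhere
fi

hash=$(printf '%s\n' "$identities" | piv_auth_hash)
if [ -n "$hash" ]; then
    echo "Unpaired PIV authentication identity: $hash"
    echo "Pair it with: sudo sc_auth pair -u <username> -h $hash"
else
    echo "No unpaired PIV authentication identity found"
fi
```

After pairing, `sc_auth list -u <username>` shows the hashes bound to that account, which is a quick way to confirm the link before logging out.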

 

Native Smart Card Functions For macOS

macOS 10.15 includes built-in support for some helpful functions. These include:

  • Smart cards can be used for two-factor authentication to the following: LoginWindow, PKINIT, SSH, Screensaver, Safari, authorization dialogs, and third-party apps supporting CTK
  • Users can digitally sign and encrypt messages using the native Mail application
  • Smart cards can be used for encryption for Mail and Keychain Access

While it’s a huge step forward to see macOS prioritizing smart card functionality, there is still much left to be desired. This is especially true for organizations that want to take full advantage of smart card authentication for their entire workforce.

 

Smart Card Management With macOS + SecureW2

While they were designed to be used by enterprise organizations, smart cards simply don’t have the capability to be managed at a large scale by an OS alone. It’s important to find a smart card management system that works for you, considering that a lackluster management system can lead to extremely volatile vulnerabilities.

SecureW2’s Smart Card Management System (SCMS) was developed to simplify the process of smart card management by automatically equipping smart card devices with digital certificates. Combining powerful certificates with smart cards opens up a world of authentication security options and allows you to have complete visibility of your network’s activity.

Our JoinNow onboarding software allows users to enroll their smart cards in just a few clicks, and our management portal then lets you view and manage your distributed certificates, giving you complete control of your network’s security.

SecureW2’s SCMS can be integrated into your existing macOS infrastructure or be included as part of our larger Cloud PKI solution. We can help you maximize the capabilities of your smart cards with powerful certificates and a fully equipped management system. Don’t wait until it’s too late: get better security and user experience at an affordable price for any enterprise.

 

Key Takeaways:
  • macOS offers basic smart card functions.
  • Smart cards simply don’t have the capability to be managed at a large scale by an OS alone.

Eytan Raphaely

Eytan Raphaely is a digital marketing professional with a true passion for writing things that he thinks are really funny, that other people think are mildly funny. Eytan is a graduate of University of Washington where he studied digital marketing. Eytan has diverse writing experience, including studios and marketing consulting companies, digital comedy media companies, and more.