Tokens and smartcards

SafeGuard Enterprise provides enhanced security by supporting tokens and smartcards for authentication. Tokens and smartcards can store certificates, digital signatures and biometric details.
Note

Tokens and smartcards cannot be configured for macOS endpoints.

Token authentication is based on the principle of two-stage authentication: a user has a token (ownership), but can only use the token if they know the specific token password (knowledge). When a token or smartcard is used, users only need the token and a PIN for authentication.

From SafeGuard Enterprise's perspective, smartcards and tokens are treated in the same way, so the terms “token” and “smartcard” refer to the same thing in the product and in the help. The use of tokens and smartcards needs to be enabled in the license, see Token licenses.

Windows 8 and later offer a feature called virtual smartcard. A virtual smartcard simulates the functionality of a physical smartcard using the TPM chip as its basis, but cannot be used with SafeGuard Enterprise.

Tokens are supported in SafeGuard Enterprise:

  • in the SafeGuard Power-on Authentication (not applicable for Windows 8 and Windows 8.1)

  • at operating system level

  • to log on to the SafeGuard Management Center

When a token is issued to a user in SafeGuard Enterprise, data such as the manufacturer, type, serial number, logon data and certificates are stored in the SafeGuard Enterprise Database. Tokens are identified by their serial number, which is how SafeGuard Enterprise recognizes them.

There are significant benefits:

  • You know which tokens are in circulation and which users they are assigned to.

  • You know when they were issued.

  • If a token is lost, the security officer can identify it and block it. This prevents the misuse of data.

  • The security officer can nevertheless use Challenge/Response to temporarily allow logon without a token, for example, if a user has forgotten the PIN.
    Note: With SafeGuard volume-based encryption this recovery option is not supported with cryptographic token logon (Kerberos).