IBM Security Access Manager for Enterprise Single Sign-On, Version 8.2.1

Hybrid smart card authentication

IBM® Security Access Manager for Enterprise Single Sign-On supports the use of hybrid smart cards for user authentication on both personal and shared workstations.

How it works

A hybrid smart card combines an embedded PKI microprocessor with a contact interface and an RFID chip with a contactless interface. Users can log on and unlock the Windows desktop with a smart card without re-entering the smart card PIN within a configurable grace period. The grace period is measured from the last two-factor authentication time.

Outside the grace period, the user logs on with the smart card and PIN through the contact interface. Within the grace period, the user can log on across workstations with the smart card only, through the contactless interface. The logged-on user can also unlock the Windows desktop with the smart card only, through the contactless interface.
Note: The smart card PIN is not related to the ISAM ESSO password.

To use hybrid smart card authentication, users must register their hybrid smart cards as secondary authentication factors.

Hybrid smart card tap same and tap different

Tap same

When the user taps the same hybrid smart card again during an AccessAgent session, the Windows desktop is locked. This behavior is configured through the smart card tap same machine policy.

Tap different

When a different hybrid smart card is tapped during an AccessAgent session, the previous user is logged off and the new user is logged on. This behavior is configured through the smart card tap different machine policy.
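
The grace-period and tap rules described above can be modeled as follows. This is an added illustration, not IBM code or an AccessAgent API. The function names, interface strings, the 60-minute sample value and the inclusive window boundary are assumptions of the model, as is its reading that a card-only tap does not restart the grace period because it is not a two-factor authentication.

```python
from datetime import datetime, timedelta

def card_logon(last_2fa, now, interface, grace, pin_ok=False):
    """Decide one logon attempt; returns (allowed, updated last_2fa)."""
    if interface == "contact":
        # Card plus PIN is a two-factor authentication: it restarts the window.
        return (True, now) if pin_ok else (False, last_2fa)
    if interface == "contactless":
        # Card-only tap: allowed only inside the window, and it does not
        # move the reference time (assumption: inclusive upper bound).
        ok = last_2fa is not None and now - last_2fa <= grace
        return ok, last_2fa
    raise ValueError(f"unknown interface: {interface}")

def tap_during_session(session_card, tapped_card):
    """Behavior the page describes for a tap while a session is active."""
    if tapped_card == session_card:
        return "lock_desktop"                 # tap same
    return "log_off_previous_log_on_new"      # tap different

def replay(events, grace):
    """Replay constructed (minute, interface, pin_ok) events for one card."""
    t0 = datetime(2024, 1, 1, 8, 0)
    last_2fa, results = None, []
    for minute, interface, pin_ok in events:
        now = t0 + timedelta(minutes=minute)
        allowed, last_2fa = card_logon(last_2fa, now, interface, grace, pin_ok)
        results.append(allowed)
    return results

# Constructed timeline; 60 minutes is a sample value, not a product default.
SAMPLE = [
    (0,  "contactless", False),  # no card+PIN logon yet: refused
    (5,  "contact",     True),   # card + PIN: window starts at minute 5
    (30, "contactless", False),  # 25 min after two-factor logon: allowed
    (64, "contactless", False),  # 59 min after two-factor logon: allowed
    (70, "contactless", False),  # 65 min after it: refused, despite recent taps
    (71, "contact",     True),   # card + PIN again: window restarts
    (90, "contactless", False),  # 19 min after the new two-factor logon: allowed
]

if __name__ == "__main__":
    print(replay(SAMPLE, timedelta(minutes=60)))
```

The refusal at minute 70 is the point to check when setting the grace period: it bounds how long a lost or borrowed card works on its own, regardless of how often it is tapped.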


