Secure Proximity Cards
This topic describes how to configure Imprivata Enterprise Access Management to support secure authentication using proximity cards with MIFARE DESFire EV3, EV1 and EV2 protocols.
When using MFR-75A readers with EV1 or EV2 cards, open the gear icon > Settings page > Proximity cards section and select Support DESFire EV1 and EV2 cards on MFR75A readers.
This feature extends proximity card authentication by leveraging secure and encrypted card communication. It allows customers to meet stricter authentication security regulations and strengthens the Enterprise Access Management security posture.
For more information about support, see Supported Components.
Configure Secure Proximity Card Authentication
To configure secure proximity card authentication, follow these three steps:

Enable proximity card authentication in the user policy:
- In the Imprivata Admin Console, go to Users > User policies.
- Select the user policy you want to configure to support secure proximity card authentication.
- Enable Proximity Card.

Add a DESFire master key only if your organization issues cards with non-default master keys. If the cards use the default master key (all zeros), you can skip this step.
- In the Imprivata Admin Console, go to the gear icon > Settings page > Proximity cards section.
- Enter the master key(s) in the required format:
  - One key per line.
  - Each key must be 16, 32, or 48 hexadecimal digits.
- Click Save.
If a key is incorrectly formatted, an error is displayed and the key is not saved.

Require secure proximity cards in the computer policy:
- In the Imprivata Admin Console, go to Computers > Computer policies.
- Select the computer policy.
- In the Card Readers section, enable Require use of secure proximity cards.
- Click Save.
This ensures that endpoints enforce strong authentication and accept only secure proximity cards that use encrypted card communication.
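A pre-check for a pasted master-key list before it goes into the Proximity cards setting, added here as an example; it is not Imprivata code and assumes only the format rules stated above (one key per line, 16, 32 or 48 hexadecimal digits) and the all-zeros default. The sample keys are constructed, and the DES/2K3DES/AES/3K3DES size names in the comment are general DESFire conventions that the page itself does not state.

```python
import re

# Accepted key lengths in hex digits, as stated for the Proximity cards setting; in
# DESFire terms: 8-byte (DES), 16-byte (2K3DES or AES) and 24-byte (3K3DES) keys.
KEY_HEX_LENGTHS = {16, 32, 48}
HEX_RE = re.compile(r"^[0-9A-Fa-f]+$")

def validate_master_keys(text: str) -> tuple[list[str], list[str]]:
    """Return (accepted keys in upper case, one message per rejected or noteworthy line)."""
    accepted: list[str] = []
    messages: list[str] = []
    seen = set()
    for n, raw in enumerate(text.splitlines(), start=1):
        key = raw.strip()
        if not key:
            continue  # blank lines carry no key
        if not HEX_RE.match(key):
            messages.append(f"line {n}: rejected, not hexadecimal digits only: {raw!r}")
            continue
        if len(key) not in KEY_HEX_LENGTHS:
            messages.append(f"line {n}: rejected, {len(key)} hex digits (expected 16, 32 or 48)")
            continue
        key = key.upper()
        if key in seen:
            messages.append(f"line {n}: rejected, duplicate of an earlier key")
            continue
        if set(key) == {"0"}:
            # All zeros is the factory default master key; the page says it need not be added.
            messages.append(f"line {n}: note, all-zero key is the default master key")
        seen.add(key)
        accepted.append(key)
    return accepted, messages

# Constructed sample: one key of each size, the default key, a "0x"-prefixed key
# (not plain hex digits) and a lower-case duplicate of the first key.
SAMPLE = """\
0123456789ABCDEF
00112233445566778899AABBCCDDEEFF
000102030405060708090A0B0C0D0E0F1011121314151617
00000000000000000000000000000000
0x0123456789ABCDEF
0123456789abcdef
"""

if __name__ == "__main__":
    ok, notes = validate_master_keys(SAMPLE)
    print("accepted:", *ok, sep="\n  ")
    print("messages:", *notes, sep="\n  ")
```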
Enrolling a Secure Proximity Card
Users must enroll their secure proximity card before using it for authentication. Enrollment is supported both before desktop login and after desktop login.
If the Require eIDAS Substantial policy option is enabled, supervised enrollment is mandatory for secure proximity cards.
- To configure who can act as supervisors, see Adding Supervisors.
- For supervisors' responsibilities and procedures, see Supervised Enrollment.

Users can enroll their secure proximity card in two ways. If the card isn’t enrolled, they can simply tap and hold it on the reader. The system detects the unregistered card and prompts them to complete the enrollment automatically.
Alternatively, users can enroll the card manually.

Before desktop login:
- At the pre-login enrollment window, enter their username and password.
- Select Enroll a new badge.
- Tap and hold their secure proximity card on the reader.
- After authenticating to the enrollment utility, tap and hold the card on the reader again.
- Enrollment completes automatically.

After desktop login:
- Launch the Enrollment Utility.
- Select Enroll a new badge.
- Tap and hold their secure proximity card on the reader.
- Enrollment completes automatically.
Authentication workflow
Once enrolled, users can authenticate by simply tapping and holding their secure proximity card on a supported reader.
Combined FIDO2/DESFire Badges
Badges that combine both FIDO2 and DESFire technologies cannot operate simultaneously in the system. The system prioritizes FIDO2 by default.
- Combined badges operate as FIDO2 without additional configuration.
- To use the badge as a DESFire proximity card, disable FIDO2 completely on the endpoint:
  - Rename the FactoryLoadID registry key in Computer\HKEY_LOCAL_MACHINE\SOFTWARE\SSOProvider\DeviceManager\Devices\Fido2\Providers\ScardAPI.
  - Restart the endpoint.

Disabling FIDO2 through this process affects the entire endpoint and all readers. To restore FIDO2 functionality, revert the FactoryLoadID registry key to its original name and restart the endpoint.