
Comments (5)

CardContact avatar CardContact commented on June 19, 2024

That is already available with Match-On-Card support in the SmartCard-HSM. See the KeyXentic KX 906 token that has an embedded secure element with the SmartCard-HSM applet and 1-to-1 fingerprint matching.

@frankmorgner can probably also talk about the GoID card, that has an embedded fingerprint sensor.

Technology is available, but market demand is low.

from opensc.

RufusJWB avatar RufusJWB commented on June 19, 2024

> That is already available with Match-On-Card support in the SmartCard-HSM. See the KeyXentic KX 906 token that has an embedded secure element with the SmartCard-HSM applet and 1-to-1 fingerprint matching.
>
> @frankmorgner can probably also talk about the GoID card, that has an embedded fingerprint sensor.
>
> Technology is available, but market demand is low.

I'm aware that there are card-specific technologies available. But I'm more thinking about a vendor-agnostic approach that utilizes things like Windows Hello for Business and Conditional Based Access to unlock the smart card with biometrics.

from opensc.

CardContact avatar CardContact commented on June 19, 2024

So you want the user to authenticate towards a trusted server, that in turn authenticates against the card?

Then you need some challenge response protocol between the card and the server, so that no sensitive information gets lost while the server authenticates against the card.

We use TA from BSI TR-03110 for that, which has an EC key on the server that signs a challenge generated by the card. In a large application we use that in addition to the user PIN to ensure that the card is only used in the designated security environment. But server authentication could also be the sole or alternate authentication method.

from opensc.
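The challenge-response shape described in this comment, as an added illustration in Go (not code from the thread, from OpenSC or from the SmartCard-HSM): the card draws a nonce, the server signs it with its EC key, and the card verifies the signature against a server public key provisioned at personalization, consuming the challenge so a captured response cannot be replayed. The names (`Card`, `ServerSign`, the 16-byte nonce size) are assumptions; real TR-03110 terminal authentication also verifies a CV certificate chain for the server key, which this model leaves out.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Card models the token: only the server's public key (provisioned at personalization) and one pending challenge.
type Card struct {
	serverPub *ecdsa.PublicKey
	challenge []byte // nil until Challenge() is called, cleared after one check
}
func NewCard(serverPub *ecdsa.PublicKey) *Card { return &Card{serverPub: serverPub} }

// Challenge draws a fresh 16-byte nonce (assumed size); issuing a new one invalidates the old.
func (c *Card) Challenge() ([]byte, error) {
	nonce := make([]byte, 16)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	c.challenge = nonce
	return append([]byte(nil), nonce...), nil
}

// ServerSign is the server side: ECDSA P-256 over SHA-256(challenge).
func ServerSign(priv *ecdsa.PrivateKey, challenge []byte) ([]byte, error) {
	digest := sha256.Sum256(challenge)
	return ecdsa.SignASN1(rand.Reader, priv, digest[:])
}

// VerifyResponse is the card's decision; the pending challenge is consumed on every attempt, so a replay fails.
func (c *Card) VerifyResponse(sig []byte) bool {
	if c.challenge == nil {
		return false
	}
	digest := sha256.Sum256(c.challenge)
	c.challenge = nil
	return ecdsa.VerifyASN1(c.serverPub, digest[:], sig)
}

func main() {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	card := NewCard(&priv.PublicKey)
	ch, _ := card.Challenge()
	sig, _ := ServerSign(priv, ch)
	fmt.Println("card unlocked:", card.VerifyResponse(sig))
}
```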

RufusJWB avatar RufusJWB commented on June 19, 2024

> So you want the user to authenticate towards a trusted server, that in turn authenticates against the card?

Correct. The server needs to support OAuth2 because I want to utilize Entra ID Conditional Based Access.

> Then you need some challenge response protocol between the card and the server, so that no sensitive information gets lost while the server authenticates against the card.

That would indeed be the best approach, but as stated above, I could live with saving the PIN in a TPM chip, if the chip is inside a trusted computer.

> We use TA from BSI TR-03110 for that, which has an EC key on the server that signs a challenge generated by the card. In a large application we use that in addition to the user PIN to ensure that the card is only used in the designated security environment. But server authentication could also be the sole or alternate authentication method.

This is probably not card agnostic, is it? I would need a solution working with CardOS cards but which ideally would work with any card.

from opensc.

frankmorgner avatar frankmorgner commented on June 19, 2024

If you don't want to use some integrated solution (e.g. GoID card as described above), you are left with stacking and combining different technologies.

What is wrong with the process you have depicted (other than you should do it all-local rather than involving some shady web component)? The same process is used locally for some demo Windows Credential Providers, which are storing and recovering the user's (encrypted) password for login instead of a smart card PIN.

from opensc.
