FAQ

Physical Access

Do you support Indala cards?

Yes, through the use of an additional low frequency (prox) inlay in the card and chip programming. We can duplicate the cards in use.

Do you support iClass?

iClass is a proprietary card technology from HID and can not be duplicated within our cards. We suggest upgrading your readers to support ISO14443 and ISO15693 (iClass).

How do you handle custom card formats (by HID, GE, or installer channel)?

HID, Indala and Casi Rusco (now GE) developed unique data formats for OEMs and integrators to protect their markets from competition. Most formats can be programmed with a release from their owner. If the owner refuses, the only option is to replace the readers with dual-frequency readers and migrate away from the proprietary format.

Can you work with DESFire?

Yes, it can either be done through emulation on the module or as a DESFire card with module.

Can you work with proximity cards?

Yes, there is an additional inlay in the card to support proximity cards.

Can you work with Magstripe?

Yes, cards can be ordered with or without a HiCo three track magnetic stripe, which is the same type of magstripe found on credit cards.

Are your cards interoperable with multiple protocols at the same time?

Typically yes, but while a card can be built to support multiple frequencies and support multiple protocols, it is best to verify the requirements to make sure it's technologically possible.

How do you integrate with PACS?

There are two separate stages to integration. Cards can be built to support many of the popular PACS technologies simply by having the card emulate the existing building card format. The first stage, therefore, is to integrate the card so that it is usable and recognized by the existing PACS. The key to doing this well is to understand the technology already in use and the desired future migration plans. The second stage is integrating the users' identity data from the existing PACS with other systems, such as personnel records, in order to decrease administration time and reduce errors. These systems have traditionally been kept separate by building security professionals as a legacy practice, however through the idOnDemand service it is now possible to securely integrate them. There are various deployment options and we will work with you to find the one most appropriate for your organization.

How do I correlate the serial numbers of the cards with the users that already exist in my PACS?

Both the module serial number and the PACS number can be marked on the outside of the card for easy cross-correlation. The list of new users with their corresponding card serial numbers may also be downloaded via an API or user interface, or delivered by email.

Can I print a card onsite so that I don't have to wait for idOnDemand to print and deliver it?

Yes.

What are the parameters that can be set by administrators regarding a PIN policy and are there any limitations?

Your organization will be able to define its own PIN parameters; however, in all cases a minimum of 6 characters is required.

Printing

Can you leverage previous branding and photographs?

Data can be lifted from your current corporate directory such as photos or other information about the individual.

We already have a layout editor. Can we leverage our own editor or do we have to use yours?

With local issuance, you can choose how you print your cards. We provide a full web badge design and enrollment solution or you can use your existing solution. During enrollment, idOnDemand will retrieve the required information from your local system or corporate directory.

Our user data is already in our PACS. Can we leverage this data without having to re-enter it?

Currently idOnDemand can use PACS information stored in your corporate LDAP. In the future we will add an ODBC interface which will allow direct integration with most PACS and HR systems, and other database-based applications.

What type of material is the SmartID made of?

Most module based smart cards are composite, combining PVC with polyester which provides longer life than PVC alone.

What is your warranty policy for SmartIDs?

idOnDemand extends a five year warranty on all cards for manufacturing defects when used under normal office conditions. idOnDemand will produce the same card with the same data if you experience defects.

Enrollment, Distribution & Delivery

What is the process for enrolling users for idOnDemand SmartID? Does my current process (existing PACS and badging software) change?

Normally, yes. idOnDemand includes a sophisticated web enrollment system that can be used on any number of computers, allowing for single or bulk enrollment. idOnDemand can also lift corporate information stored in your corporate directory to save re-entry of data. An ODBC interface will be available in v2.

Do we have to use the fingerprint template that is included in your solution?

Fingerprint templates are part of the Federal government PIV standards. They are optional in our service and may be used only for people that require the use of fingerprint matching.

How do you verify delivery and identity of person when delivering to a remote location?

idOnDemand can deliver cards directly to the end user in a sealed RF protective envelope. The cards are locked and enabled by the user using a link sent to them via email. Alternatively, the cards can be delivered to an onsite enrollment officer and manually distributed. idOnDemand supports both standard postal mail delivery and signed courier delivery services.

What are your delivery options for completed idOnDemand SmartIDs?

idOnDemand can mail cards directly to the end user or enrollment officer, as well as local issuance (onsite printing).

What type of packaging are large batches of idOnDemand SmartIDs delivered in?

idOnDemand SmartID cards are delivered in sealed envelopes with the recipient’s name visible through a clear window envelope.

Can I define the serial number ranges?

Yes. FACN, Prox and Indala ranges can be defined and the allocation method can be determined.

Is there an additional charge to deliver cards to remote users or locations?

First class postal service is included in the idOnDemand subscription cost. Courier services are extra and vary depending on where the card(s) are being delivered.

How can we centrally administer the issuance of cards (also help desk, termination, etc)?

idOnDemand supports management of both local and onsite issued cards.

Lost Card & Emergency Access & PINs

How does emergency access work?

idOnDemand Emergency Access is the first highly secure method of providing access to IT and other resources when users lose or forget their ID card. It works by requiring the user to identify themselves with backup authentication methods such as text message to a mobile phone, fingerprint, knowledgebase (not recommended), co-worker validation, etc. Once validated, the user's idOnDemand SmartID is simulated by a hardware security module in the idOnDemand datacenter which allows the computer to function as though the user's idOnDemand SmartID had been inserted.

How do we suspend a card when the user has forgotten their primary card at home? Can we issue them a temporary card?

When a person has LOST their card, the card is suspended in the idOnDemand user interface or via a connector to the corporate infrastructure, and a new card is then issued locally or centrally. If the card is only temporarily forgotten, the user may use emergency access instead.

If a user forgets their PIN, does helpdesk need to be involved or can this be automated?

idOnDemand's self-help portal can be used to reset the user's PIN; however, this requires that certain identity-related information was entered during the enrollment process. In situations where there is insufficient information about the person, the helpdesk will be able to reset the user's PIN.

Termination

What is the process to terminate a user from your service?

You can delete the user in the user interface or through the API connector.

Can the certificates used in your service be terminated?

When a user is suspended, the OCSP service and CRL are updated and the user's certificate is marked as revoked.

Does termination have to happen in your system as another point of administration or can it be integrated with our PACS and Directory (or IDM)?

We provide an API which allows idOnDemand to be customized for your environment. Contact us with your specific requirements and we will work to find the best integration with your existing systems.

What is the process to revoke an idOnDemand SmartID for a remote employee?

You will need to suspend the user within idOnDemand. The certificates will then be flagged in the CRL and OCSP service as invalid.

Services

What type of technical support do you offer?
What is the scope of your technical support? What issues will you help resolve and what are out of scope?

See www.idondemand.com/support. Electronic support is provided for most customers. Additional services are available which include telephone and tracked support, online portal access, etc. See our support package offerings.

Do you provide support for the certificates you issue?

Yes.

What is the scope of your services such as determining requirements, defining technical implementation and assistance with deployment?

A one hour overview session with our support team is included for new customers. Professional services are available at an additional fee. Visit the online store for more information.

VPN

What VPNs does your solution support when using certificates on a SmartID?

Cisco ASA, Juniper, Nokia, Microsoft and other VPN products that support X.509 certificates.

How do I enable my VPN to use the certificates provided with your solution?

In simple terms, the administrator will create a certificate for the VPN which establishes the trust between the CA and the VPN, enabling the VPN to validate user certificates. With most VPNs, no external AAA is required, as PKI support is built into the VPN router.
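An added example, not idOnDemand's code, that ties the VPN trust step above to the revocation answers in the Termination section: a throw-away CA stands in for the service's CA, one user certificate for the card certificate, and a CRL shows what a CRL-checking relying party (a VPN that trusts the CA) sees before and after the user is suspended. All names and values are constructed, and it assumes the openssl CLI is installed.

```shell
# Constructed demo, not idOnDemand's code: a throw-away CA stands in for the
# service's CA, one user certificate for the card certificate, and a CRL shows
# what a CRL-checking relying party (a VPN that trusts the CA) sees before and
# after the user is suspended. Names are assumptions; requires the openssl CLI.
set -e
WORK="$(mktemp -d)"
cd "$WORK"
# 1. Root CA the relying party trusts (the "certificate for the VPN" step).
openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Demo CA" \
  -keyout ca.key -out ca.crt >/dev/null 2>&1

# 2. A user certificate issued by that CA (constructed subject name).
openssl req -newkey rsa:2048 -nodes -subj "/CN=alice@example.test" \
  -keyout user.key -out user.csr >/dev/null 2>&1
openssl x509 -req -in user.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
  -days 30 -out user.crt >/dev/null 2>&1

# 3. Minimal CA database so "openssl ca" can record revocations and emit a CRL.
touch index.txt
echo 01 > crlnumber
cat > ca.cnf <<EOF
[ ca ]
default_ca = demo
[ demo ]
database = index.txt
crlnumber = crlnumber
default_md = sha256
default_crl_days = 1
EOF

# issue_crl: publish a CRL reflecting the current revocation database.
issue_crl() {
  openssl ca -config ca.cnf -gencrl -keyfile ca.key -cert ca.crt \
    -out ca.crl >/dev/null 2>&1
}
# verify_user: the relying party's check; exit 0 = accepted, else rejected.
verify_user() {
  openssl verify -crl_check -CAfile ca.crt -CRLfile ca.crl user.crt \
    >/dev/null 2>&1
}

issue_crl
BEFORE_RC=0; verify_user || BEFORE_RC=$?   # expected 0: accepted
# 4. Suspension: revoke the card certificate and publish a fresh CRL.
openssl ca -config ca.cnf -revoke user.crt -keyfile ca.key -cert ca.crt \
  >/dev/null 2>&1
issue_crl
AFTER_RC=0; verify_user || AFTER_RC=$?     # expected non-zero: revoked
echo "before suspension rc=$BEFORE_RC, after suspension rc=$AFTER_RC"
```

A relying party that skips the CRL (or caches a stale one) still accepts the revoked certificate, which is why the CRL refresh interval and OCSP reachability matter as much as the suspension itself.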

OTP Compatibility & Migration Topics

What OTP solutions can you work with?

ActivIdentity & OATH (in a later version)

Windows Login

Do I need to install a client such as ActivClient?

idOnDemand will work with most PIV middleware, although ActivClient is included in the annual subscription price.

Can I use another client (from HID, AET, or another provider)?

Yes. Windows 7 is also supported. ActivClient was selected as our default middleware because of its post-issuance and auto-configuration capabilities.

Mac and other platforms

Does SmartID work with Mac?

Yes.

Do you work with Linux and if so what flavors?

Yes. Most distributions.

Do you work with Unix?

We have not tested idOnDemand SmartID in a Unix environment.

Are there any limitations in the features for the above platforms compared to what is for Windows?

PAM functionality is provided. Application restrictions vary depending upon the application's support for X.509 certificates.

Email Signing & Encryption

What is the fastest way to set up email signing for a large number of users?

Through the policy of the email server (such as Microsoft Exchange policy or Lotus Notes).

Encryption

What is the fastest way to set up encrypted file systems for a large number of users?

Active Directory group policy.

General PKI Integration & Enablement

We have an internal CA we are not willing to abandon. Can your solution work with it and if so, how?

v2 will include support for a local CA appliance which supports PKCS #12 requests.

For an enterprise using our solution with Chosen certificates, can Chosen be configured to publish the certificates in the corporate directory?

An auto-enrollment server is available for an additional charge. Note that only a single certificate is required for AD login. If you wish to use AD for distribution of new certificates, the auto-enrollment server will collect and deliver certificates to users once they are logged onto the corporate domain.

SSO, Username & Password Capabilities

I have an existing eSSO implementation, can you work with it?

Yes. Native support for the SecureLogin range of products is provided. Imprivata and Passlogix are also supported.

Can you work with our existing Web SSO implementation?

idOnDemand supports Apache and other web servers that support X.509 certificate authentication.

Can we store usernames and passwords on an idOnDemand SmartID?

Usernames and passwords are stored on the local machine rather than the idOnDemand SmartID. When used with SecureLogin and other eSSO products, usernames and passwords are encrypted by the card certificate.

Identity Integration & Convergence

Can we have a single issuance model that is integrated from our PACS, through HR and IT Identity?

idOnDemand connects to the corporate directory, provided the information is available there. An API is available that enables custom connectors to be developed. In v2, an IDMS appliance will be available.

Does your solution allow us to enroll and terminate users through one administrative interface?

The idOnDemand interface can provide data to the corporate directory. By using OCSP or CRLs, external applications can control security access based on certificates. v2 will include an IDMS connector that will extend an existing IDMS infrastructure.

Security

How is the personal data we send to your service secured? (i.e., enrollment, updates, PIN resets)

idOnDemand uses a full PKI infrastructure for data movement and storage. Each card has a separate key and is produced in our audited system.

How are your facilities secured?

SAS-70 for building security. Secure bunker, guarded, gated, with limited access and almost impossible to penetrate by brute force.

How do you ensure that our data or access credentials are not replicated or mishandled?

idOnDemand has a deliberate and concise security policy that combines audit, certification, operational procedures and protections in place to both physically and technically prevent unauthorized access to data and any creation of credentials outside of this process. We can review some of these areas under non-disclosure with organizations considering idOnDemand.

Is there a tamper-resistant audit trail of card requests, delivery, and administrator activities?

Yes, a PKI-based, HSM-signed audit trail.

Are all attempts and failures to use the SmartID logged and reported?

Yes.

Do you have a detailed security architecture?

Yes, available under a non-disclosure agreement.

Does idOnDemand allow site visits and audits?

idOnDemand offers prospective and current customers guided tours geared toward answering questions regarding security of our systems and processes. We can arrange a time that is convenient with your facilities manager, IT person or designated auditor.