User Storage

Fused Storage

Fused User Protected Storage

In the case where the end entity certificate (and its private key) is stored in the Microsoft Internet Explorer certificate store of the user's Desktop Profile, the Digi-CA Server™ system offers a further security level by enabling the User Protected setting. Depending on the CP, this can be offered to the end user as an option or it can be enforced. The security levels are:

Low: the same as no User Protection. The check box remains unchecked and applications use the certificate without prompting the user.

Medium: every time an application requests the certificate, a simple pop-up dialog notifies the user, who must accept the request by clicking the OK button before the certificate is used.

High: a pop-up dialog requires the user to enter a password before any request to use the certificate is permitted.

If High User Protection is enforced by the CP, or the user selects it, the pop-up dialog requires them to enter a password before the end entity certificate can be used.

This final setting, where the user must enter a password, is referred to as Two Factor Authentication, because the user must possess the end entity certificate (and its private key) and know its password before they can use it. Something you have and something you know together provide the two factors. Note that with this storage type both factors reside in the same Windows user profile, so the protection is only as strong as the protection of that profile itself.

Storage Considerations

When choosing your Storage Type, give careful consideration to a number of factors. If the Private Key is not exportable and its life cycle is set to ten years, will the device it is stored on still work ten years from now? What happens if the device is lost, stolen or destroyed? Alternatively, if you decide that the Private Key can be exported, how do you prevent it from being shared by several users, and what is the disadvantage should sharing occur (for example, a signature made with a shared key can no longer be attributed to one person)?

If you decide to enforce High User Protection, what happens if the user forgets their password, leaving the certificate permanently unusable thereafter? On the other hand, if there is no password, how easy would it be for someone else with access to the profile to use that certificate?
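The questions above (key lifetime, exportability, where the key actually lives) can be answered for an existing Windows profile before a Storage Type is chosen. The following PowerShell script is an added example written for this page; it is not part of the Digi-CA Server™ product or its documentation. It inventories the certificates with private keys in the current user's Personal store (the store Internet Explorer uses) and reports each key's remaining lifetime, whether it is exportable, and which provider holds it. The function name Get-UserCertStorageReport and its LongLifeYears parameter are illustrative names chosen here; the script assumes Windows PowerShell 5.1 or later.

```powershell
# Added example, not from the Digi-CA Server documentation.
# Inventory the end entity certificates in the current user's Personal store
# and report the properties the storage considerations turn on: remaining
# lifetime, exportability of the private key, and the provider holding it.

function Get-UserCertStorageReport {
    param(
        # Flag keys whose remaining lifetime exceeds this many years (illustrative threshold).
        [double]$LongLifeYears = 5
    )

    Get-ChildItem -Path Cert:\CurrentUser\My |
        Where-Object { $_.HasPrivateKey } |
        ForEach-Object {
            $cert       = $_
            $exportable = $null   # $null means the script could not determine it
            $provider   = $null
            $hardware   = $null

            # Legacy CryptoAPI (CSP) keys expose CspKeyContainerInfo.
            # Accessing .PrivateKey can throw for keys held by a CNG provider, so guard it.
            $csp = $null
            try { $csp = $cert.PrivateKey } catch { $csp = $null }
            if ($csp -and $csp.CspKeyContainerInfo) {
                $info       = $csp.CspKeyContainerInfo
                $exportable = $info.Exportable
                $provider   = $info.ProviderName
                $hardware   = $info.HardwareDevice
            }
            else {
                # CNG keys: ask the key object for its export policy (.NET 4.6+).
                $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
                if ($rsa -is [System.Security.Cryptography.RSACng]) {
                    $allowExport = [System.Security.Cryptography.CngExportPolicies]::AllowExport
                    $exportable  = $rsa.Key.ExportPolicy.HasFlag($allowExport)
                    $provider    = $rsa.Key.Provider.Provider
                }
            }

            $yearsLeft = [math]::Round(($cert.NotAfter - (Get-Date)).TotalDays / 365.25, 1)

            # The case the text warns about: a long-lived, non-exportable key in a
            # software provider has no backup path if the profile is lost.
            $warning = ''
            if ($yearsLeft -gt $LongLifeYears -and $exportable -eq $false -and $hardware -ne $true) {
                $warning = 'long-lived non-exportable software key: no recovery if the profile is lost'
            }

            [pscustomobject]@{
                Subject    = $cert.Subject
                Thumbprint = $cert.Thumbprint
                NotAfter   = $cert.NotAfter
                YearsLeft  = $yearsLeft
                Exportable = $exportable
                Provider   = $provider
                Hardware   = $hardware
                Warning    = $warning
            }
        }
}

Get-UserCertStorageReport | Format-Table -AutoSize
```

Run it in the user's own session, since Cert:\CurrentUser\My is per profile. Keys reported as Exportable = False are the ones for which the "device lost, stolen or destroyed" question has no answer other than re-issuance, and keys reported as Exportable = True are the ones for which sharing between users must be controlled by policy rather than by the store.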

