Two-factor authentication

You can use the BlackBerry® Smart Card Reader or an Advanced Security SD card to require a user to use a smart card and the smart card password to prove the user’s identity before the BlackBerry device unlocks. If a user installs a smart card authenticator, smart card driver, and the driver for the smart card reader on the BlackBerry device, you or the user can configure two-factor authentication on the BlackBerry device to bind the BlackBerry device to the installed smart card. After the BlackBerry device binds to the smart card, the BlackBerry device requires the user to use the smart card to authenticate before the BlackBerry device unlocks.

To require that a user authenticate with the BlackBerry device using the smart card, you can configure the Force Smart Card Two-Factor Authentication IT policy rule in the BlackBerry Administration Service. If you do not require the user to authenticate with the BlackBerry device using a smart card, the user can turn on or turn off two-factor authentication in the BlackBerry device options, in the security options, in the User Authenticator field.

Verifying that a device is bound to a smart card

After a user turns on two-factor authentication, the BlackBerry® device prompts the user to insert the smart card into the BlackBerry® Smart Card Reader. The device displays the label and card type of the bound smart card.

On a device running BlackBerry® Device Software version 3.6, the smart card information shown in that insert-card prompt is the only indication that a smart card is bound to the device.

On a device running BlackBerry Device Software version 4.0 or later, the device shows the smart card information in the prompt and also in the device options, under the security options, where the Initialized field indicates whether the device has authenticated with and is bound to the smart card.


Process flow: Turning on two-factor authentication using a smart card

When you or a user turns on two-factor authentication with the BlackBerry® Smart Card Reader, the BlackBerry device performs the following actions:
  1. locks
  2. prompts the user to type the BlackBerry device password when the user tries to unlock the BlackBerry device
  3. requires the user to specify a BlackBerry device password, if the user has not yet specified one
  4. prompts the user to type the smart card password to turn on two-factor authentication using the smart card
  5. binds to the smart card by storing the following binding information in the NV store in the BlackBerry device memory that the user cannot access:
    • name of a Java® class that the BlackBerry Smart Card Reader requires
    • binding information format for the smart card type (for example, the type for CAC is GSA CAC)
    • name of a Java class that the smart card code requires
    • unique 64-bit identifier that the smart card provides
    • smart card label that the smart card provides (for example, HISLOP.GREG.1234567890)
  6. pushes the current IT policy to the BlackBerry Smart Card Reader
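
The process flow above, as an added example that is not BlackBerry code: a Python simulation in which the device checks the device password, checks the smart card password, stores the five binding fields in a store the user cannot reach, and from then on refuses to unlock for any card other than the bound one, even when that other card's password is correct. The NV store dictionary, the reader and card class names, PBKDF2 storage of the device password and the sample card values are assumptions made for the simulation; step 6 (pushing the IT policy to the reader) is not modelled.

```python
"""Simulated smart card binding and two-factor unlock on a device.

Added example, not BlackBerry code: it models the process flow above in
ordinary Python so the binding check can be run offline. The NV store,
class names, sample card values and password storage are constructed
stand-ins; a real device keeps the binding in memory the user cannot read.
"""
from dataclasses import dataclass
import hashlib
import hmac
import os


@dataclass(frozen=True)
class SmartCard:
    """Constructed model of an inserted card and what it reports to the device."""
    card_type: str   # binding information format, e.g. "GSA CAC"
    card_id: int     # unique 64-bit identifier the card provides
    label: str       # card label, e.g. "HISLOP.GREG.1234567890"
    pin: str         # smart card password (checked by the card, not the device)

    def verify_pin(self, pin: str) -> bool:
        return hmac.compare_digest(self.pin.encode(), pin.encode())


@dataclass(frozen=True)
class Binding:
    """The binding information that step 5 of the process flow stores."""
    reader_class: str     # name of a class the smart card reader requires
    binding_format: str   # binding information format for the card type
    card_class: str       # name of a class the smart card code requires
    card_id: int          # unique 64-bit identifier from the card
    label: str            # label from the card


class Device:
    def __init__(self, reader_class: str = "SmartCardReaderDriver"):  # hypothetical name
        self._nv_store = {}            # binding info; not exposed to the user
        self._salt = None
        self._password_hash = None
        self._reader_class = reader_class
        self.two_factor = False
        self.locked = False

    def set_password(self, password: str) -> None:
        """Store the device password as a salted PBKDF2 hash, never in the clear."""
        self._salt = os.urandom(16)
        self._password_hash = hashlib.pbkdf2_hmac(
            "sha256", password.encode(), self._salt, 100_000)

    def _check_password(self, password: str) -> bool:
        if self._password_hash is None:
            return False
        digest = hashlib.pbkdf2_hmac(
            "sha256", password.encode(), self._salt, 100_000)
        return hmac.compare_digest(digest, self._password_hash)

    def is_initialized(self) -> bool:
        """Mirrors the Initialized field: True once the device is bound to a card."""
        return "binding" in self._nv_store

    def enable_two_factor(self, password: str, card: SmartCard, card_pin: str) -> Binding:
        """Steps 1 to 5 of the process flow; returns the binding that was stored."""
        self.locked = True                                   # 1. lock
        if self._password_hash is None:                      # 3. a device password is required
            raise ValueError("set a device password before turning on two-factor authentication")
        if not self._check_password(password):               # 2. device password prompt
            raise PermissionError("wrong device password")
        if not 0 <= card.card_id < 2**64:
            raise ValueError("card identifier must be a 64-bit value")
        if not card.verify_pin(card_pin):                    # 4. smart card password prompt
            raise PermissionError("wrong smart card password")
        binding = Binding(                                   # 5. bind to this specific card
            reader_class=self._reader_class,
            binding_format=card.card_type,
            card_class=type(card).__name__,
            card_id=card.card_id,
            label=card.label,
        )
        self._nv_store["binding"] = binding
        self.two_factor = True
        return binding

    def unlock(self, password: str, card: SmartCard = None, card_pin: str = "") -> bool:
        """Unlock with the device password plus, once bound, the bound card and its PIN."""
        if not self._check_password(password):
            return False
        if self.two_factor:
            binding = self._nv_store["binding"]
            if card is None:                      # no card inserted
                return False
            # The card must be the one that was bound, not merely any card that authenticates.
            if (card.card_id != binding.card_id
                    or card.label != binding.label
                    or card.card_type != binding.binding_format):
                return False
            if not card.verify_pin(card_pin):
                return False
        self.locked = False
        return True
```

The point of the identity comparison in `unlock` is that binding is stronger than "some smart card authenticated": after the bind, a second card of the same type with its own correct password is rejected because its 64-bit identifier and label do not match what was stored, and the device password alone no longer unlocks the device.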

Creating two-factor authentication methods

The BlackBerry® Java® Development Environment version 5.0 includes the User Authenticator API that a developer can use to create two-factor authentication methods. A user can use the two-factor authentication methods with the BlackBerry device password to unlock a BlackBerry device. After the developer creates an authentication method using the User Authenticator API, you can install the authentication method on the BlackBerry device using a software configuration.

To configure the BlackBerry device so that the user must provide the BlackBerry device password and authenticate using a two-factor authentication method before the BlackBerry device unlocks, you change the Allowed Authentication Mechanisms IT policy rule to Other and configure the Is Access to the User Authenticator API Allowed application control policy rule.

The User Authenticator API permits a developer to add a field to the password dialog box on the BlackBerry device for the authentication method. You can create as many two-factor authentication methods as the security policies of your organization require.

BlackBerry® Device Software versions 5.0 and later support the User Authenticator API.

For more information about the User Authenticator API, see the BlackBerry Java Development Environment Fundamentals Guide.

