HID Crescendo's Diverse Functionality & Compatibility
When we talk to customers about HID® Crescendo® authenticators, they are often aware of only a small part of this device family's capabilities. Across diverse enterprises, Crescendo is the preferred means of trusted identity due to the broad range of standards supported. We'll answer the most common questions and cover it all — the specifications, certifications and compatibility — in this definitive blog post.
What are the specifications and certifications that the Crescendo supports?
Some organizations have regulatory requirements to use products that are compliant with certain certifications or compatible with published specifications. HID Global recognizes the importance of these programs. With a proactive approach to supporting standards, we actively contribute to the industry associations promoting them.
FIDO U2F and 2.0
We're a sponsor member of the FIDO Alliance, whose mission is to promote standards that remove the reliance on passwords for the web. The Crescendo C2300 smart card and the companion Crescendo Key are FIDO2-certified authenticators that offer secure access to online and cloud services.
GlobalPlatform Card Specification 2.2, Secure Channel Protocol 03, ID Configuration 1.0
HID is a member of GlobalPlatform, an association with a legacy of successful technical specification development and industry adoption for secure device management, with strong support in the financial industry and the digital identity landscape. Crescendo implements the GlobalPlatform Card Specification 2.2 with support for Secure Channel Protocol 03, which uses NIST-approved cryptographic algorithms for secure personalization of credentials. Furthermore, Crescendo authenticators use a platform that has been certified by GlobalPlatform with the ID Configuration v1.0 profile.
NIST FIPS 140-2
Government agencies in the United States and Canada are required to use cryptographic implementations approved by the NIST Cryptographic Module Certification Program, also known as FIPS 140-2. HID Global has a long-standing tradition of offering FIPS 140-2 certified credentials, and the Crescendo C2300 and Crescendo Key are no exception. Documentation and independent certification lab verification of our firmware have been completed and submitted to NIST for certification at both Level 2 and Level 3 of FIPS 140-2. The Modules In Process List contains our submissions.
OATH
Crescendo supports two-factor authentication (2FA) deployments that use the industry-standard OATH algorithm for one-time password (OTP) generation — most commonly, VPN gateways and in-house developed web applications. In addition, a simplified user experience means there's no need to copy a code from the authenticator into the login form. The simple touch of the Crescendo Key button transfers the OTP value as keystrokes to the device where it's plugged in.
How does Crescendo work with existing infrastructure?
Despite the importance of certifications, we are also committed to working with industry players to ensure customers can use our trusted identity credentials with their existing infrastructure, helping them realize the goal of delivering a converged identity for physical and logical access.
Microsoft Windows
Windows fully supports Crescendo for use in passwordless authentication flows. In Azure Active Directory, simply enable FIDO2 Security Keys in your tenant and have users self-register their credentials in their Microsoft account webpage. For those who haven't migrated to Azure Active Directory, Crescendo is supported out of the box as a smart card logon credential using PKI certificates; issuance is simple with a free Windows mini driver. Once configured, the authenticator appears as a PIV identity device — and there's no installation required. Applications can then use the certificates for authentication, signature and encryption. And of course, Crescendo cards and USB keys can be used as FIDO authenticators on any modern browser running in Windows.
Apple macOS
In macOS, Crescendo Key can be used as a FIDO authenticator in Safari or Chrome. A Crescendo card or key with certificates is recognized automatically as a PIV device that can be used to protect logon to macOS. The macOS keychain services automatically register the certificates for digital signature use.
NFC
Crescendo smart cards and keys are compatible with the standard NFC readers integrated into some Windows laptops and tablets, especially those designed for enterprise use. These authenticators also work with the NFC capability in most Android and iOS phones supporting:
- FIDO Web Authentication (WebAuthn)
- Custom applications that leverage PIV or OATH capabilities
Is Crescendo compatible with HID physical access control systems?
No conversation about Crescendo would be complete without mentioning support of the ubiquitous HID physical access control infrastructure deployed worldwide.
- Crescendo Key includes Seos® technology compatible with the state-of-the-art iCLASS SE® and Signo™ readers
- Crescendo smart cards support Seos and are also available with MIFARE™, HID iCLASS®, HID Prox, and Indala Prox options
This full support ensures a drop-in replacement for any access control card. Customers can take full advantage of Crescendo's high security and versatility.
For details about how to configure Crescendo for different use cases, review the Crescendo documentation site.
Adrian Castillo is passionate about secure identity credentials that enable trusted transactions in physical and virtual environments. Since joining HID in 2008, he has developed credential solutions for end-users, client applications and back-end services. Most of all, he likes to understand the complete chain of components that are involved in the chain of trust.