User guide

The User Authenticator API permits a developer to add a field to the password dialog box on the BlackBerry device for the
authentication method. You can create as many two-factor authentication methods as the security policies of your
organization require.
BlackBerry Device Software versions 5.0 and later support the User Authenticator API.
For more information about the User Authenticator API, see the BlackBerry Java Development Environment Fundamentals Guide.
Two-factor content protection
Two-factor content protection on the BlackBerry device is designed to protect the content protection decryption keys with
both a private key that is stored on a smart card and the device password.
To store the private key, you can use either a smart card with the BlackBerry Smart Card Reader or an Advanced Security SD card. The content protection key is never transferred from the device to the BlackBerry Smart Card Reader or the Advanced Security SD card; only the private key on the card takes part in protecting it.
Two-factor content protection requires the device password, a smart card, and an authentication certificate that is stored on the device. The authentication certificate must contain the public key that corresponds to the private key stored on the smart card. Note that the device does not enforce the certificate's validity period or revocation status for this purpose: if the authentication certificate expires or is revoked, a user can continue to use it for two-factor content protection until the user creates and configures a new certificate to use with two-factor content protection.
You or a user can configure two-factor content protection. By default, if a user has a smart card and an authentication
certificate on the device, the user can turn on two-factor content protection. To make two-factor content protection
required or optional, or to prevent a user from configuring it, you can use the Two Factor Content Protection Usage IT policy
rule. To unlock the device after you or a user turns on two-factor content protection, the user must type the device
password and smart card PIN on the login screen in the appropriate fields.
If you or a user turns on two-factor content protection, you cannot change the device password using the BlackBerry Administration Service. Only the user can change the device password, and only on the device itself.
BlackBerry Device Software 5.0 and later and BlackBerry Smart Card Reader 2.0 and later support two-factor content protection. You must verify that the IT policies that you can use to manage two-factor content protection are available on your organization's BlackBerry Enterprise Server. BlackBerry Enterprise Server 5.0 SP1 and later include the IT policies that you require to manage two-factor content protection.
Data flow: Turning on two-factor content protection
1. When you or a BlackBerry device user turns on two-factor content protection on the BlackBerry device for the first time, the device performs the following actions:
   a. generates a random 256-bit symmetric key for the smart card authenticator
   b. derives an ephemeral AES-256 key from the symmetric key for the smart card authenticator and the device password, using PKCS #5
   c. uses the ephemeral key to encrypt the content protection key and the ECC private keys
Security Technical Overview Configuring two-factor authentication and protecting Bluetooth connections
134