This article includes updates for NextVSC 1.5.1, which contains two significant new features:
- NextVSC Mobile
- Credential Provider
NextVSC Mobile is provided only as a Limited Availability (LA) release and requires a separate installer that contains both the standard functionality and the Mobile part.
NextVSC Mobile requires Hermod 4.8.0 or later and Smart ID Mobile App 7.0 (iOS and Android) or later.
Introduction
With Smart ID Desktop App, Nexus has for many years supported Virtual Smart Cards (VSC) on Windows 10 and 11 based on the Microsoft VSC solution.
The Microsoft solution comes with a few drawbacks:
- It is no longer recommended or further developed by Microsoft.
- It does not support ECC keys, or RSA keys larger than 2048 bits.
- It does not support RSA-PSS, which TLS 1.3 requires for RSA signatures, so TLS 1.3 client authentication is not possible with it.
With the NextVSC add-on, Nexus introduces a new concept for providing Nexus-native Virtual Smart Cards (VSC) on Windows 10 and 11: an extensible architecture that unifies different technologies and bearers of VSCs under one implementation. These VSCs are presented to the Windows platform as if they were physical smart cards.
The NextVSC add-on is fully integrated into Smart ID Desktop App. The application behaves the same whether a Microsoft VSC or a NextVSC is used and provides the same user interface (UI), the same features, and so on.
NextVSC implements a smart card minidriver and a virtual smart card reader that plug into the Windows smart card subsystem, so the VSC appears and acts as a standard physical smart card. This covers all the related use cases, such as Windows logon, TLS, PDF signing and S/MIME email security.
NextVSC brings native TPM support for RSA 2048 and ECC P-256 keys, as well as support for RSA 3072 and RSA 4096 keys through a TPM-backed key wrapping solution.
Since the TPM specification today only mandates support up to RSA 2048 and ECC P-256, keys that the TPM does not support natively are protected by an AES-based wrapping scheme whose wrapping key is TPM-backed. Such a key is unwrapped only for the duration of the cryptographic operation that uses it. This is the practical difference from natively TPM-resident keys: while a wrapped key is in use, its plaintext is briefly present in host memory, so during that window its protection rests on the TPM-backed wrapping key and on the isolation of the NextVSC service process rather than on the TPM alone.
NextVSC runs as a Windows service and is installed separately and independently of Smart ID Desktop App.
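The wrapping path just described, as an added illustration that is not NextVSC or Nexus code: a stand-in for the TPM-resident wrapping key (TPMStandIn, an in-process AES-256-GCM key, since the page does not describe the actual format) wraps the PKCS#8 encoding of an RSA-3072 private key, unwraps it only long enough to produce one RSA-PSS signature (the scheme TLS 1.3 requires for RSA client certificates), and refuses a blob whose ciphertext has been altered or that was wrapped under a different key. The threshold constant, the AAD label and the WrappedKey layout are this example's own choices.

```go
package main

import (
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"errors"
	"fmt"
)

// PC Client TPMs must implement RSA-2048 and P-256; above this the demo takes the wrapping path.
const tpmNativeRSAMaxBits = 2048

// WrappedKey is the at-rest form: AES-256-GCM over the PKCS#8 DER of the private key.
type WrappedKey struct {
	Bits              int // bound into the GCM additional authenticated data
	Nonce, Ciphertext []byte
}

func aad(bits int) []byte { return []byte(fmt.Sprintf("demo-wrap/rsa-%d", bits)) }

// TPMStandIn simulates the TPM-resident wrapping key: generated in the constructor,
// never exported. A real deployment would seal or create this key in the TPM.
type TPMStandIn struct{ aead cipher.AEAD }

func NewTPMStandIn() *TPMStandIn {
	kek := make([]byte, 32) // AES-256
	if _, err := rand.Read(kek); err != nil {
		panic(err)
	}
	block, _ := aes.NewCipher(kek)  // errors only on an invalid key length
	aead, _ := cipher.NewGCM(block) // errors only on a non-standard block size
	return &TPMStandIn{aead: aead}
}

// Wrap encrypts a key the TPM cannot hold natively and scrubs the plaintext DER afterwards.
func (t *TPMStandIn) Wrap(priv *rsa.PrivateKey) (*WrappedKey, error) {
	bits := priv.N.BitLen()
	if bits <= tpmNativeRSAMaxBits {
		return nil, errors.New("key fits the TPM natively; create it as a TPM object instead of wrapping")
	}
	der, err := x509.MarshalPKCS8PrivateKey(priv)
	if err != nil {
		return nil, err
	}
	defer zero(der)
	nonce := make([]byte, t.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return &WrappedKey{Bits: bits, Nonce: nonce, Ciphertext: t.aead.Seal(nil, nonce, der, aad(bits))}, nil
}

// SignPSS unwraps the key only for one signature. GCM's tag rejects a modified blob or one wrapped
// by another TPM. While unwrapped, the key is in host memory, unlike a natively TPM-resident key.
func (t *TPMStandIn) SignPSS(w *WrappedKey, digest []byte) ([]byte, error) {
	der, err := t.aead.Open(nil, w.Nonce, w.Ciphertext, aad(w.Bits))
	if err != nil {
		return nil, fmt.Errorf("unwrap rejected: %w", err)
	}
	defer zero(der) // best effort; Go cannot guarantee scrubbing of the parsed key object
	key, err := x509.ParsePKCS8PrivateKey(der)
	if err != nil {
		return nil, err
	}
	priv := key.(*rsa.PrivateKey) // Wrap only ever stores RSA keys
	// RSA-PSS is the signature scheme TLS 1.3 requires for RSA client certificates.
	return rsa.SignPSS(rand.Reader, priv, crypto.SHA256, digest, &rsa.PSSOptions{SaltLength: rsa.PSSSaltLengthEqualsHash})
}

func zero(b []byte) {
	for i := range b {
		b[i] = 0
	}
}

func main() {
	tpm := NewTPMStandIn()
	priv, err := rsa.GenerateKey(rand.Reader, 3072) // a size the TPM does not take natively
	if err != nil {
		panic(err)
	}
	w, err := tpm.Wrap(priv)
	if err != nil {
		panic(err)
	}
	digest := sha256.Sum256([]byte("constructed message to sign"))
	sig, err := tpm.SignPSS(w, digest[:])
	if err != nil {
		panic(err)
	}
	fmt.Println("PSS signature verifies:", rsa.VerifyPSS(&priv.PublicKey, crypto.SHA256, digest[:], sig, nil) == nil)
	w.Ciphertext[0] ^= 0x01 // flip one bit of the stored blob
	_, err = tpm.SignPSS(w, digest[:])
	fmt.Println("tampered blob rejected:", err != nil)
}
```

The point to take from SignPSS is the order of operations: authenticate and unwrap, parse, sign, scrub. The private key exists outside the TPM only inside that function, which is the exposure window the wrapping approach has and native TPM keys do not; the GCM tag is what ties a stored blob to the wrapping key, so a copied blob is useless elsewhere and a modified one is rejected before any signing takes place.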
NextVSC Mobile
NextVSC Mobile extends the TPM‑based Virtual Smart Card (VSC) concept on the desktop to also include Mobile VSCs securely hosted in the Smart ID Mobile App on iOS and Android. This enables a unified Virtual Smart Card experience across desktop and mobile platforms under the same NextVSC architecture.
Using a secure QR-code-based pairing process, an end user connects their PKI-based Mobile VSC to a Windows 10 or 11 computer. Once paired, the Smart ID Mobile App acts towards Windows as a physical smart card, and the cryptographic operations themselves are performed on the mobile device.
User authentication is handled directly on the mobile device using strong, built‑in mechanisms such as a mobile PIN, Face ID, or fingerprint authentication, removing the need to enter a PIN on the computer as would be required with a traditional physical smart card.
NextVSC Mobile supports common Windows and PKI use cases based on certificate capabilities and key usage, including Windows logon, PDF signing, S/MIME email security, TLS authentication, and more.
NextVSC Credential Provider
NextVSC includes a custom Windows Credential Provider for Windows 10 and 11, integrating directly with the native Windows sign‑in experience. This enables a tailored and consistent login flow, with clearly branded authentication options and dedicated icons for both Mobile and TPM‑based Virtual Smart Card (VSC) login.
The Credential Provider is invoked conditionally: it only becomes available when a Mobile or TPM-based VSC holds a certificate that supports Windows logon, as indicated by the key usage and extensions Windows requires for logon. The NextVSC Credential Provider is therefore presented only when relevant, and the default Windows sign-in behavior is preserved for all other authentication scenarios.
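The conditional check just described, as an added Go example that is not NextVSC code: AssessLogon evaluates a certificate against the classic Windows smart card logon profile (Digital Signature key usage, the Client Authentication and Microsoft Smart Card Logon EKUs, and a UPN in the subject alternative name). That profile is an assumption about what "Windows login key usage and extensions" means; the page does not list the exact checks NextVSC performs. Because crypto/x509 drops otherName entries when it parses the SAN, the UPN is decoded by hand with encoding/asn1, and MakeDemoCert produces constructed self-signed certificates for the demonstration, so nothing here involves a real CA or card.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)

var (
	oidSmartCardLogon = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 311, 20, 2, 2} // Microsoft Smart Card Logon EKU
	oidUPN            = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 311, 20, 2, 3} // UPN otherName type-id
	oidSAN            = asn1.ObjectIdentifier{2, 5, 29, 17}                     // subjectAltName
)
type otherName struct { // SEQUENCE { type-id OID, value [0] EXPLICIT ANY }
	TypeID asn1.ObjectIdentifier
	UPN    string `asn1:"tag:0,explicit,utf8"` // UTF8String for id-ms-upn
}
// LogonCapability records each requirement of the classic smart card logon profile and the verdict.
type LogonCapability struct {
	DigitalSignature, SmartCardLogonEKU, ClientAuthEKU, Qualifies bool
	UPN                                                         string
}

// AssessLogon is the gate a credential provider applies before offering a logon tile for a certificate.
func AssessLogon(cert *x509.Certificate) LogonCapability {
	c := LogonCapability{DigitalSignature: cert.KeyUsage&x509.KeyUsageDigitalSignature != 0}
	for _, eku := range cert.ExtKeyUsage {
		c.ClientAuthEKU = c.ClientAuthEKU || eku == x509.ExtKeyUsageClientAuth
	}
	for _, oid := range cert.UnknownExtKeyUsage { // crypto/x509 has no constant for this EKU
		c.SmartCardLogonEKU = c.SmartCardLogonEKU || oid.Equal(oidSmartCardLogon)
	}
	c.UPN = extractUPN(cert)
	c.Qualifies = c.DigitalSignature && c.SmartCardLogonEKU && c.ClientAuthEKU && c.UPN != ""
	return c
}

// extractUPN walks the SAN by hand because crypto/x509 drops otherName entries when parsing.
func extractUPN(cert *x509.Certificate) string {
	var names []asn1.RawValue // one entry per GeneralName
	for _, ext := range cert.Extensions {
		if ext.Id.Equal(oidSAN) {
			if _, err := asn1.Unmarshal(ext.Value, &names); err != nil {
				return ""
			}
		}
	}
	for _, gn := range names {
		var on otherName
		if gn.Class != asn1.ClassContextSpecific || gn.Tag != 0 {
			continue // dNSName, rfc822Name, ... are not otherName, which is [0] IMPLICIT
		}
		if _, err := asn1.UnmarshalWithParams(gn.FullBytes, &on, "tag:0"); err == nil && on.TypeID.Equal(oidUPN) {
			return on.UPN
		}
	}
	return ""
}

// MakeDemoCert issues a constructed self-signed certificate with the given EKUs; an empty upn omits the SAN.
func MakeDemoCert(upn string, ekus []x509.ExtKeyUsage, extra []asn1.ObjectIdentifier) (*x509.Certificate, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: ekus, UnknownExtKeyUsage: extra,
	}
	if upn != "" {
		san, err := asn1.Marshal(struct {
			Other otherName `asn1:"tag:0"` // GeneralName otherName is [0] IMPLICIT
		}{otherName{TypeID: oidUPN, UPN: upn}})
		if err != nil {
			return nil, err
		}
		tmpl.ExtraExtensions = []pkix.Extension{{Id: oidSAN, Value: san}}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &priv.PublicKey, priv)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	logon, err1 := MakeDemoCert("alice@corp.example", []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}, []asn1.ObjectIdentifier{oidSmartCardLogon})
	smime, err2 := MakeDemoCert("", []x509.ExtKeyUsage{x509.ExtKeyUsageEmailProtection}, nil)
	if err1 != nil || err2 != nil {
		panic("constructed certificate generation failed")
	}
	fmt.Printf("logon profile: %+v\nS/MIME only:   %+v\n", AssessLogon(logon), AssessLogon(smime))
}
```

Run as is, the logon-profile certificate reports Qualifies:true and the S/MIME-only one Qualifies:false. Windows policy can relax the strict profile (the "Allow certificates with no extended key usage certificate attribute" smart card policy is the usual example), so a gate deployed in practice should mirror the policy actually in force rather than this fixed set.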
NextVSC features
The features of NextVSC are as follows:
- Native TPM support for:
  - RSA 2K
  - ECC256 based on NIST P-256, also known as secp256r1 or prime256v1
- TPM-backed support for RSA 3K and RSA 4K certificates
- Nexus native TPM wrapping solution for private keys, based on AES encryption.
- Add-on to Smart ID Desktop App, giving seamless integration with life-cycle management in Smart ID Identity Manager (IDM) and authentication with Smart ID Digital Access (DA).
- Client-side key generation, with certificates issued by Certificate Manager from a CSR (PKCS#10).
- Server-side generated/archived certificates and keys (PKCS#12, P12).
- Windows use cases according to certificate capabilities and key usages.
- Windows login, S/MIME, TLS, PDF signing etc. via the NextVSC minidriver API.
- User interface provided by Smart ID Desktop App:
  - PIN change, VSC deletion, VSC details, certificate details.
  - Language support: English, German, French and Swedish.
- PIN blocking and remote PIN unblock.
- TPM anti-hammering and blocking.
- Co-existence with Microsoft VSC under Smart ID Desktop App.
Additional NextVSC features from version 1.5.1
- Custom Windows Credential Provider for Windows 10 and 11, enabling a tailored Windows sign-in experience for NextVSC authentication methods, with branded icons for Mobile and TPM-based Virtual Smart Card (VSC) login.
- Conditional invocation of the NextVSC Credential Provider based on certificate capabilities: the provider is only available when a Mobile or TPM-based VSC contains a certificate enabled for Windows logon.
- NextVSC Mobile support, enabling PKI-based Mobile Virtual Smart Cards hosted in the Smart ID Mobile App (iOS and Android) to be used as smart cards on Windows 10 and 11.
- Secure QR-code-based pairing between a Mobile VSC and a Windows device, allowing the Smart ID Mobile App to act towards Windows as a physical smart card for cryptographic operations.
- Strong user authentication for Mobile VSC operations, performed on the mobile device with the mobile PIN or built-in biometrics (Face ID or fingerprint), eliminating smart card PIN entry on the Windows computer.
- Support for standard Windows and PKI use cases for Mobile VSCs, including Windows logon, TLS authentication, S/MIME email security, PDF signing, and related scenarios.