Nitrokey 3 Firmware 1.8 With PIV Windows Login, NIST P-521, Brainpool

We recently released firmware 1.8.0 for Nitrokey 3 devices. This release introduces PIV (Personal Identity Verification) functionality for the first time, enabling organizations to use convenient and secure two-factor authentication on Windows PCs.

PIV is an established smart card standard which is primarily used for:

  • Logging on to Windows computers
  • Storage of cryptographic keys and certificates (X.509), e.g. for e-mail encryption via S/MIME
  • Access to corporate VPNs

On the Nitrokey 3, PIV is a supplement to FIDO2 and also to the OpenPGP Card:

  • FIDO2 is optimal for modern, web-based authentication. It is directly supported by Microsoft Entra ID and can therefore be used for secure login to Windows-based systems, provided they are managed using MS Entra ID.
  • For organizations that prefer or need to use on-premises systems such as Microsoft Active Directory, PIV allows secure two-factor logon to Windows systems. Users no longer log on to their Windows devices with their password, but securely and conveniently with their Nitrokey and device PIN.
  • OpenPGP Card is a smart card that is primarily used with GnuPG, e.g. for e-mail encryption via OpenPGP.

By supporting both PIV and FIDO2, the Nitrokey 3 offers a versatile security solution that serves both modern web authentication and traditional corporate environments.

In addition, firmware 1.8.0 for the OpenPGP Card brings support for additional cryptographic curves:

  • NIST P-384
  • NIST P-521
  • brainpoolP256r1
  • brainpoolP384r1
  • brainpoolP512r1

All cryptographic keys of the OpenPGP Card, whether with the already supported algorithms RSA 2048-4096 and NIST P-256 or with these new curves, are stored tamper-proof in the Secure Element.

To update the firmware of your Nitrokey 3, follow these instructions.

22.1.2025
