Introduction

LuxTrust provides qualified electronic signatures (QES) using digital certificates, offering the highest level of legal assurance for electronic transactions in compliance with eIDAS regulations. LuxTrust is a Luxembourg-based trust service provider offering digital certificates that provide qualified electronic signatures with legal equivalence to handwritten signatures.

LuxTrust authentication is ideal for organizations requiring strong signature assurance for high-value transactions, regulatory compliance, and situations where qualified electronic signatures are mandated by law or business policy. LuxTrust digital certificates provide the strongest form of electronic signature available in the European Union under eIDAS regulations, with the same legal standing as handwritten signatures.

LYNKS supports multiple LuxTrust device types, allowing users to choose the authentication method that best fits their working environment and mobility needs.

LuxTrust Devices

LuxTrust supports multiple device types for authentication and signing, each suited to different use cases and working environments.

Device Type	Description	Use Case
SmartCard	Physical card with embedded chip requiring card reader	Desktop workstations with card readers, office environments
Signing Stick	USB device containing digital certificate	Portable authentication across different computers, traveling users
LuxTrust Mobile App	Mobile application for certificate-based authentication	Mobile device authentication and signing, on-the-go approvals

SmartCard

The LuxTrust SmartCard is a physical card similar to a credit card containing an embedded cryptographic chip. The SmartCard requires a card reader connected to your computer and provides the highest level of physical security through chip-based certificate storage.

SmartCards are ideal for users working primarily from fixed workstations with card readers installed, such as treasury departments or back-office operations.

Signing stick

The LuxTrust Signing Stick is a USB device that contains the user's digital certificate. It functions like a SmartCard but connects directly to any computer's USB port without requiring a separate card reader.

Signing Sticks provide portability for users who need to authenticate from multiple computers or locations while maintaining high security through physical device possession.

LuxTrust mobile app

The LuxTrust Mobile App brings certificate-based authentication to mobile devices, enabling users to authenticate and sign transactions using their smartphone or tablet. This option combines the security of LuxTrust certificates with mobile convenience.

Authentication flow

The LuxTrust authentication process varies by device type but follows similar security principles requiring certificate selection and PIN entry.

SmartCard authentication

The SmartCard authentication process:

User clicks "LuxTrust" on the LYNKS login screen
User selects "SmartCard" as the device type
User inserts SmartCard into connected card reader
System detects SmartCard and reads available certificates
User selects the appropriate certificate from available certificates
User enters LuxTrust PIN to unlock the certificate
LYNKS validates the certificate and grants access

LuxTrust certificate selection screen for SmartCard or Signing Stick

Signing stick authentication

The Signing Stick authentication process follows the same steps as SmartCard:

User clicks "LuxTrust" on the LYNKS login screen
User selects "Signing Stick" as the device type
User inserts Signing Stick into computer's USB port
System detects Signing Stick and reads available certificates
User selects the appropriate certificate
User enters LuxTrust PIN
LYNKS validates the certificate and grants access

The technical process is identical to SmartCard authentication, differing only in the physical connection method (USB port instead of card reader).

LuxTrust mobile app authentication

The mobile app authentication process:

User clicks "LuxTrust" on the LYNKS login screen
User selects "LuxTrust Mobile App" as the device type
User enters User ID and password in the authentication form
LuxTrust Mobile App validates credentials against LuxTrust infrastructure
LYNKS receives authentication confirmation and validates user identity
LYNKS grants access to the platform

LuxTrust Mobile App authentication screen showing User ID and password entry

Qualified electronic signatures

LuxTrust provides eIDAS-qualified electronic signatures (QES) that are legally equivalent to handwritten signatures across the European Union and recognized in many other jurisdictions.

Legal framework

Qualified electronic signatures under eIDAS regulation:

Have the same legal effect as handwritten signatures
Are admissible as evidence in legal proceedings
Cannot be denied legal effectiveness solely on grounds of being electronic
Are recognized across all EU member states
Meet the highest regulatory standards for electronic signatures

Signature requirements

Creating a qualified electronic signature with LuxTrust requires:

Valid LuxTrust digital certificate - Issued by LuxTrust after identity verification
PIN-protected access - Personal Identification Number known only to certificate holder
Certificate validation - Real-time validation through OCSP (Online Certificate Status Protocol)
Trust chain verification - Validation of certificate issuance chain back to trusted root

Signature creation process

When signing transactions in LYNKS with LuxTrust:

User initiates signature request (e.g., approving payment)
LYNKS presents transaction details for review
User confirms intention to sign
User authenticates with LuxTrust device and PIN
LuxTrust certificate creates cryptographic signature
LYNKS validates signature and certificate status
Transaction is marked as signed with qualified signature
Complete audit trail is recorded

Certificate lifecycle management

LuxTrust certificates have a defined lifecycle requiring active management to maintain continuous authentication capability.

Certificate issuance

LuxTrust certificates are issued after:

Identity verification meeting eIDAS qualified certificate requirements
Submission of required identification documents
Payment of applicable certificate fees
Device selection (SmartCard, Signing Stick, or Mobile App)
PIN creation for certificate protection

Certificate validity

LuxTrust certificates have defined characteristics:

Validity period - Typically 3 years from issuance date
Certificate type - Qualified certificate for natural persons
Key length - Cryptographic strength meeting eIDAS requirements
Usage restrictions - Defined scope for authentication and signature

Certificate renewal

Before certificate expiration:

Users receive renewal notifications from LuxTrust
Renewal process must be completed before expiration to maintain access
New certificate is issued with new validity period
Old certificate remains valid until expiration date
Overlap period allows transition to new certificate

Certificate revocation

Certificates can be revoked if:

Certificate is compromised or suspected compromise
Device is lost or stolen
User leaves organization
Certificate holder requests revocation
Regulatory or security requirements mandate revocation

LYNKS checks certificate revocation status during every authentication and signature operation through OCSP, ensuring revoked certificates cannot be used.

Certificate validation

LYNKS performs comprehensive certificate validation to ensure the integrity and validity of LuxTrust signatures.

Validation process

For each authentication or signature operation, LYNKS validates:

X.509 certificate structure - Proper certificate format and fields
Certificate trust chain - Valid issuance chain to trusted root certificate authority
Certificate validity period - Current date falls within certificate validity dates
Certificate revocation status - Real-time OCSP check confirms certificate not revoked
Certificate usage - Certificate authorized for requested operation type

OCSP checks

Online Certificate Status Protocol (OCSP) provides real-time certificate revocation checking:

Query sent to LuxTrust OCSP responder for certificate status
Response indicates "good", "revoked", or "unknown" status
Revoked certificates are immediately rejected
OCSP responses are cached briefly to optimize performance
Failed OCSP checks result in authentication failure for security

Trust chain verification

Certificate trust chain validation ensures:

Certificate issued by authorized LuxTrust certificate authority
All intermediate certificates in chain are valid
Root certificate is trusted by LYNKS
No breaks or compromises in certificate chain
All certificates in chain meet validity requirements

Configuration requirements

LuxTrust authentication requires configuration at tenant and user levels.

Tenant-level configuration

LuxTrust must be enabled for your LYNKS tenant:

LuxTrust authentication method enabled in tenant settings
OCSP responder endpoints configured
Trust chain certificates installed
Certificate validation policies defined
Per-tenant LuxTrust licensing (if applicable)

User-level configuration

Individual users must be configured for LuxTrust:

LuxTrust authentication method enabled in user profile
SSN (Social Security Number) entered for user identification
User must possess valid LuxTrust certificate
Certificate must be activated and PIN configured
User training on LuxTrust device usage

Prerequisites

Before enabling LuxTrust for users:

User must obtain LuxTrust certificate from LuxTrust
For SmartCard: Card reader must be installed and functioning
For Signing Stick: USB port access must be available
For Mobile App: LuxTrust Mobile App must be installed on device
User must know their certificate PIN
User SSN must match certificate identification

Security features

LuxTrust provides multiple layers of security for authentication and signatures.

Physical security

Device-based security features:

SmartCard/Signing Stick - Physical device possession required
Chip protection - Cryptographic operations performed on secure chip
Tamper resistance - Devices designed to resist physical attacks
PIN protection - Multiple failed PIN attempts lock device

Cryptographic security

Certificate and signature security:

Strong cryptography - Key lengths meeting eIDAS requirements
Private key protection - Private keys never leave secure device
Signature creation - Cryptographic signatures using private key
Non-repudiation - Signatures cannot be denied by signer

Operational security

Usage and management security:

Real-time revocation checking - OCSP validates certificate status
Certificate lifecycle management - Controlled issuance, renewal, revocation
Audit trail - Complete logging of authentication and signature events
Qualified trust service provider - LuxTrust operates under eIDAS supervision

Common questions

Answers to frequently asked questions about LuxTrust authentication.

Getting started

What do I need to use LuxTrust with LYNKS?

You need a valid LuxTrust certificate on one of the supported devices (SmartCard, Signing Stick, or Mobile App), your certificate PIN, and your administrator must enable LuxTrust authentication for your user account.

How do I obtain a LuxTrust certificate?

Contact LuxTrust directly (www.luxtrust.com) to apply for a certificate. You'll need to complete their identity verification process and choose your preferred device type. Your organization may have a corporate agreement with LuxTrust for user certificates.

Can I use the same LuxTrust certificate on multiple devices?

No, each LuxTrust device contains a unique certificate. If you need to authenticate from multiple locations or devices, you can obtain multiple certificates or use the Signing Stick which is portable between computers.

Using LuxTrust

Which LuxTrust device should I choose?

Choose based on your working style: SmartCards for fixed workstations with card readers, Signing Sticks for portability between different computers, or the Mobile App for mobile device convenience. Your organization may have preferences or requirements for specific device types.

How long is my LuxTrust certificate valid?

LuxTrust certificates are typically valid for 3 years from the issuance date. You'll receive renewal reminders before expiration to ensure uninterrupted access.

What happens if my certificate expires?

You'll need to renew your certificate to continue accessing LYNKS with LuxTrust authentication. Plan your renewal with adequate lead time to avoid any service interruption.

Security

What should I do if I lose my SmartCard or Signing Stick?

Contact your administrator immediately so they can initiate certificate revocation. This prevents unauthorized access even if someone finds your device. You'll need to obtain a new LuxTrust certificate to regain access.

Is my PIN stored anywhere in LYNKS?

No, your LuxTrust PIN is never transmitted to or stored by LYNKS. The PIN is used locally on your device to unlock your certificate for creating signatures.

Why do I need a PIN if I have the physical device?

The PIN provides two-factor security: something you have (the device) and something you know (the PIN). This ensures that even if someone obtains your device, they cannot use it without knowing your PIN.

Best practices

Organizations should follow these best practices when implementing LuxTrust authentication.

Device management

Maintain inventory of issued LuxTrust devices
Establish device distribution and tracking procedures
Implement device return process for departing users
Store backup devices for critical users
Document device assignment in HR systems

Certificate management

Monitor certificate expiration dates proactively
Establish renewal reminder process for users
Plan certificate renewals with adequate lead time
Test new certificates before old ones expire
Maintain documentation of certificate lifecycle events

User training

Provide comprehensive LuxTrust training for new users
Document step-by-step authentication procedures
Create guides for common usage scenarios
Establish support channels for LuxTrust questions
Conduct periodic refresher training

Security procedures

Immediately revoke certificates for lost or stolen devices
Establish incident response process for device compromise
Regularly review user LuxTrust access
Audit LuxTrust authentication events
Maintain physical security for stored devices

Cost considerations

LuxTrust certificates and devices have associated costs that organizations should budget for.

Certificate costs

LuxTrust charges fees for:

Initial certificate issuance
Certificate renewal (every 3 years)
Device costs (SmartCard, Signing Stick, Mobile App license)
Certificate revocation and replacement
Annual maintenance or support fees

Cost optimization

Organizations can optimize LuxTrust costs by:

Planning certificate renewals to avoid rush fees
Bulk purchasing devices for new user onboarding
Selecting device types appropriate to user needs
Implementing proper device tracking to minimize losses
Evaluating alternative authentication for low-value transactions

Support

For assistance with LuxTrust configuration or technical support related to LYNKS integration, contact the LYNKS support team at [email protected].

For certificate issuance, renewal, or device-specific questions, contact LuxTrust directly at www.luxtrust.com or through their customer support channels.