Friday, May 22, 2009

How to use a Smart Card?

One thing that I am seeing here in Europe is that there is a difference in how "Smart Cards" are perceived.

In the U.S., we're not too keen on them; they are mostly used for "proximity" functions, meaning we hold them up to readers for physical building access. To verify identity within applications, most organizations prefer multi-factor authentication with hardware tokens (e.g., RSA SecurID). Of course, passwords are still used to access physical systems as well, and there is some activity in biometric authentication (fingerprint scanning), but this is still at an early-adopter stage, though it is showing some promise with laptop manufacturers.

In Europe there is potentially greater use for Smart Cards. They provide the physical access functionality, but are also used to authenticate to enterprise hardware systems, clock in and out, provide digital signatures and VPN access, and even pay for lunch in the company cafeteria.

So it would seem that there are some differences, unless you're in the Executive Branch of government or attached to the Military. In both of those organizations, Smart Cards are required for access and authentication.

Which model is right? Why do we rely on separate "badging" and "access" mechanisms in the U.S.? Is it because RSA got there first? Is it better to keep these things separate to provide multi-factor and multi-method (card and token) authentication?

2 comments:

Matt Flynn said...

Hey Matt,

I don't really agree with your assessment of the US. While at RSA, I spoke to many companies about their use of smart cards.

One issue I heard over and over is that the physical security industry just wasn't ready to use shared technology, but everything seemed to be moving in that direction. RSA has tokens with smart card certificates and typical smart card form factors as well that can serve as an ID badge. In some cases, the same smart card form factor could also be used for physical access (depends on the system).

One thing to keep in mind: widespread use of smartcards means you need a reader at every terminal. A token (hardware, software, regardless of maker) can be used from any device (phone, laptop, home PC, hotel lobby, etc.).

And tokens can be easily disabled or swapped out. Certificates aren't that easy. If you encrypt with your cert, then lose your cert, can you decrypt? If you have a good mgt. solution, maybe, but you get the idea.

Matt Pollicove said...

Matt,

Thanks for your thoughts on the Smart Cards. Can't say I've seen much outside of Government, but it's good to hear.

I think you touch on an excellent point though. What are the costs (and more importantly, ROI) of moving to a Smart Card infrastructure compared to token-based?

However, regardless of your security measures (tokens or cards), excellent management is required.

Sounds like a job for the IdM Provisioning system, eh? Of course we did that at MaXware for Secure Computing's PremierAccess.

Thanks for your thoughts!
Matt