Is “what you have” more secure than “what you know”? At the end of the day, companies need to count the cost and decide if smart cards are preferred over passwords.
At the Microsoft IT Forum held in Copenhagen in 2004, chairman and chief software architect Bill Gates announced that the company will be using smart cards for both physical and logical access – a declaration made in conjunction with the announcement of a new .Net smart card.
The underlying reason for this strategy, according to Gates, is the weakness of the password as an authenticating mechanism, and the way forward is to use biometrics and smart cards.
The recent initiative isn’t the first time the Redmond-based company has attempted to jump on the smart card bandwagon – Gates had previously revealed plans for a Microsoft smart card, presumably to go head-to-head with the popular Java Card operating system, back at Cartes 98. Then, however, the foray was short-lived, and Java cards enjoy a measure of popularity that lasts to this day.
Though Microsoft has been making use of physical (only) card access systems for a number of years, there is no better way to convince the world that you’re serious about something than to use it yourself. The fact is that the use of smart cards or tokens over passwords for secure access isn’t a new concept. And there really are compelling reasons to do so.
For one, users are notoriously bad at password management, though this isn’t entirely their fault: there are just too many passwords to remember. What usually happens is that the same password is used for different applications – intranet access, email servers, computer logins, domain logins etc. Rare is the user who bothers to remember a different password for each and every application.
More common are the users who associate their passwords with easily remembered words or numbers like birthdays, phone numbers, names of pets and lovers etc. Obviously this is a security problem because of well-publicised ‘dictionary’ attacks, or if an attacker manages to dig up some personal information about their victim.
It’s the users who have the hard-to-remember passwords who give the most trouble. They usually write them on post-it notes and stick them on their monitor, only to be changed when the cleaning lady accidentally disposes of them and a new password has to be assigned. Not only is this a security risk, but hassling an already over-worked system administrator is equivalent to angering the gods.
The industry has come to realise that one-factor authentication based on “what you know” has its practical weaknesses. Smart cards and tokens provide authentication based on “what you have”, and many implementations combine cards with passwords/PINs or biometric identification (“who you are”) for two-factor authentication, raising the bar on secure access. This makes the use of smart cards more attractive to environments where secure logical access is a priority. Popular implementations of secure access using cards revolve around the use of public key infrastructure (PKI), where the secret/private key is stored in the card. Key diversification also mitigates the risk in case a card is compromised, as different cards would have different keys.
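The key diversification mentioned above, as an added illustration that is not part of the original article: each card’s authentication key is derived from an issuer master key and the card’s unique id, so the host can re-derive any card’s key for challenge-response verification, while a key extracted from one card is useless for impersonating another. The master key, card ids and the HMAC-based derivation are constructed assumptions for the example.

```python
import hmac
import hashlib
import secrets

# Constructed placeholder for the issuer's master key; in a real deployment it
# lives in an HSM on the host side and is never loaded onto any card.
MASTER_KEY = bytes.fromhex("0f" * 32)


def diversify_key(master_key: bytes, card_uid: bytes) -> bytes:
    """Derive the per-card key: HMAC-SHA256(master_key, label || card_uid).

    Only this derived key is personalised onto the card with that uid, so
    no two cards share a key and no card holds the master key.
    """
    return hmac.new(master_key, b"card-auth-key|" + card_uid, hashlib.sha256).digest()


def card_respond(card_key: bytes, challenge: bytes) -> bytes:
    """What the card computes when the host sends a fresh challenge."""
    return hmac.new(card_key, challenge, hashlib.sha256).digest()


def host_verify(master_key: bytes, card_uid: bytes, challenge: bytes, response: bytes) -> bool:
    """Host re-derives the expected card key from the uid and checks the response."""
    expected = card_respond(diversify_key(master_key, card_uid), challenge)
    return hmac.compare_digest(expected, response)


def leaked_key_is_isolated(master_key: bytes, leaked_uid: bytes, other_uid: bytes) -> bool:
    """Model a compromised card: its extracted key only answers for its own uid.

    Returns True when a response built with the leaked key is rejected for
    a different card, i.e. the compromise does not spread across the fleet.
    """
    leaked_key = diversify_key(master_key, leaked_uid)
    challenge = secrets.token_bytes(16)
    forged = card_respond(leaked_key, challenge)
    own_ok = host_verify(master_key, leaked_uid, challenge, forged)
    other_ok = host_verify(master_key, other_uid, challenge, forged)
    return own_ok and not other_ok


if __name__ == "__main__":
    uid_a, uid_b = b"CARD-0001", b"CARD-0002"  # constructed card ids
    print("keys differ:", diversify_key(MASTER_KEY, uid_a) != diversify_key(MASTER_KEY, uid_b))
    print("leak isolated:", leaked_key_is_isolated(MASTER_KEY, uid_a, uid_b))
```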
It’s believed that a proper implementation of smart cards requires an infrastructure more complicated than what is required for the run-of-the-mill password identity management system, and therein lies the largest obstacle to adoption – recurring costs.
But corporations may be able to get additional value from the card beyond its role as an authentication token by making use of its digital signature capability. For example, in the health and legal sectors, professionals can use digital signatures to add the element of non-repudiation to official documents and communications.
To some, the investment required to integrate confidence and accountability into business processes beats getting sued.
At the end of the day, it’s up to individual corporations to weigh the costs and determine for themselves if migrating to multi-functional smart cards will improve security and add value to their business. For Microsoft at least, it’s clear where Gates has placed his bet.