Back in the day, physical and digital security was one and the same. Securing your mainframe was a matter of putting...
it in a locked room.
Over time, digital and physical security have grown apart, but the use of smart cards represents one way the two areas are meeting again.
"I don't think we'll ever see the 'Year of the Smart Card,'" said Ennio Carboni, product manager for smart badging solutions at Bedford, Mass.-based RSA Security Inc., which sells smart cards. "They are evolutionary, not revolutionary. You don't need to pull out all your systems and start anew."
Companies are slowly turning to smart cards as a combination keycard for entering the building and for authenticating network access. By combining such functions, companies can lessen the headaches associated with super-strict password policies.
Additionally, employees are unlikely to forget their smart cards if they can't get into the building, log in to the network or buy lunch at the cafeteria without them, Carboni said.
Most smart cards only have 32K bytes of memory, roughly the computing power of a Commodore 64, said Benjamin Jun, vice president at Cryptography Research Inc., a San Francisco-based consulting company. "In terms of computing power, they don't have much value. Their primary advantage is security."
Smart cards offer a very secure way for users to authenticate themselves. With a smart card, a user can prove he possesses a secret (a digital certificate or token) but without revealing that secret, Jun said. Essentially, the system that the user is trying to access sends the card a random number. The card then does a transaction and sends it back. This process allows the system to verify the person is whom they purport to be.
Passwords, on the other hand, can be learned and then use to access your account. "With smart cards, the information used in one transaction isn't useful in future transaction," he said.
Currently, a popular use for smart cards is as a payment method, because they offer a method of offline authentication. This is popular in Europe, because the long-distance telephone infrastructure makes it expensive to confirm credit card numbers.
Smart cards can also be used as a secure yet easy way to log in to networks. All a user would need to do is remember a short PIN and bring the smart card to get network access. Two-factor authentication offers more security without long, complex, hard-to-remember passwords. Smart card keys are "substantially better than anything you can keep in your head," Jun said.
Smart cards can also ease the burden on help desks, because users aren't constantly looking for help with lost passwords. Systems can be set so they lock out a card when five wrong PINS are entered.
One of the major hurdles for smart card adoption is the difficulty of integrating the card systems with existing IT infrastructure, said Randy Vanderhoof, executive director for the Smart Card Alliance Inc., which is based in Princeton Junction, N.J. "When every desktop has to be fiddled with and configured, then the business case for smart cards is questioned," he said.
But things are changing.
Both Windows 2000 and Windows XP offer much better support for smart card usage. Dell Computer Corp. is offering systems with smart card readers pre-installed. "We are seeing the infrastructure changes that will ease smart card implementation," Vanderhoof said.