NETWORK SECURITY TACTICS

How to choose the right smart card


Mark Diodati
05.16.2007
This tip is part of the SearchSecurity.com Identity and Access Management Security School lesson on next-generation authentication. Visit the Next-generation authentication lesson page for additional learning resources.

If you're reading this, chances are your organization has taken the plunge and decided to deploy smart cards to its employees. The decision may have been based upon the desire to improve Windows and/or enterprise single sign-on (SSO) authentication. Perhaps the organization wants to pursue physical and logical convergence -- merging IT application access with facilities access -- using the "Swiss Army Knife" of identity and access management: the smart card.

The most important choice is the smart card form factor. Smart cards come in two forms: credit card-sized (known as ISO 7816) or USB token. Regardless of the form factor, the smart card technology is usually identical. Both form factors share a common logical personalization process (that is, the configuration of the smart card for a specific user) and provide logical services, like authentication to Windows, enterprise SSO and Web servers. It's the form factors' physical differences that make them suitable for different uses.

The ISO 7816 form factor is the most commonly deployed smart card in the enterprise, not coincidentally because it supports identity badging: graphical personalization with both corporate and user information that enables visual identification of the user.

The ISO 7816 form factor also supports physical access via its contactless interface. The user simply waves the smart card near a door reader, which uses an electromagnetic field to provide both power and a data path to the smart card, and the door opens upon successful authentication.

The most common contactless building access system is based upon HID Corp.'s Prox (125 kHz) technology. The U.S. government has chosen a different contactless specification as part of its HSPD-12 initiative, but the HID Prox card will remain the most prevalent contactless specification for at least several years because of the long replacement cycle of door readers and cards. For the most part, USB token smart cards are not suitable for use with physical access systems, though at least one vendor offers a USB token smart card with HID Prox-based technology.

With all the advantages of the ISO 7816 form factor, why even consider the USB token form factor? The most notable reasons are simpler desktop configuration and potentially reduced cost. USB smart cards don't need a reader; they plug into a desktop's USB port. ISO 7816 cards require a smart card reader at the desktop.

One additional advantage of the USB smart card form factor is that it can be coupled with a traditional one-time password (OTP) device. OTP devices have a liquid crystal display that shows a unique numeric password. OTPs remain the default strong authentication mechanism within the enterprise today because, unlike smart cards, they don't require client software.

While the converged USB smart card-OTP device provides maximum application coverage, it sells for a premium over the standard USB smart card. It may be more cost-effective to restrict these devices to a user subset, such as road warriors who require access to enterprise resources from kiosks while on the road.

To summarize, the ISO 7816 and USB token smart card form factors are nearly identical from a technology perspective, and both provide logical authentication services. The ISO 7816 smart card is the better choice for physical access and/or identity badging. Conversely, the USB token format is more rugged and is a better fit when the organization wants to avoid deploying smart card readers to the desktop, or needs to combine both OTP and smart card functionality.

About the author:
Mark Diodati, CPA, CISA, CISSP, MCP, CISM, has more than 16 years of experience in the development and deployment of information security technologies. He has served as vice president of worldwide IAM services for CA, as well as senior product manager for RSA Security's smart card, SSO, UNIX security, mobile PKI and file encryption products. He has had extensive experience implementing information security systems for the financial services industry since starting his career at Arthur Andersen & Co. He is a frequent speaker at information security conferences, a contributor to numerous industry publications, and has been referenced in a number of academic and industry research publications.
