
Security token and smart card authentication

Get advice on how to mitigate data theft from hackers with security token and smart card authentication technology, smart card readers and software.

A smart card is a small plastic card, about the size of a credit card, containing an embedded microchip that can be programmed to store specific user authentication information. The chip on a smart card can store multiple identification factors for a specific user (e.g., a password and a fingerprint). When the user inserts his or her card into a smart card reader, the card implements multiple factors of authentication, making the smart card system a viable option for two-factor or multifactor authentication.

Smart cards help to eliminate the threat of hackers stealing stored or transmitted information from a computer. The information is processed on the smart card, so it never has to leave the card or be transmitted to another machine.

On the downside, only a limited amount of information can be stored on a smart card's small microchip. For that reason, smart card encryption options are limited. Smaller or shorter encryption keys may be necessary, which heightens the chance of data compromise.

One-time password (OTP) tokens, also known as key fobs, are another form of authentication that requires two factors: something you know and something you have. These tokens are programmed to generate and display new passwords at certain intervals. In order to access a system, a user must enter his or her user ID and password, which is the first factor of authentication (something you know), and then provide the PIN displayed on the token, which is the something-you-have authentication factor.

The PIN provided from the token is constantly changing -- approximately every 30-60 seconds depending on how it's programmed -- and that makes it extremely difficult for a hacker to use that PIN to gain malicious access. Even if the attacker successfully steals the PIN, by the time he or she enters it into the system it will have already changed.

While two-factor and multifactor authentication systems are better than single-factor authentication methods, they are not tamper-proof. One way an attacker can defeat two forms of authentication -- say, a user ID and password coupled with an OTP -- is by launching a man-in-the-middle (MITM) attack. In a MITM attack, a hacker intercepts messages between the server and the authentication system. The hacker steals the credentials and then uses them to reset the user ID and password and obtain a new OTP. The attacker now has full control of the account using his own password and OTP.

Security token implementation

So how does an enterprise decide if security tokens are the right choice? The decision should ultimately be based on how well the technology will cooperate with its existing authentication system. User acceptance and maintenance are also important factors. The technology won't be popular if it is confusing and difficult to use, and if administrators have to invest lots of time into keeping it maintained.

When implementing a token system, encryption is essential to avoid attacks and ensure maximum protection. Be sure that the user ID, password and OTP PIN are encrypted in transit. When it comes to OTP tokens, physical theft can be a more significant issue. If an attacker is able to physically steal your OTP token, you are pretty much out of luck, so physical security and a proper distribution process are also essential elements of secure authentication.

Employee awareness training should be administered to educate employees on proper use of their tokens. It should be made clear that tokens should never be left at an employee's desk unattended.

Records should be kept of employees who received a token, and a verification process should be implemented to ensure that each specific token is being given to the proper employee.


This was last published in November 2008
