Two-Factor Authentication (2FA) Explained: Smart Cards

    

What is Smart Card Authentication?

Smart cards are cards or cryptographic USB tokens that are used for a number of authentication purposes, including physical access (buildings, rooms), computer and network access, and some secure remote access solutions (virtual private networks (VPN), portals).

The key difference from proximity cards is that smart cards contain an embedded smart chip that enables the cards to securely store and exchange data with readers and other systems.

Smart cards are frequently implemented by government agencies because they are seen as a good option for complying with government regulations, such as the Defense Federal Acquisition Regulation System (DFARS) and International Traffic in Arms Regulations (ITAR).


You’ve likely used smart cards before. You’ve probably even heard about their touted security benefits. But what exactly are the benefits of smart cards when it comes to authentication? Should you believe the security hype? Let’s take a closer look at how smart cards work, as well as their benefits and drawbacks.

How does smart card authentication work?

There are two kinds of smart cards: contact and contactless. With contact smart cards, the smart card is inserted into the reader, and the card’s contact plate makes physical contact with the reader to transmit data.

With contactless smart cards, the card just has to be held close to the reader, and data is transmitted via radio frequency (RF).

With both card types, the user then enters the associated PIN, and a key exchange occurs with the operating system or application to validate the certificate and associated keys.
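The PIN-then-key-proof flow described above can be modeled in a few lines. This is an added example, not code from the original article or from any vendor: `ToyCard`, `host_login`, and the sample PIN are hypothetical, the three-try lockout is an assumed policy, and unpadded RSA over two known Mersenne primes stands in for the card's real signature algorithm. Certificate chain validation is assumed to have happened already and is not shown.

```python
import hashlib
import hmac
import secrets

# Toy RSA key built from two known Mersenne primes: illustration only, not secure.
P, Q, E = 2**127 - 1, 2**521 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent (needs Python 3.8+)


def digest(data: bytes) -> int:
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


class ToyCard:
    """Hypothetical card model: the private exponent never leaves this object."""
    MAX_TRIES = 3  # assumed lockout policy

    def __init__(self, pin: str):
        self._pin, self._d, self._tries_left = pin, D, self.MAX_TRIES
        self.public_key = (N, E)  # in practice carried in the card's certificate

    def sign_challenge(self, pin: str, challenge: bytes) -> int:
        if self._tries_left == 0:
            raise PermissionError("card blocked")
        if not hmac.compare_digest(pin.encode(), self._pin.encode()):
            self._tries_left -= 1
            raise PermissionError("wrong PIN")
        self._tries_left = self.MAX_TRIES  # a correct PIN resets the counter
        return pow(digest(challenge), self._d, N)  # unpadded RSA, toy only


def host_login(card: ToyCard, pin: str) -> bool:
    """Host side: a fresh nonce per attempt, checked with the public key only."""
    challenge = secrets.token_bytes(32)
    try:
        signature = card.sign_challenge(pin, challenge)
    except PermissionError:
        return False
    n, e = card.public_key
    return pow(signature, e, n) == digest(challenge)


def demo() -> list:
    card = ToyCard(pin="4821")  # constructed sample PIN
    attempts = ["4821", "0000", "1111", "2222", "4821"]
    return [host_login(card, p) for p in attempts]

if __name__ == "__main__":
    print(demo())
```

The final attempt fails even with the correct PIN because three consecutive wrong PINs have blocked the card, which is what limits guessing on a stolen card.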

Smart Card Authentication Benefits

A More Secure Credential

Due to advanced cryptographic capabilities, smart card authentication is more secure than using passwords, RFID, or magnetic stripe cards. Plus, by using a PIN with the smart card, you get an added layer of security. So, even if a smart card is stolen, a would-be thief needs to know the PIN in order to use it.

Smart cards are also tamper-resistant and difficult to hack, clone, or counterfeit. They are manufactured with built-in security features, including metal layers, sensors that detect thermal and UV light attacks, and software and hardware countermeasures to thwart differential power analysis.

In addition, smart cards contain cryptographic elements that protect the information stored on the card and require secure methods to retrieve stored information.

Multi-Purpose

Smart cards are convenient because a single card can serve multiple purposes, eliminating the need for the user to carry multiple cards. For example, one smart card could be used for physical building access, secure computer and network access, and as a user ID (employee, patient, visitor, government, and so on).

Data Storage

The chips embedded in smart cards make it possible to add, store, and update information on the card, including patients’ protected health information (PHI), even after the card has been issued.

Ease of Use  

Smart cards are lightweight, easy to carry, and offer streamlined access. Because smart cards are already widely used for a number of purposes, such as credit cards, most people are already familiar with them and how they work.

Smart Card Authentication Drawbacks

Cost

There is a significant cost associated with purchasing and managing smart cards and readers. A complete smart card authentication system is expensive to build, customize, secure, deploy, and replace.

Although there are many inexpensive reader options, smart cards themselves are typically more expensive than other options, such as proximity-based RFID cards and magnetic stripe cards. On average, they cost about $50 per card to deploy if the issuance costs are included on top of the physical card production. These costs can add up when replacing cards for hundreds or thousands of employees.

Deployment Effort

The costs and effort associated with purchasing, customizing, and implementing smart card authentication systems make deployment a much greater hurdle than it is for other authentication methods. Moreover, many organizations have existing card and reader technologies in place. Ripping and replacing these existing investments involves substantial effort and cost, preventing many from making the shift, despite the enhanced security features smart cards have to offer.

Not the Be-All, End-All for Security

Although smart cards are often touted for their security, there are some security downsides. Smart cards won't help in scenarios where cyber attacks result from unpatched software or from tricking a user after the initial logon. Once the smart card user’s computer is compromised, it’s possible to manipulate the card’s client software, copy the digital certificate out of the local cache (if present), and keylog the user’s PIN.

Can Be Lost or Stolen

Because smart cards are small and lightweight, they are easily lost or stolen. Although they require a PIN to deter would-be thieves, these cards can also contain sensitive personal information, such as financial information and PHI. If this type of data is accessed, there could be serious consequences, such as identity theft. Additionally, because smart cards are often used for multiple functions, losing a card is more inconvenient for the user.

Breakable Form Factor

Another concern is that smart cards are typically made of flimsy plastic that can be broken with relative ease. This is particularly an issue with active user populations, such as military personnel, maintenance workers, and other users who don’t work behind desks.

Are Smart Cards Right for Your Organization?

Smart cards are a multi-purpose option for organizations looking to couple physical and digital access. They also offer stronger security than many other types of credentials.

However, there are higher costs and greater effort associated with purchasing, customizing, and deploying smart card authentication, so there may be more affordable and secure alternatives that meet your organization’s needs.

If smart cards align with your organization’s priorities, finding a solution with the right capabilities is crucial to minimizing the associated time, effort, and costs. We recommend going with a fully integrated smart card management solution that:

  • Manages the creation and lifecycle management of smart card devices and PKI certificates out of the box
  • Provides broad support for contact and contactless smart card technology in card and token forms
  • Delivers all the necessary components to successfully deploy, manage, and use smart card technology with PKI, including the smart cards, smart card readers, smart card management, PKI certificate management, and professional services

Whether you decide to implement smart card authentication or not, selecting a comprehensive authentication platform, such as RapidIdentity, that offers flexibility and a broad range of authentication methods will help your organization better balance its security needs, compliance requirements, and end-user experience.
