Join Lisa Bock for an in-depth discussion in this video, Using smart cards, tokens, and multifactor authentication, part of IT Security Foundations: Operating System Security (2015).
When providing authentication, we can do this in one of three ways: what you know, in the form of a password, a passphrase, a PIN, or even a lock combination; what you have, such as a smart card, token device, or dongle; or what you are, in the form of a biometric, for example, a fingerprint. A smart card is a credit-card-sized card that contains information on an embedded chip about the user such as credit and buying preferences, loyalty program data, and even medical information.
A smart card is a small device that contains a microchip that has data storage capabilities. It can store several forms of identification such as a fingerprint and a password. Available in several form factors such as cards, key fobs, and USB tokens. Uses include access control. For example, employee access and ID badges. Membership cards for nightclubs, VIP access cards, or preferred door entry cards.
Banking cards, used as credit or electronic purse used to store currency for purchases. Health care stores patient history and medical information, and also can be used for single sign-on to log onto computers. The card itself can be contact or contactless. With a contact card, you must have contact with the device, physical contact. Contactless cards are radio-read smart cards, which allow the free movement of people through systems.
A smart card can be used as a security token. For higher security needs, we can store information such as a user's picture or fingerprints. It can hold encryption keys used for data encryption systems such as Microsoft's BitLocker or a software dongle where only licensed users can access the software. A software dongle looks simply like a flash drive. Smart cards are typically used as part of a multifactor authentication solution.
A user swipes the card into the smart card reader and the card will implement multiple forms of authentication such as a password or biometric identifier. The data is processed on the smart card, which eliminates the need for it to be transmitted to another machine, which, in turn, helps reduce the threat of theft of data stored on a system. A smart card and a memory card are two different things. Both are considered tokens. A memory card can hold, but cannot process, information.
A smart card will hold information and can process information. There are some issues to consider. First of all, make sure that that smart card is compatible with the system that is in use. The organization would also have to consider the management of the cards within the organization. The smart card or token should be user friendly and portable. Keep in mind, cards can get lost and forgotten. Company logos should not be used on the card, and don't mark them as anything special.
Items to consider are possible future use for that card, such as adding encryption or biometric data. I'm at this webpage here where we can see the Department of Defense has provided developer support for a common access card. As we'll see and most likely in the future, a smart card or a token will be used in a lot of ways as part of a multifactor authentication system.
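The memory card versus smart card distinction described in the transcript, combined with the card-plus-PIN multifactor flow, as an added example that is not part of the course material. The class names, the HMAC-SHA256 challenge-response scheme, the three-attempt PIN limit and the sample PIN are assumptions made for illustration; real cards commonly use asymmetric keys held in the chip.

```python
import hashlib
import hmac
import secrets

class MemoryCard:
    """Holds data but cannot process it: any reader receives the raw secret."""
    def __init__(self, secret: bytes):
        self._secret = secret
    def read(self) -> bytes:
        return self._secret          # secret leaves the card and can be copied

class SmartCard:
    """Holds a key and computes on-card: only a PIN-gated response leaves."""
    MAX_TRIES = 3                    # assumed retry limit for this sketch
    def __init__(self, key: bytes, pin: str):
        self._key, self._pin, self._tries = key, pin, self.MAX_TRIES
    def respond(self, pin: str, challenge: bytes) -> bytes:
        if self._tries == 0:
            raise PermissionError("card blocked")
        if not hmac.compare_digest(pin.encode(), self._pin.encode()):
            self._tries -= 1         # wrong PIN burns one attempt
            raise PermissionError("wrong PIN")
        self._tries = self.MAX_TRIES
        return hmac.new(self._key, challenge, hashlib.sha256).digest()

class Verifier:
    """Host side: issues one-time challenges and checks the card's response."""
    def __init__(self, key: bytes):
        self._key, self._pending = key, set()
    def new_challenge(self) -> bytes:
        c = secrets.token_bytes(16)
        self._pending.add(c)
        return c
    def check(self, challenge: bytes, response: bytes) -> bool:
        if challenge not in self._pending:
            return False             # unknown or already used (replay)
        self._pending.discard(challenge)
        expected = hmac.new(self._key, challenge, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)

def demo() -> dict:
    key = secrets.token_bytes(32)    # constructed sample key, provisioned to card and host
    card, host = SmartCard(key, "4321"), Verifier(key)
    c = host.new_challenge()
    r = card.respond("4321", c)      # what you have (card) plus what you know (PIN)
    return {"login": host.check(c, r), "replay": host.check(c, r),
            "key_exposed": key in (c, r)}

if __name__ == "__main__":
    print(demo())
```

A lost card in this sketch locks itself after three wrong PINs, while a lost memory card hands its stored secret to whatever reader it is placed in.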
Note: This training maps to a number of the exam topics on the Microsoft Technology Associate (MTA) Security Fundamentals exam (98-367). See https://www.microsoft.com/learning/en-us/exam-98-367.aspx for more information.
- Apply security principles to create a strong password.
- Define RADIUS.
- Describe how permissions work.
- Review how to save and secure audit files.
- Explain hardening, updates, and patches.
- Identify ways to protect the email server.