Bickford, Sun's Director of Corporate Technology Services, heads up the company's JavaBadge program, which aims to use one single smart card to replace a host of different functions. Initially, says Bickford, Sun -- like many companies which are exploring smart card technology -- will focus on security uses. Bickford uses her JavaBadge to enter her building in the morning. When she gets to her office, she inserts it into a smart card reader built into her computer, which identifies her to the system and, after requesting that she type in a PIN, allows her to log onto the Sun network.
Sun has used cards with magnetic strips as employee identification for years. But the mag strip on those card tends to wear off, and the data on it can get scrambled if placed too close to powerful magnets. And, most significantly, they can only hold a few hundred characters of data. Smart cards, on the other hand, typically store up to 32,000 bytes, and 64K cards are now starting to enter the market.
That means they can hold enough information to store a biometric identifier, such as a fingerprint or iris scan, along with the of the card holder's Public Key Infrastructure (PKI) data, which let them digitally sign documents and send and receive encrypted email.
Sun kicked off its smart card program early this year with a small pilot program involving about 200 users. This summer, says Bickford, it will give the new cards to 5,000 employees at one of its campuses, and if all goes well, will roll the cards out to the rest of the company in the fall. Sun has about 40,000 employees.
Sun is not the only company turning to smart cards:
A Management Challenge for IT
As smart card technology becomes more common, it is becoming easier to implement it. Smart card readers are now standard equipment on several models of Sun workstations, including the Sun Ray diskless workstation, and the Sun Blade. Hewlett-Packard is also offering workstations with built-in card readers.
But the technology poses other challenges. For one thing, the multi purpose nature of the cards means that IT departments don't necessarily own the technology by themselves. At Sun, the smart card program emerged several years ago when the company began realizing that different groups across the company were looking at using cards for widely different purposes.
"The IT department wanted to start deploying PKI certificates throughout the company, and was looking at a card just for that," says Bickford. "At the same time, finance and human resources were looking at cashless campus cards, and the corporate security people wanted to move from the mag strip readers on our doors to contactless proximity readers, which have less wear and tear and need less maintenance."
There can be "lots of logistical issues" in implementing a smart card project, says Lolie Kull, who manages the smart card project for the Bureau of Diplomatic Security at the U.S. State Department.
The State Department has provided about 20,000 of its employees with smart cards, which will be used to control entry to government buildings and embassies, as well as network access. So far, however, only the State Department's main Harry S. Truman office building in Washington, D.C. has been equipped with readers for the new cards. Installing readers on the remaining State Department facilities may take up to a year, says Kull, during which time employees who use more than one building will have to carry two cards.
Triple Threat to Hackers
There is also the question of security. The industry, not surprisingly, claims smart cards are safe. But in May, two researchers at Cambridge University reported that they had used duct tape, an camera flash and a standard laboratory microscope to read hidden data from a smart card.
Many industry experts say that method of attacking smart cards does not pose a threat, and claim that they may actually be more difficult to hack than other technologies. Smart cards pose a triple-threat to potential hackers, says Albert Leung, Business Development Manager for Java Card technology at Sun Microsystems. "Smart cards can combine three different types of authentication: what you know, like a password, what you carry physically -- the card itself -- and what you are, if you require a biometric measure like a fingerprint or retina scan."