Download the authoritative guide: Cloud Computing 2018: Using the Cloud to Transform Your BusinessFor several years now the smart card has been touted as the answer to a lot of authentication and security questions. It's sounded the death knell of the password year after year.
But the password hasn't shown any signs of going anywhere. The smart card, on the other hand, has had a slow start, with few companies jumping on board with it.
The tide may be turning, though... finally.
The U.S. government is pushing for smart cards to be issued to federal employees and contractors starting this October. While an official estimate has not been released as to how many cards will be issued in total, the Department of Defense alone reports that it plans on handing out 3.6 million cards to military personnel, employees and contractors.
''We're looking at an evolution here,'' says Mark Diodati, an analyst in identity and privacy strategy services at the Burton Group, an industry analyst firm based out of Salt Lake City, Utah. ''People have always talked about the revolution coming. It's not. You'll see federal employees carrying cards and then you'll see consumers carrying cards in the form of contactless debit cards. And then as Vista becomes commonplace out there, it will pick up more.
''Real commercial adoption will be driven by the Swiss Army knife aspect of it,'' he adds. ''Here's your card -- it gets you into the building and logs you onto Windows and then it'll buy your lunch in the cafeteria... People will start to look at this technology.''
A smart card doesn't appear all that different from a regular credit card, but this device will have a small, embedded computer chip, which can perform tasks and store information. The cards can be used, instead of traditional keys, to gain access to buildings. They can be used as digital wallets, loaded up with a certain amount of money that can be spent in corporate cafeterias, for instance.
But smart cards are getting the most attention for their network security uses. With the addition of smart card readers to corporate work stations, smart cards can be used along with a PIN code, creating two-factor authentication.
Neal Creighton, chief executive officer of GeoTrust, Inc., a major digital certificate provider based out of Needham, Mass., says growing network security concerns will be a major driver of smart card adoption over the next couple of years. ''The environments are a lot more ready,'' he says. ''The entire Microsoft system is ready for this. It's all integrated so smart cards can be used much more easily. In the past, you had to do a lot of integration work. Now, it's already there.''
At the RSA Security Conference last month in San Jose, Calif., Microsoft Chairman Bill Gates told the keynote audience that he finally has the right tools to supplant the password. Of course, this isn't the first time Gates has said the password is going the way of the dinosaur. In 1999, Microsoft unveiled its first stab at an alternative authentication technology -- the Passport single sign-on service. It died. The password lived on.
This time, Gates says he doesn't expect the password to die off over night. In three or four years, though, he says he seems them becoming part of the corporate security arsenal. And he's adding increased smart card support to Vista to back that up.
At Steag AG, an electricity generator and distributor based in Essen, Germany, they've been slowly but surely implementing smart card technology for the past two years.
Frank Pooth, IT project manager for Steag, says they started out issuing employee cards for access control to the physical buildings. Next, they'll move on to securing email with smart cards. Eventually, the cards also will be used for access to printers and scanners, as well as to pay for food bought in the company canteen.
''We won't give employees a second smart card,'' says Pooth. ''We will give them one employee cad that will solve all of our problems with access to the building and to IT resources... We don't plan to implement it on all systems at one time. We will take it step by step. It will take, for the whole company, three years.''
Pooth said they have taken on the project because it's making them more secure and it's saving them money at the same time.
''In combination with a single sign-on strategy, you have a more secure log-on technique,'' he says, adding that it will be cheaper to support one authentication system across the board, rather than a different system for every need. ''You combine what you know and what you have and that's the smart card. It's more secure.''
Falling Prices -- Increasing Sales
Creighton says a drop in the cost of smart cards and related technologies will play a big part in corporate America deciding to implement them.
''If you look at when the technology was really hyped, it was early and it wasn't easily integrated,'' he says. ''It was really expensive. That's where we were. Now it's integrated and at a much lower cost. All those components are there now so it's a much easier decision for people.''
According to Creighton, a company of 5,000 employees could deploy smart cards today for under $10 a user -- and that includes the cards and the readers.
That price should drop even a little more if smart card adoption is planned into periodic hardware upgrades, says Randy Vanderhoof, executive director of the Smart Card Alliance, a non-profit industry association based in Princeton Junction, N.J.
Vanderhoof notes that obviously an adoption will be more expensive if a company is starting from scratch, buying the cards and readers, paying for training. The key will be to upgrade to desktops and laptops that already come with smart card readers and technology built in.
''In most companies, they go through a desktop refresh every few years,'' he says. ''One of the options is to buy PCs with smart card readers already built into them or the keyboard... Companies will slowly migrate to smart cards as they upgrade.''
As for the password, Diodati says it will be hanging around for the foreseeable future.
''The password is a ubiquitous form of authentication that is never going away,'' he adds. ''There are legacy applications that will never open themselves up to PKI-based authentication... And there are going to be applications that are low-risk. Maybe you're not moving money around or doing something else that is high risk. Then a password might be the right level of authentication for that. They're portable. Everyone knows how to use them. They'll be around for quite some time.''