For several years now the smart card has been touted as the answer to a
lot of authentication and security questions. It’s sounded the death
knell of the password year after year.
But the password hasn’t shown any signs of going anywhere. The smart
card, on the other hand, has had a slow start, with few companies jumping
on board with it.
The tide may be turning, though… finally.
The U.S. government is pushing for smart cards to be issued to federal
employees and contractors starting this October. While an official
estimate has not been released as to how many cards will be issued in
total, the Department of Defense alone reports that it plans on handing
out 3.6 million cards to military personnel, employees and contractors.
That means millions of Americans will become smart card holders over the
course of the next year. Couple that with the fact that the upcoming
version of Microsoft Windows adds increased smart card support and the
falling prices of both smart cards and their readers, and industry
watchers say smart cards may finally start to get some of the traction
that people have been expecting all along.
“We’re looking at an evolution here,” says Mark Diodati, an analyst in
identity and privacy strategy services at the Burton Group, an industry
analyst firm based out of Salt Lake City, Utah. “People have always
talked about the revolution coming. It’s not. You’ll see federal
employees carrying cards and then you’ll see consumers carrying cards in
the form of contactless debit cards. And then as Vista becomes
commonplace out there, it will pick up more.
“Real commercial adoption will be driven by the Swiss Army knife aspect
of it,” he adds. “Here’s your card — it gets you into the building and
logs you onto Windows and then it’ll buy your lunch in the cafeteria…
People will start to look at this technology.”
A smart card doesn’t appear all that different from a regular credit
card, but this device will have a small, embedded computer chip, which
can perform tasks and store information. The cards can be used, instead
of traditional keys, to gain access to buildings. They can be used as
digital wallets, loaded up with a certain amount of money that can be
spent in corporate cafeterias, for instance.
But smart cards are getting the most attention for their network security
uses. With the addition of smart card readers to corporate workstations,
smart cards can be used along with a PIN code, creating two-factor
authentication.
Neal Creighton, chief executive officer of GeoTrust, Inc., a major
digital certificate provider based out of Needham, Mass., says growing
network security concerns will be a major driver of smart card adoption
over the next couple of years. “The environments are a lot more ready,”
he says. “The entire Microsoft system is ready for this. It’s all
integrated so smart cards can be used much more easily. In the past, you
had to do a lot of integration work. Now, it’s already there.”
At the RSA Security Conference last month in San Jose, Calif., Microsoft
Chairman Bill Gates told the keynote audience that he finally has the
right tools to supplant the password. Of course, this isn’t the first
time Gates has said the password is going the way of the dinosaur. In
1999, Microsoft unveiled its first stab at an alternative authentication
technology — the Passport single sign-on service. It died. The password
lived on.
This time, Gates says he doesn’t expect the password to die off
overnight. In three or four years, though, he says he sees them becoming
part of the corporate security arsenal. And he’s adding increased smart
card support to Vista to back that up.
Corporate Implementation
At Steag AG, an electricity generator and distributor based in Essen,
Germany, they’ve been slowly but surely implementing smart card
technology for the past two years.
Frank Pooth, IT project manager for Steag, says they started out issuing
employee cards for access control to the physical buildings. Next,
they’ll move on to securing email with smart cards. Eventually, the cards
also will be used for access to printers and scanners, as well as to pay
for food bought in the company canteen.
“We won’t give employees a second smart card,” says Pooth. “We will
give them one employee card that will solve all of our problems with
access to the building and to IT resources… We don’t plan to implement
it on all systems at one time. We will take it step by step. It will
take, for the whole company, three years.”
Pooth said they have taken on the project because it’s making them more
secure and it’s saving them money at the same time.
“In combination with a single sign-on strategy, you have a more secure
log-on technique,” he says, adding that it will be cheaper to support
one authentication system across the board, rather than a different
system for every need. “You combine what you know and what you have and
that’s the smart card. It’s more secure.”
Falling Prices — Increasing Sales
Creighton says a drop in the cost of smart cards and related technologies
will play a big part in corporate America deciding to implement them.
“If you look at when the technology was really hyped, it was early and
it wasn’t easily integrated,” he says. “It was really expensive. That’s
where we were. Now it’s integrated and at a much lower cost. All those
components are there now so it’s a much easier decision for people.”
According to Creighton, a company of 5,000 employees could deploy smart
cards today for under $10 a user — and that includes the cards and the
readers.
That price should drop even a little more if smart card adoption is
planned into periodic hardware upgrades, says Randy Vanderhoof, executive
director of the Smart Card Alliance, a non-profit industry association
based in Princeton Junction, N.J.
Vanderhoof notes that adoption will obviously be more expensive if a
company is starting from scratch, buying the cards and readers and paying
for training. The key will be to upgrade to desktops and laptops that
already come with smart card readers and technology built in.
“In most companies, they go through a desktop refresh every few years,”
he says. “One of the options is to buy PCs with smart card readers
already built into them or the keyboard… Companies will slowly migrate
to smart cards as they upgrade.”
As for the password, Diodati says it will be hanging around for the
foreseeable future.
“The password is a ubiquitous form of authentication that is never going
away,” he adds. “There are legacy applications that will never open
themselves up to PKI-based authentication… And there are going to be
applications that are low-risk. Maybe you’re not moving money around or
doing something else that is high risk. Then a password might be the
right level of authentication for that. They’re portable. Everyone knows
how to use them. They’ll be around for quite some time.”