Strong Authentication Using Smart Card Technology for Logical Access

Publication Date: November 2012

Organizations globally are implementing strong solutions for authenticating an individual’s identity before allowing that person to access computer networks, systems, and applications. Identity authentication comprises multiple steps. In general, an individual must prove his or her identity; a credential is then established that asserts proof of, or authenticates, the individual’s identity. Three types of determinants, or factors, can be required to tie an individual to an established credential: ownership (something you have, such as a card or badge), knowledge (something you know, such as a password or your mother’s maiden name), and inherence (something you are: biometric data, such as a fingerprint or iris pattern). The specific evidence an individual provides to support each factor (the card, the password, the fingerprint) is called an authentication token. Multiple factors can be required, and each can be supported by a variety of appropriate tokens, ranging from simple passwords to information encrypted using the public key infrastructure (PKI).

The increasing number and popularity of e-commerce business applications, the migration to cloud-based systems, critical requirements by employees and customers for remote information access, and the move to bring-your-own-device implementations all argue for strong authentication. Organizations that have been victimized by security breaches also recognize the necessity of protecting systems and information from increasingly sophisticated attacks. And government regulations, such as the Health Insurance Portability and Accountability Act (HIPAA), now mandate information security and employee, patient, and consumer data privacy.

Strong authentication has no precise definition; it is not a strictly mathematical concept with quantitative measurements but rather a qualitative measure that is evaluated using a relative scale. The strength of an authentication process depends on the number of factors involved, the reliability of the token associated with each factor, and the confidence level that an authentication token is neither compromised nor circumvented.

Smart card technology provides an excellent platform for implementing strong authentication. Smart cards can support and protect authentication tokens, storing password files, PKI certificates, one-time password seed files, and biometric image templates securely. The card can also generate asymmetric key pairs. A smart card used in combination with one or more authentication tokens provides strong multifactor authentication that significantly strengthens logical access security. Smart card technology also permits authentication tokens to be carried on a single smart card. The single smart card can be used for both physical and logical access authentication, enhancing the security and privacy of the overall authentication process.

In addition, smart cards can support a variety of the applications used by many organizations, including password management, virtual private network authentication, e-mail and data encryption, electronic signatures, secure wireless network logon, and biometric authentication. Smart card technology is available in multiple form factors, such as a plastic card (with contact or contactless communication capabilities, or both), a USB device, or a secure element that can be embedded in a mobile phone or other device.

Multiple industries already use smart card technology for strong authentication, including banks, manufacturers, business and government consulting firms, and universities. The most striking example of such use is the Federal government’s adoption of smart card technology for the Personal Identity Verification (PIV) card mandated by Homeland Security Presidential Directive 12 (HSPD-12). The white paper includes different use cases that describe how smart card technology-based strong authentication can be incorporated into enterprise employee identity credentials, consumer online banking identity credentials, and patient and provider healthcare cards. A card-based identity credential can also be used to support payment applications, such as transit fare payment.

The intelligent use of smart cards can be critical to the security backbone of an organization’s identity management system, supporting the strong authentication required to validate any individual who accesses that organization’s information resources.

About the White Paper

The Smart Card Alliance Access Control Council developed this white paper to discuss the benefits of using smart card technology for strong authentication for logical access.
Participants involved in the development of this document included: AMAG Technology; Consult Hyperion; Damalas LLC; Marty Frary; Gemalto; GSA; HID Global; HP Enterprise Services; Identification Technology Partners; Identive Group; IDmachines; IQ Devices; LaChelle LeVan; NagraID Security; NXP Semiconductors; Oberthur Technologies; Roehr Consulting; SAIC; U.S. Department of Defense/Defense Manpower Data Center; U.S. Department of State.

About the Smart Card Alliance Access Control Council

The Smart Card Alliance Access Control Council is focused on accelerating the widespread acceptance, use, and application of smart card technology for physical and logical access control. The group brings together, in an open forum, leading users and technologists from both the public and private sectors and works on activities that are important to the access control community and that will help expand smart card technology adoption in this important market.