What are the pros and cons of using a smart card for enterprise authentication?
In a recent question regarding password strength, it was pointed out that passwords are a weak solution that requires many processes and a lot of education in order to work as a strong authentication service. For strong authentication, it is agreed by most that smart cards (or two-factor authentication) are still a better choice.
Smart cards provide higher assurance levels for authentication since the user needs to provide both something they have (the smart card) and something they know (a PIN or password) to gain access. Smart cards also provide tamper-proof storage of user and account identity.
In addition, multifunction cards can serve as physical/network/system access and store certificates along with other data. By incorporating smart cards, username/password compromises are eliminated, and a person can't deny participation in a transaction due to the non-repudiation that smart card-based authentication provides.
Of course, smart card deployments have a number of issues as well. Physical issuance can be difficult for large populations of users. Legacy applications must be modified to accept smart cards in lieu of passwords, or infrastructure services must be used as initial entry points for the applications (e.g. Web-access management systems, portals, SSO platforms, etc.). Enterprises must develop policies for the use, protection and collection of smart cards at employee termination. Physical and logical authentication devices and servers must share services -- something a lot of facilities and IT personnel aren't comfortable with.
And what about costs? Smart cards are physical devices and must be purchased and maintained. Smart cards, along with their configuration and management systems, require capital investment, something there may not be a lot of in the current economic climate. Finally, there's the loss issue. Since physically having a smart card is required for authentication, what does an enterprise do if an employee loses or leaves his or her smart card at an unknown or public location?
Smart cards can provide a tremendous benefit when it comes to accessing sensitive information securely, but they also require an architecture that clearly understands their use and also benefits the organization.
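The answer above describes the mechanism only in words. The following is an added example, not code from the original page or from any vendor, that simulates the exchange in Go with the standard library: the card holds a private key that never leaves it and will only sign a server-chosen challenge after a correct PIN (possession plus knowledge), the retry counter blocks the card after repeated wrong PINs, the server consumes each challenge once so a captured signature cannot be replayed, and the "lost card" path is handled by revoking the enrolled key rather than changing a shared secret. The user names, the PINs, the retry limit of three and the in-memory enrollment and revocation maps are assumptions for illustration; a real deployment does the signing in the card's secure element and the server validates an X.509 certificate against a CRL or OCSP rather than a map.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
)

const maxPINRetries = 3 // assumed retry limit; real cards typically use 3-5

// SmartCard stands in for the card's secure element: the key is generated on
// the card and never exported, and the card signs only after a correct PIN.
type SmartCard struct {
	priv    *ecdsa.PrivateKey // never leaves the card
	pinHash [32]byte
	retries int
	blocked bool
}

func NewSmartCard(pin string) (*SmartCard, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &SmartCard{priv: priv, pinHash: sha256.Sum256([]byte(pin)), retries: maxPINRetries}, nil
}

// PublicKey is what the enterprise binds to the user in the issued certificate.
func (c *SmartCard) PublicKey() *ecdsa.PublicKey { return &c.priv.PublicKey }

// Sign proves possession (only this card holds priv) and knowledge (the PIN).
// Signing a server-chosen challenge prevents replay; because only this card
// could have produced the signature, it also serves as non-repudiation evidence.
func (c *SmartCard) Sign(pin string, challenge []byte) ([]byte, error) {
	if c.blocked {
		return nil, errors.New("card blocked: PIN retry counter exhausted")
	}
	h := sha256.Sum256([]byte(pin))
	if subtle.ConstantTimeCompare(h[:], c.pinHash[:]) != 1 {
		c.retries--
		if c.retries == 0 {
			c.blocked = true
		}
		return nil, fmt.Errorf("wrong PIN, %d tries left", c.retries)
	}
	c.retries = maxPINRetries
	digest := sha256.Sum256(challenge)
	return ecdsa.SignASN1(rand.Reader, c.priv, digest[:])
}

// Server is the relying party. enrolled stands in for issued certificates;
// revoked is what the help desk adds to when a card is reported lost.
type Server struct {
	enrolled map[string]*ecdsa.PublicKey
	revoked  map[string]bool
	pending  map[string][]byte // outstanding challenge per user, single use
}

func NewServer() *Server {
	return &Server{enrolled: map[string]*ecdsa.PublicKey{}, revoked: map[string]bool{}, pending: map[string][]byte{}}
}

func (s *Server) Enroll(user string, pub *ecdsa.PublicKey) { s.enrolled[user] = pub }

// Revoke cuts off a lost card by blocking its key; no secret has to be rotated.
func (s *Server) Revoke(user string) { s.revoked[user] = true }

// Challenge issues a fresh random nonce for an enrolled, unrevoked user to sign.
func (s *Server) Challenge(user string) ([]byte, error) {
	if _, ok := s.enrolled[user]; !ok || s.revoked[user] {
		return nil, errors.New("unknown or revoked user")
	}
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	s.pending[user] = nonce
	return nonce, nil
}

// Verify consumes the outstanding challenge (so a captured signature cannot be
// replayed) and checks the signature against the enrolled public key.
func (s *Server) Verify(user string, sig []byte) bool {
	nonce, ok := s.pending[user]
	delete(s.pending, user) // single use, whether or not verification succeeds
	if !ok || s.revoked[user] {
		return false
	}
	digest := sha256.Sum256(nonce)
	return ecdsa.VerifyASN1(s.enrolled[user], digest[:], sig)
}

func main() {
	card, _ := NewSmartCard("1234") // assumed PIN for the walk-through
	srv := NewServer()
	srv.Enroll("alice", card.PublicKey())
	nonce, _ := srv.Challenge("alice")
	sig, _ := card.Sign("1234", nonce)
	fmt.Println("card + correct PIN:", srv.Verify("alice", sig)) // true
	fmt.Println("replayed signature:", srv.Verify("alice", sig)) // false
	nonce, _ = srv.Challenge("alice")
	for i := 0; i < maxPINRetries; i++ {
		_, err := card.Sign("0000", nonce)
		fmt.Println("wrong PIN:", err)
	}
	_, err := card.Sign("1234", nonce)
	fmt.Println("correct PIN after lockout:", err) // card blocked
	srv.Revoke("alice")
	_, err = srv.Challenge("alice")
	fmt.Println("after revocation:", err) // unknown or revoked user
}
```

The two places where the answer's caveats bite are visible in the code: the password-style compromise goes away because the server never stores anything that authenticates by itself (a stolen public key or a captured signature is useless), and the lost-card problem is handled entirely on the server side by revocation, which is why the issuance and revocation process, not the cryptography, is where most of the deployment cost lands.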