Using smartcards to log on to PCs
By Dan Isaaman, Technical Director, Smartcard Focus
Theft and sensitive data loss
Despite the many stories of laptops left in taxis, and the sensitivity of the data they carried, it is still startling that a laptop is stolen every minute and that 97% are never recovered. While a lost computer may cost under £1000 to replace, the loss of the documents, project management data, personal identity information and contact data on it could prove to have a much higher value.
The same applies to desktop PCs, even when they reach the end of their life and are disposed of. Many cases of industrial espionage and corporate ‘hacking’ can be traced back to insecure passwords and inappropriate or non-existent management of user logon accounts.
Although smartcard-based authentication may not prevent a theft in the first place, or guard against sheer forgetfulness, it can stop many attempts to read private data, can help to prevent ‘leakage’ of passwords, and can improve tracking and accountability throughout an organisation.
Unfortunately, people forced to use passwords tend either to pick very simple ones (which are easy to ‘crack’ or guess) or to write them down. Many also use the same password for everything.
Studies have shown that the average person cannot remember more than 6 random numbers and letters unless these are firmly committed to memory, while it is common for organisations to require 8-character ‘complex’ passwords that may change frequently.
Wherever user authentication is used, it is vital that only the right people are able to access the information they are authorised to see. By using smartcards, we can increase the level of security for authentication, while at the same time improving the user experience.
It’s common knowledge that the best option for improving security over and above the use of a username and password is to combine ‘what you have’ with ‘what you know’. This is called two-factor authentication, and it is the same principle used to secure chip-and-PIN transactions.
- Smartcard (what you have)
- PIN (what you know)
Two-factor authentication solutions can be implemented in several ways, using either a smartcard or another kind of secure device such as a plug-in USB token or a stand-alone key-ring or ‘calculator-style’ passcode generator.
In all cases, you are now authenticating the person as well as the device. This is essential for improved security, particularly for organisations with a mobile or changing workforce. Mobile workers can sometimes be the most highly valued in any company and often carry the most sensitive data with them.
While the use of two-factor authentication can improve security, it becomes impractical for typical systems or organisations to implement separate secure log-ins for each application. This might end up with a user having separate cards or tokens (and PINs!) for logging onto their PC, accessing email, logging into corporate applications and using, say, online banking services.
The solution is ‘single-sign-on’ (SSO), which uses one secure authentication process to validate the user, and then allows multiple applications to be accessed under common control, even if they still use ‘old-fashioned’ passwords.
Smartcards have been used for some time in various industries, notably banking and mobile telephony. In all cases, they represent one of the most successful ways of providing a secure, tamper-proof means of storing sensitive information. Whether this information is simply your password, or a set of complex encryption keys, is unimportant. The success of the smartcard relies on its familiar format – something that people are used to carrying – as well as the industry’s ability to continue to innovate and protect people’s data safely and inexpensively.
The increasing growth of the smartcard market, and the fact that it is based on strong international standards, has meant that the costs of both cards and PC-based smartcard readers have dropped considerably. A high quality USB reader now retails at £20 or less, while cards with powerful on-board data storage and encryption facilities cost less than £10.
It is not surprising, therefore, that there has been a rapid expansion in the number of available software solutions providing various different levels of authentication and security protection for PCs and networks. These solutions generally fall into three groups:
- Local password storage - storing existing logon account details locally (eg your username and password are stored on a card, protected by a PIN). This can be enhanced with SSO facilities for local applications.
- Central password storage - storing existing logon account details centrally (eg your username and password are encrypted and stored on a server, with the card, itself protected by a PIN, providing the decryption key). This can also be enhanced with SSO, managed centrally.
- Central password replacement - Typically used in larger organisations, public key infrastructure (PKI) systems effectively replace usernames and passwords with a standardised identity management system based on digital certificates, which can be stored securely on a smartcard along with your private keys. Such schemes can also include SSO facilities, but normally each application is ‘PKI-enabled’ to use the full identity management facilities provided by the infrastructure, which is built to suit the organisation.
Smartcards can be the “what you have” component in all of these two-factor authentication schemes, and the “what you know” is usually a passcode or PIN.
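To make the first two groups concrete, here is an added Go example (not code from the article, nor from any Smartcard Focus product) that models a PIN-gated card with a retry counter, the local flow where the credentials are read straight off the card once the PIN is correct, and the central flow where the server holds the credentials only as AES-256-GCM ciphertext and the card releases the key. The Card, Vault, Enrol, LogonLocal and LogonCentral names, the three-try limit and the sample credentials are all assumptions made for illustration; real cards implement the PIN check and counter in the chip's firmware.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/subtle"
	"errors"
	"fmt"
)

const maxTries = 3 // assumed PIN retry limit before the card blocks itself

// Card models the PIN-protected storage of a smartcard. The PIN check and the retry
// counter run "on the card": the PC only learns success, failure or blocked.
type Card struct {
	pin    []byte
	tries  int
	secret []byte // local mode: the logon credentials; central mode: the decryption key
}

// NewCard personalises a card with a PIN and the secret it protects.
func NewCard(pin string, secret []byte) *Card {
	return &Card{pin: []byte(pin), tries: maxTries, secret: secret}
}

// Unlock compares the PIN in constant time and releases a copy of the secret. Each wrong
// PIN consumes one try; at zero the card blocks until an administrator unblocks it.
func (c *Card) Unlock(pin string) ([]byte, error) {
	if c.tries == 0 {
		return nil, errors.New("card blocked: PIN retry counter exhausted")
	}
	if subtle.ConstantTimeCompare(c.pin, []byte(pin)) != 1 {
		c.tries--
		return nil, fmt.Errorf("wrong PIN, %d attempt(s) left", c.tries)
	}
	c.tries = maxTries // a correct PIN resets the counter
	return append([]byte(nil), c.secret...), nil
}

// Vault is the central variant: the server stores only AES-GCM ciphertext of the
// credentials, and the key stays on the card until a valid PIN is entered.
type Vault struct{ Nonce, Ciphertext []byte }

func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Enrol encrypts the user's credentials under the card's key for storage on the server.
func Enrol(key, creds []byte) (*Vault, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return &Vault{Nonce: nonce, Ciphertext: gcm.Seal(nil, nonce, creds, nil)}, nil
}

// LogonLocal is the local-storage flow: the credentials come straight off the card.
func LogonLocal(c *Card, pin string) (string, error) {
	creds, err := c.Unlock(pin)
	return string(creds), err
}

// LogonCentral is the central-storage flow: the card releases the key and the server-held
// vault is decrypted; GCM's authentication tag also rejects a tampered or foreign vault.
func LogonCentral(c *Card, pin string, v *Vault) (string, error) {
	key, err := c.Unlock(pin)
	if err != nil {
		return "", err
	}
	gcm, err := gcmFor(key)
	if err != nil {
		return "", err
	}
	creds, err := gcm.Open(nil, v.Nonce, v.Ciphertext, nil)
	if err != nil {
		return "", errors.New("vault could not be decrypted with this card's key")
	}
	return string(creds), nil
}

func main() {
	key := make([]byte, 32) // constructed sample key; a real card generates it on-chip
	rand.Read(key)
	vault, _ := Enrol(key, []byte("alice:Tr0ub4dor&3-x9!")) // constructed credentials
	card := NewCard("4821", key)
	for _, pin := range []string{"0000", "4821"} {
		creds, err := LogonCentral(card, pin, vault)
		fmt.Printf("PIN %s: creds=%q err=%v\n", pin, creds, err)
	}
}
```

The point of the central variant is that a stolen server backup yields only ciphertext, and a stolen card without its PIN yields nothing; both factors are needed to reassemble the credentials, and the retry counter is what stops a thief simply trying every four-digit PIN.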
Local password storage solutions
Storing a username and password on a smartcard is the simplest and easiest way to add security to your PC. This kind of solution does not need any real investment of time or resources for central management, and therefore has a very low total cost of ownership.
Typically, an existing networked infrastructure of client and server PCs can be secured irrespective of whether they are based on ad-hoc “workgroup” or centralised “domain-based” management, since the essential username and password login system remains the same. The smartcard logon software simply replaces the standard Windows logon box, adding the facility to retrieve these details from the card (subject to correct PIN entry) and then submit them automatically.
Once such a solution is up and running, a card can store much more complex passwords, which improves security while at the same time reducing the number of "forgotten password" incidents and ensuring people no longer write passwords down.
Some solutions go further and offer additional features such as hard-drive encryption and secure storage of notes, bookmarks and web sign-on details.
Central password storage solutions
This kind of solution can be useful for larger organisations that prefer to use a centralised management platform such as Active Directory for their network and user base. It is one step short of a PKI implementation, which can be more expensive and resource-intensive both to set up and to manage, while still offering many of the same benefits in terms of identity management.
Good centralised logon solutions can offer a range of facilities alongside smartcard-based Windows logon, such as single-sign-on, where passwords for multiple applications can be stored and recalled automatically, all tied to a single card and user.
The central management also adds the ability to remotely control user access rights, for instance when employees leave, as well as specific behaviour, such as whether to log users off automatically when their card is removed.
Public Key Infrastructure
PKI solutions tend to be used in larger corporate environments, government departments and other situations where legality, authorship, traceability and interoperability are key factors. PKI uses the concept of digital certificates that are issued to individuals (or other entities, such as web servers) by a central “authority”. Certificates can be used both for authentication to remote and local networks, and also to digitally sign documents and other activities where strong security and legal identity verification are involved.
Luckily, much of the necessary software is already available “for free” in the Windows Server environment, as well as in Netscape-based applications (eg Mozilla Firefox and Thunderbird), although advice and documentation on the subject are somewhat scarce. The Microsoft implementation is, as one might expect, Windows-specific, but other providers offer more comprehensive middleware that can be purchased to run on many different operating systems and to integrate with many third-party solutions. This can enable a web of security to be constructed covering electronic signatures on documents and emails, secure remote access and VPNs, secure login authentication and more.
For Windows platforms, all that is needed to implement a simple PKI scheme within an organisation is a suitable smartcard that can store the cryptographic keys and certificates for each user, plus the “Cryptographic Service Provider” (CSP) software module that accompanies that card. The system administrator must then install and operate the central Certificate Authority (CA) server software, which is responsible for creating and managing user certificates, and which integrates seamlessly into the existing Active Directory environment.
Putting the user’s PKI certificate on a smartcard means it is both portable, so the holder can be authenticated when using different machines at other offices, and secure, because the private keys are held on the card and protected from extraction. It also enables seamless integration with other secure authentication systems such as VPNs and SSL.
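The PKI logon described in this section, as an added Go example that is not code from the article or from any Microsoft or Smartcard Focus product: a CA issues the user a client-authentication certificate for a key pair generated on the card, the logon server sends a random challenge, the card signs it, and the server accepts only a signature that verifies under a certificate chaining to its trusted root. The CA, SmartCard, Enrol, Sign and VerifyLogon names, the ECDSA P-256 keys, the validity periods and the "Example Corp Root CA" name are assumptions made for illustration; PIN entry before signing is omitted here, and a real CSP would also consult revocation data.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// CA is the organisation's certificate authority; its signing key stays on the CA server.
type CA struct {
	Cert *x509.Certificate
	key  *ecdsa.PrivateKey
}

// SmartCard holds the user's certificate plus a private key that never leaves the card;
// signing is the only operation the PC can request of it.
type SmartCard struct {
	Cert *x509.Certificate
	key  *ecdsa.PrivateKey
}

// issue signs tmpl for pub with signer; passing tmpl as its own parent gives a self-signed root.
func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// NewCA creates a self-signed root that is allowed to sign user certificates.
func NewCA() (*CA, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Corp Root CA"}, // assumed name
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().AddDate(10, 0, 0),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	cert, err := issue(tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return &CA{Cert: cert, key: key}, nil
}

// Enrol generates the key pair on the card and has the CA issue a one-year logon
// certificate whose extended key usage is limited to client authentication.
func (ca *CA) Enrol(username string, serial int64) (*SmartCard, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: username},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().AddDate(1, 0, 0),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	cert, err := issue(tmpl, ca.Cert, &key.PublicKey, ca.key)
	if err != nil {
		return nil, err
	}
	return &SmartCard{Cert: cert, key: key}, nil
}

// Sign answers the server's random challenge with an ECDSA signature over its SHA-256 digest.
func (c *SmartCard) Sign(challenge []byte) ([]byte, error) {
	digest := sha256.Sum256(challenge)
	return ecdsa.SignASN1(rand.Reader, c.key, digest[:])
}

// VerifyLogon is the server side: the presented certificate must chain to the trusted root
// and be valid for client authentication, and the signature must cover this very challenge.
// The username is taken from the verified certificate, never from the client's own claim.
func VerifyLogon(root, cert *x509.Certificate, challenge, sig []byte) (string, error) {
	roots := x509.NewCertPool()
	roots.AddCert(root)
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := cert.Verify(opts); err != nil {
		return "", err
	}
	if err := cert.CheckSignature(x509.ECDSAWithSHA256, challenge, sig); err != nil {
		return "", err
	}
	return cert.Subject.CommonName, nil
}

func main() {
	ca, _ := NewCA()
	card, _ := ca.Enrol("alice", 1001)   // constructed user
	challenge := make([]byte, 32)        // fresh nonce per logon attempt
	rand.Read(challenge)
	sig, _ := card.Sign(challenge)
	user, err := VerifyLogon(ca.Cert, card.Cert, challenge, sig)
	println("authenticated as:", user, "err:", err == nil)
}
```

Because the server issues a new random challenge for every attempt, a signature captured on the wire is useless a second time, and because the user's identity is read out of the CA-signed certificate, the server never has to store or compare a password at all; this is what lets the same card also serve VPN and SSL client authentication without further enrolment.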
Physical access control
Another benefit of using a smartcard-based log-on solution is that, with little additional effort, the same cards can be made to work with door access and other physical access systems. There are several technical approaches to this, but by choosing the right kind of card, often one that simply has both a smartcard chip (for log-on) and a contactless chip (for door access) in the same piece of plastic, the two systems can be implemented independently of each other.
Smartcard products and solutions
Smartcard Focus is a value-added distributor and reseller of smartcard products, including different types of cards, readers and ready-made software packages that can be bought off-the-shelf and implemented by most PC users and IT departments.
Based in the UK, the company has extensive experience and technical know-how built up over many years, and relationships with many of the world’s premier manufacturers in this industry. For various smartcards and PC logon solutions, please browse our web site or contact us with your specific requirements.