Security /

In real life, smart cards are gaining on passwords alone

By Daniel Blum
Network World, 07/16/01

An early scene in the new movie "Swordfish" shows a hacker with a gun to his head, fingers flying fast and furious, cracking into a site seconds before his time limit expires. Later, I thought that if only the site in question had required smart card logon, the movie could have ended there and spared us another hour of unbelievable plot line and overdone special effects.

But like many sites, the fictional one in "Swordfish" relies on passwords, an increasingly frayed authentication solution. With password-cracking programs, dictionary attacks and ever-increasing computational power, it's gotten so the only "strong password" is a long gibberish character string you can't remember - but better not write down.

Smart cards and other access tokens rely on one-time-only passwords, challenge-response phrases or public-key security to dramatically increase authentication strength.

Each token adds another authentication factor by requiring that users possess the physical device, and most require that users remember a password. Smart cards are particularly interesting because they can enable encryption and digital signatures in addition to authentication.

Two-factor authentication is almost always better than one-factor. Actual authentication strength depends just as much on authentication policy as it does on authentication mechanisms. Configure a system to require strong passwords, make users change them monthly and lock all accounts after three invalid access attempts, and you've got medium-strength authentication.

Using a smart card with strong management policies and strong passwords yields high-strength authentication. But use a smart card with weak passwords and leave the card lying around, and you're back to medium-strength at best.

Unfortunately, there's no free lunch. Strong password policies significantly increase help desk, training and administration costs, while smart cards generate substantial hardware and support costs. You have to pick the right point on the cost/risk spectrum for your company or application.

What about smart card support costs? On the bright side, JavaCard technology, Windows XP and Windows .Net servers all do a pretty good job of integrating cards with operating systems and applications. Veteran security vendors are getting into the action. But smart card management remains challenging, requiring at least some support for complex public-key infrastructure (PKI) and smart card lifecycle management, including card password/personal identification number reset, and data recovery.

But the water's definitely getting warmer. As you plan your hardware and software rollouts, consider at least prestaging card readers or other devices so you'll be ready for this technology. Also, study smart card and PKI options in your security architecture planning.

Now if only that also would make it possible to get better movies out of Hollywood.