Chevron early next year plans to eliminate the last of 50,000 network passwords, finalizing a transition to a smart card-based system designed to dramatically increase security and privacy while cutting costs.
In January, users in 200 countries and 1,800 offices worldwide will have no way to log on to the network and gain access to resources other than their Chevron SmartBadge, a plastic card with three chips that support building and network access, desktop logon and single sign-on to nearly 3,000 applications.
The password's death is a milestone four years in the making. During that time, the oil giant has been rolling out SmartBadge and the infrastructure to support two-factor authentication on a single card as its corporate identity, privacy and security standard.
Two-factor authentication is based on something you have and something you know. In Chevron's case that is the SmartBadge and a PIN.
Other companies use badges that combine building and network access, but Chevron is the pioneer for also including desktop logon, certificates for digital signatures and encryption, and single sign-on.
"This project has been going on for a long time, mainly because we decided not to go with a big-bang approach," says Edmund Yee, an emerging technology team leader in Chevron's Information Technology Company.
"We wanted to bring in pieces in small, achievable chunks and then keep on expanding," he says.
Yee and Schlumberger, the project's systems integrator, have no doubt they took the right approach, which included a yearlong effort to define governance and policy standards.
"Getting into systems securely and being able to do things like digital signatures, encrypting drives and data encryption - that is where this starts to touch business processes and where you get into formally auditing events and establishing non-repudiation," says Greg Salyards, practice manager at Schlumberger.
Salyards says the SmartBadge lets Chevron transform critical corporate decisions that were once just paper trails into digital records. Another result has been a 70% reduction in the nearly 4,000 password resets Chevron was performing each month.
In addition, Chevron, which is considered critical infrastructure under the federal government's Department of Homeland Security, is out in front of the requirements outlined in February's Homeland Security Presidential Directive.
Salyards says the cost - not including services - was $50 per user for the cards, readers and software. Chevron won't disclose what it spent on SmartBadge or what its overall cost savings have been, but Yee says the ROI was immediate.
In 2000, Yee says, Chevron began to refresh servers, desktops and network security. The project heated up nearly a year later, after a merger with Texaco that created a need for new employee badges, and the Sept. 11 terrorist attacks. It was then that Chevron's board made an ongoing study of two-factor authentication part of a mandate around improvements to security.
In November 2001, the SmartBadge pilot launched, which amounted to Phase 3 of the now-official project. Most of the badges were rolled out in 2002, and by early 2004 they were being activated.
The activation milestone drew an in-person visit in February 2004 from Microsoft's Bill Gates, who was on his way to the RSA Security Conference where he declared the password would die and two-factor authentication was the future.
What Gates saw at Chevron was an infrastructure that includes Schlumberger's Identity Process Security Platform card-management system, an Active Directory infrastructure that is the authoritative source for user information, and a public-key infrastructure, including a certificate authority, built on Windows.
Employees obtain a SmartBadge from Chevron Business and Real Estate Services, a facilities business unit that embeds identity information onto the cards' two building-access chips.
End users then insert their SmartBadge into a card reader on their desktop or laptop and enter a one-time password to activate the card-management system.
The system asks a series of questions before binding the card to the end user and downloading to the card's third chip a set of digital certificates used for logon, encryption and digital signatures. Information in Chevron's IT systems guarantees the card was issued to the person activating it.
"We spent about two months engineering a [distribution] model that would work across both facilities and IT," Yee says.
After activation, the cards log users onto the network and their desktops.
The desktop logon is integrated with single sign-on software called v-Go from Passlogix. This makes the SmartBadge the only credential needed for end users to access network resources.
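The activation and logon flow described above, reduced to a runnable model, is shown below as an added example; it is not Chevron's, Schlumberger's or Passlogix's code, and the article does not describe the real protocol. The class names, the one-time-password lifetime, the identity-question check, the PIN retry limit and the certificate placeholders written to the card's third chip are all assumptions made for the illustration. What the model does show is the security property the article is built around: after activation, logon takes a bound card plus a PIN, and there is no password path at all.

```python
"""Toy model of smart-card activation and two-factor (card + PIN) logon.

Constructed illustration, not code from the article or the vendors it names.
CardManagementSystem, the activation steps and all limits are assumptions.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

MAX_PIN_TRIES = 3           # assumed: card blocks itself after three wrong PINs
OTP_LIFETIME_SECONDS = 600  # assumed: activation one-time password lives 10 minutes


def _digest(value: str, salt: str) -> str:
    # Salted hash so neither PINs nor one-time passwords are stored in clear.
    return hashlib.sha256((salt + value).encode()).hexdigest()


@dataclass
class Card:
    serial: str
    pin_hash: Optional[str] = None
    pin_salt: str = ""
    pin_tries_left: int = MAX_PIN_TRIES
    certificates: List[str] = field(default_factory=list)  # stands in for the third chip

    def verify_pin(self, pin: str) -> bool:
        """Something you know: constant-time check with a retry counter."""
        if self.pin_tries_left == 0 or self.pin_hash is None:
            return False  # blocked card or never activated
        if hmac.compare_digest(self.pin_hash, _digest(pin, self.pin_salt)):
            self.pin_tries_left = MAX_PIN_TRIES
            return True
        self.pin_tries_left -= 1
        return False


@dataclass
class CardManagementSystem:
    # Directory record per user: the identity-question answers (assumed shape).
    directory: Dict[str, Dict[str, str]]
    # card serial -> (otp hash, salt, user, expiry time)
    pending: Dict[str, Tuple[str, str, str, float]] = field(default_factory=dict)
    bindings: Dict[str, str] = field(default_factory=dict)  # card serial -> user

    def issue_activation_otp(self, serial: str, user: str, now: float) -> str:
        """Facilities hands the user a card; IT issues a short-lived one-time password."""
        otp = secrets.token_urlsafe(12)
        salt = secrets.token_hex(8)
        self.pending[serial] = (_digest(otp, salt), salt, user, now + OTP_LIFETIME_SECONDS)
        return otp

    def activate(self, card: Card, otp: str, answers: Dict[str, str],
                 pin: str, now: float) -> bool:
        """Bind the card to the user and load its certificates (placeholders here)."""
        entry = self.pending.pop(card.serial, None)  # consumed on first use: no replay
        if entry is None:
            return False
        otp_hash, salt, user, expiry = entry
        if now > expiry or not hmac.compare_digest(otp_hash, _digest(otp, salt)):
            return False
        if answers != self.directory.get(user):
            return False  # identity questions must match the directory record
        card.pin_salt = secrets.token_hex(8)
        card.pin_hash = _digest(pin, card.pin_salt)
        card.pin_tries_left = MAX_PIN_TRIES
        # Placeholders for the logon, encryption and digital-signature certificates.
        card.certificates = [f"{user}:{p}" for p in ("logon", "encryption", "signature")]
        self.bindings[card.serial] = user
        return True

    def logon(self, card: Card, pin: str) -> Optional[str]:
        """Two factors only: a bound card (something you have) and its PIN.
        There is deliberately no password parameter."""
        user = self.bindings.get(card.serial)
        if user is None or f"{user}:logon" not in card.certificates:
            return None
        return user if card.verify_pin(pin) else None


if __name__ == "__main__":
    cms = CardManagementSystem(directory={"alice": {"employee_id": "12345"}})
    card = Card(serial="CARD-0001")
    otp = cms.issue_activation_otp(card.serial, "alice", now=0.0)
    print("activated:", cms.activate(card, otp, {"employee_id": "12345"}, "4711", now=10.0))
    print("logon:", cms.logon(card, "4711"))
```

The two checks worth copying from this model are the ones a deployment of this shape lives or dies by: the activation one-time password is removed from the pending table before it is compared, so it cannot be replayed even after a failed attempt, and the PIN check decrements a retry counter before returning, so a lost card cannot be brute-forced offline against the second factor.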