Smart Card Authentication
A smart card is a secure microcontroller that is typically used for generating, storing and operating on cryptographic keys. Smart card authentication provides users with smart card devices for the purpose of authentication. Users connect their smart card to a host computer. Software on the host computer interacts with the key material and other secrets stored on the smart card to authenticate the user.
In order for the smart card to operate, a user needs to unlock it with a user PIN.
Smart cards are considered a very strong form of authentication because cryptographic keys and other secrets stored on the card are very well protected both physically and logically, and are therefore extremely hard to steal.
The added security provided by the smart card comes at the expense of the user experience, as smart cards need to be physically carried around by the user and inserted into the host computer every time they want to authenticate with it. Users are also limited to host devices that have the card interface software installed.
Smart cards are also expensive to administer, as they require software installation on the host computer and physical distribution to the users.
Hard token refers to any authentication token that is implemented in hardware. Hard tokens can be smart cards, but also one-time passcode (OTP) hardware tokens, etc.
The use of hardware tokens for remote access VPN is common, as remote connections are perceived to carry a lot of risk. Most VPN solutions therefore include support for hardware-based authentication, including the use of smart card authenticators.
Common Access Card (CAC) is a smart card-based identification card issued by the US government to Active Duty United States Defense personnel, United States Department of Defense (DoD) civilian employees, United States Coast Guard (USCG) civilian employees and eligible DoD and USCG contractor personnel. Access cards enable physical access to buildings and controlled spaces, and access to defense computer networks and systems. CAC requires support for specified encryption algorithms and encryption key sizes.
A PKI smart card is a smart card device that supports the requirements of PKI, which typically means the ability to generate, store and use asymmetric encryption keys (i.e. RSA and/or ECC).
In order to authenticate with a smart card, the user needs to be in physical possession of the card and the secrets it carries (something the user has – first factor), and has to know the PIN that unlocks the card (something the user knows – second factor), hence providing two-factor authentication.
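As an added illustration that is not part of the original page, the following Go program models the two factors just described: a hypothetical in-memory SimulatedCard stands in for the PKI smart card (an Ed25519 key generated on the card and never exported, PIN verification gating every signature, and a three-try retry counter), while Authenticate is the host software issuing a random challenge and checking the card's signature against the public key enrolled for the user. All type and function names are assumptions made for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/subtle"
	"errors"
)

var ErrWrongPIN = errors.New("wrong PIN")
var ErrCardBlocked = errors.New("card blocked: PIN retry counter exhausted")
var ErrNotVerified = errors.New("PIN not verified: card refuses to sign")

// SimulatedCard is a hypothetical in-memory stand-in for a PKI smart card: the
// private key never leaves it, signing needs a verified PIN, 3 wrong PINs block it.
type SimulatedCard struct {
	priv     ed25519.PrivateKey
	pin      []byte
	retries  int
	verified bool
}
func NewSimulatedCard(pin string) *SimulatedCard {
	_, priv, _ := ed25519.GenerateKey(rand.Reader) // key is generated on-card
	return &SimulatedCard{priv: priv, pin: []byte(pin), retries: 3}
}
// PublicKey is the only key material the host ever obtains from the card.
func (c *SimulatedCard) PublicKey() ed25519.PublicKey { return c.priv.Public().(ed25519.PublicKey) }
// VerifyPIN is the "something the user knows" factor (constant-time compare); a real card that hits zero retries needs an administrator unblock code.
func (c *SimulatedCard) VerifyPIN(pin string) error {
	if c.retries > 0 && subtle.ConstantTimeCompare([]byte(pin), c.pin) == 1 {
		c.retries, c.verified = 3, true
		return nil
	}
	if c.retries > 0 { c.retries-- }
	c.verified = false
	if c.retries == 0 { return ErrCardBlocked }
	return ErrWrongPIN
}
// Sign answers a host challenge with the on-card key, the "something the user has" factor.
func (c *SimulatedCard) Sign(challenge []byte) ([]byte, error) {
	if !c.verified { return nil, ErrNotVerified }
	return ed25519.Sign(c.priv, challenge), nil
}

// Authenticate is the host side: a fresh random challenge signed by the card is verified against the public key enrolled for this user.
func Authenticate(card *SimulatedCard, enrolled ed25519.PublicKey, pin string) (bool, error) {
	if err := card.VerifyPIN(pin); err != nil { return false, err }
	challenge := make([]byte, 32)
	if _, err := rand.Read(challenge); err != nil { return false, err }
	sig, err := card.Sign(challenge)
	if err != nil { return false, err }
	return ed25519.Verify(enrolled, challenge, sig), nil
}
```

A fresh challenge per attempt means a captured signature cannot be replayed, and a card whose PIN is known but whose key differs from the enrolled one still fails, which is the property the two factors are meant to give.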
The secrets in a smart card are very difficult to extract, which makes the card very hard to duplicate. The contents of a smart card are secured against both physical and logical attacks, and are often certified to ensure their robustness. As a result, duplicating or cloning a card is considered extremely difficult and expensive. That said, there are a few reported cases where specific smart cards were hacked and their secrets extracted, which means those cards could be cloned.