If you're reading this, chances are your organization has taken the plunge and decided to deploy smart cards to its employees. The decision may have been based upon the desire to improve Windows and/or enterprise single sign-on (SSO) authentication. Perhaps the organization wants to pursue physical and logical convergence -- merging IT application access with facilities access -- using the "Swiss Army Knife" of identity and access management: the smart card.
The most important choice is the smart card form factor. Smart cards come in two forms: credit card-sized (known as ISO 7816) or USB token. Regardless of the form factor, the underlying smart card technology is usually identical. Both form factors share a common logical personalization process (that is, the configuration of the smart card for a specific user) and provide the same logical services, such as authentication to Windows, enterprise SSO and Web servers. It is the form factors' physical differences that make them suitable for different uses.
The ISO 7816 form factor is the most commonly deployed smart card in the enterprise, not coincidentally because it supports identity badging: graphical personalization with both corporate and user information, which enables visual identification of the user.
The ISO 7816 form factor also supports physical access via its contactless interface. When the user simply waves the smart card near a door reader -- whose electromagnetic field provides both power and a data path to the smart card -- the door opens upon successful authentication.
The most common contactless building access system is based upon HID Corp.'s Prox (125 kHz) technology. The U.S. government has chosen a different contactless specification as part of its HSPD-12 initiative, but the HID Prox card will remain the most prevalent contactless specification for at least several years because of the long replacement cycle of door readers and cards. For the most part, USB token smart cards are not suitable for use with physical access systems, though at least one vendor offers a USB token smart card with HID Prox-based technology.
With all the advantages of the ISO 7816 form factor, why even consider the USB token form factor? The most notable reasons are simpler desktop configuration and potentially reduced cost. USB smart cards don't need a reader; they plug into a desktop's USB port. ISO 7816 cards require a smart card reader at the desktop.
One additional advantage of the USB smart card form factor is that it can be coupled with a traditional one-time password (OTP) device. OTP tokens have a liquid crystal display that shows a unique, time-limited numeric password. OTP tokens remain the default strong authentication mechanism within the enterprise today because, unlike smart cards, they don't require client software.
While the converged USB smart card/OTP device provides maximum application coverage, it sells for a premium over the standard USB smart card. It may be more cost-effective to restrict these devices to a subset of users, such as road warriors who require access to enterprise resources from kiosks while traveling.
To summarize, the ISO 7816 and USB token smart card form factors are nearly identical from a technology perspective, and both provide logical authentication services. The ISO 7816 smart card is the better choice for physical access and/or identity badging. Conversely, the USB token format is more rugged and is the better fit when the goal is to avoid deploying smart card readers to the desktop, or when there is a need to combine OTP and smart card functionality in one device.
About the author:
Mark Diodati, CPA, CISA, CISSP, MCP, CISM, has more than 16 years of experience in the development and deployment of information security technologies. He has served as vice president of worldwide IAM services for CA, as well as senior product manager for RSA Security's smart card, SSO, UNIX security, mobile PKI and file encryption products. He has had extensive experience implementing information security systems for the financial services industry since starting his career at Arthur Andersen & Co. He is a frequent speaker at information security conferences, a contributor to numerous industry publications, and has been referenced in a number of academic and industry research publications.
This was first published in May 2007