Two-factor authentication, especially in the form of smart cards, is the next logical step in improving computer security. But adopting two-factor authentication on most computers has been stalled by the lack of operating system support. Windows 7 makes using smart cards much simpler.
Two-factor authentication is commonly described as “something you have and something you know.” In order to gain access to resources, a user needs both.
One of the most common forms of two-factor authentication is banks’ ATM cards. To use the teller machine, you insert your ATM card and enter a personal identification number (PIN), which serves as a password. You need both the card and the PIN to make the transaction.
While smart cards for physical access have been around for years, and used on computers for nearly as long, they have suffered from several drawbacks that have kept them from being more widely implemented for authentication on computers.
A major barrier to adoption was that installing a smart card system on a computer was an involved process. To handle smart cards the system needed middleware to provide smart card services, requiring someone (your IT department or perhaps the hapless user) to install the middleware and activate the user’s smart card on that computer. This process (which applied to biometrics too) was sufficiently involved that it made two-factor authentication unattractive except in high-security applications. You could do it, and a lot of organizations did, but it was a hassle.
Windows 7’s major innovation in two-factor authentication is to add plug and play features that integrate both smart cards and biometric authentication seamlessly into computer usage.
The Middleware Muddle
Hardware support isn’t a problem unique to smart cards. Everything from printers to hard drives to monitors needs to be connected to the computer through middleware. However, device support for such standard equipment isn’t nearly the problem that smart cards were – or at least it hasn’t been since the early days of computing. That’s because most of the middleware for dealing with these peripherals was integrated into the operating system. All the user needed was the device-specific code that hooks the device to the services already present in the operating system.
The second innovation was plug and play. The operating system included drivers for common devices, or the device came with its drivers on a CD, and the system automatically loaded the right ones with an absolute minimum of configuration by the person doing the installation. These two innovations made getting a new peripheral up and running almost painless.
Almost. Unless you were trying to install an unusual peripheral like a smart card reader.
Enter The Minidriver
To deal with these problems, Microsoft introduced a smart card minidriver in Windows Vista. In essence, Microsoft provided the middleware as part of the operating system. Developers only had to write the minidriver to make their specific smart card work with the system.
Minidrivers relieved IT organizations from the hassle of installing and maintaining the middleware, which often required different middleware applications for every kind of smart card the organization used. This went a long way toward making smart cards easy to use and deploy. However, IT still had to install smart card minidrivers and vendors still had to provide the drivers with the card readers.
Windows 7 extends this concept by automatically supplying the minidrivers to make smart cards work with the computer. Windows 7 ships with some minidrivers and will automatically download drivers from Windows Update if the OS doesn’t have the driver for a particular smart card.
“This means that smart card minidrivers are elevated to the same status as a hard drive or a monitor,” says James McLaughlin, senior technical manager at Gemalto, a smart card vendor. “When you plug in the card the driver is automatically downloaded. This gives a nice experience for the user since they don’t have to worry about driver installs. If the driver is not already on the machine Windows 7 looks it up.”
In addition to providing computer access, the same smart card can be used to do other jobs requiring identification and authentication. For example, using Windows 7, smart card credentials can be used to sign documents and e-mail, log in to the Internet or corporate network, and access applications that use Cryptography Next Generation or CryptoAPI certificates to control access. Windows 7 permits a high degree of granularity so that different users can have different bundles of privileges controlled by their smart cards.
Windows 7 also supports combined PIN and smart card readers for additional security. With these devices, “The PIN is sent to the card, not through the software running on Windows,” McLaughlin explains. This is more secure because the reader essentially returns just a yes or no without exposing the PIN or the card information to the computer (and thus to any other application running on the PC).
Extending Smart Cards Beyond The Computer
Of course, logging into computers isn’t the only place smart cards are used. Increasingly, enterprise organizations are using smart cards for access to buildings and equipment. However, the process usually involved a different smart card for each application. That is starting to change.
In the wake of 9/11 the federal government instituted a standard covering identity verification called FIPS 201 (FIPS stands for “Federal Information Processing Standard”). The standard mandates the way executive branch agencies of the federal government authenticate access to everything from buildings to personal computers.
“What the government is trying to do is to drive the use of one card to get into a building but use the same card to log into machines,” says Michael Yatsko, product manager for the PKI group at Verisign Inc., a maker of smart cards and public key encryption systems.
FIPS 201 has given traction to a standard access card not just for the government, but for other organizations as well.
“Because the government has mandated this, we’ve seen customers coming in and saying, ‘We want to interoperate with the US government,’” Yatsko says. “So far, the interested customers tend to be people like system integrators and state and local government agencies.” But the advantages of a single access card are obvious and the concept is spreading rapidly.
Overall, Windows 7 represents a major step forward in integrating smart cards into everyday computer security, one that will encourage far broader adoption.
“I think it will make it easier for organizations to see their way to using smart cards,” says McLaughlin. “It improves their return on investment since they don’t have to pay for middleware [so] there’s less glue to make smart cards work.”
A single access smart card is wonderfully useful. I’m happy to hear the concept is spreading. Georgia Tech uses such smart cards — a student can buy a coke from a vending machine, order textbooks online, and access personal dorms and parking spaces all with a single card. I know this because my son goes there. The smart card enabled security is easy for him to use and customized enough to bring me a lot of peace. What could be better than that?
Has anyone ever tried putting smartcard security into a secured USB stick? We have operating systems now that fit on a stick. Why not just place the smartcard security goodness into a stick that can be used on any PC with a USB slot?
The smartcard vendors wouldn’t like it, but it strikes me that this would work well for everyone else.
Steven
Steven, yes they have. They’ve been around for a few years for sure; I was testing a solution in 2005.
http://www.google.com/search?rlz=1C1GGLS_enUS343US343&aq=0&oq=usb+token+smar&sourceid=chrome&ie=UTF-8&q=usb+token+smart+card