listen to this article:
Smart Cards have been in use for decades, and they have been a reliable means of providing authentication in organizations for a long time. Normally, these cards are used as a form of two-factor authentication. The cards store a user’s cryptographic key and other sensitive data that can identify the user when connected to a smart card authentication system (something the user has). The user then provides a passcode (something they know) to verify this identity and complete the authentication process.
Smart Cards are considered a strong method of authentication as the cryptographic keys and other sensitive data stored on their memory are well protected, both physically and logically. However, they also have some drawbacks associated with all hardware token systems and others specific to the form of authentication.
This post explores the advantages and disadvantages of smart cards and helps determine whether your business should still rely on the technology for identity and transaction signing. But first, let’s explain what smart cards are and how they work.
What Is a Smart Card?
Smart cards are physical, electronic authentication devices that contain a smart chip (microprocessor) capable of storing and exchanging data with readers and other systems. These cards are usually the size of payment cards or a flash drive, and they are used to store personal information, cryptographic keys, digital certificates, and other sensitive data.
Types of Smart Cards
There are two main types of smart cards:
- Contact smart cards: These cards are inserted into or swiped on a smart card reader. The contact facilitates the transmission of data between the card and the reader.
- Contactless smart cards: These cards transmit data via radio frequency identification (RFID) or near-field communication (NFC) technolog When a card comes within the reader’s electromagnetic field, the chip in the card is powered on.
After the connection is initiated, the operating system within the smart card then prompts the user to enter a PIN. Successful verification then allows data transfer, and a transaction is carried out.
Advantages of Smart Card Technology
As a method of authentication and transaction signing, smart cards provide several benefits that cut across security and usability.
Modern smart cards are capable of full-on cryptography and are therefore more secure than passwords, RFID, or magnetic stripe cards. The cards store private keys and digital certificates in a non-volatile memory that can’t be easily deleted, modified, or retrieved. This data is also encrypted and secured with a unique ID, which means that it can’t be easily duplicated even if the card falls in the hands of a malicious individual.
Smart cards provide convenience and flexibility as they can be used to access multiple services. For example, the same card can be configured to provide physical building access, system and network authentication, and transaction signing.
Multiservice and Flexibility
Smart cards contain chips that make it possible to add, store and update information stored on a card. This can be done remotely without the need to issue a new card.
The Disadvantages of Smart Cards
Despite the several benefits that smart cards offer, they also have some limitations that have made some organizations start implementing more advanced forms of authentication technology.
Smart card authentication is expensive to build, deploy, customize, manage, and secure. The cards are more costly than proximity-based RFID cards and magnetic stripe cards, and the costs can significantly add up when you have to produce them for hundreds or thousands of employees.
Transaction signing tokens are also quite expensive to purchase. When you consider shipping, tracking, and the IT personnel required, the TCO becomes quite high.
Simple Power Analysis (SPA) and can be used to measure the power being consumed by a smart card system as it varies depending on the microprocessor instructions being carried out. The values taken from such an analysis can then be used to determine the operations taking place and the keys being used on a vulnerable smart card.
Although SPA can be easily prevented, Differential Power Analysis (DPA) is much more difficult to tackle. The side-channel attack uses statistical analysis and possesses far more superior signal processing and error correction properties. Attackers can also use the more advanced High-Order Differential Power Analysis (HO-DPA) to incorporate multiple data sources and different time offsets in the analysis.
Can be Lost
Smart cards are usually small in size and can be easily lost or even forgotten. They are also made of flimsy material that can be easily broken, especially if the user doesn’t work behind a desk. In such cases, a user won’t be able to authenticate into a system. This can be quite an inconvenience considering that these cards are normally used in multiple systems.
A particular smart card technology may not be compatible with existing security systems, products, and technology. This is especially true in large organizations where not all sites will have card readers from the same manufacture.
Apart from that, not all computers are compatible with smart cards, and in such a case, a software-based authentication system may be more appropriate.
Smart cards have their own operating that asks a user for the authentication passcode. If a user enters the wrong code three times, the operating system blocks the card. This is a good security measure as it deters fraud. However, it provides malicious intruders with an opportunity to sabotage a user or operation by blocking a card. Unblocking the card can be a lengthy process, or it may require the user to wait for a certain period, say an hour or even a day.
Social Engineering Attack
Since a smart card can be lost, forgotten, or broken, a temporary access procedure is necessary. This opens an avenue for a social engineering attack, where the attacker calls the administrator and impersonates a user to say that the card has been lost and gain access.
Should your Business Still Use Smart Cards?
Smart cards provide several benefits as a secure means of storing sensitive information and authenticating users. However, the technology also has many drawbacks that can affect user experience, prove costly to the organization, or open channels for attacks. On top of that, they are a massive challenge in administration and management.
Although the system has been considered reliable for many years, software-based technologies have come up, and they offer more functionality, flexibility, superior user experience, and better security.
However, most software-based authentication systems are vulnerable to attacks such as malware and cloning. This means that you need a system that can combine the security of hardware solutions with the user experience of software solutions.
How MPC Addresses the Drawback of Smart Cards
Multiparty Computation (MPC) is a cryptographic protocol that aims at preserving privacy while carrying out a computation between several distinct yet connected computing devices (or parties).
Unlike a smart card, MPC does not generate or store the key in any particular device. Rather, the key generation is split between multiple devices and then stored in parts known as shares. This approach eliminates the “trust” requirement as no one party has the whole key at any particular time. The same also means that even in the case of a physical or logical attack, the hacker will not be able to get the required key.
Organizations can secure authentication and transaction signing through the use of a cryptography-based authentication system that utilizes multiparty computation (MPC). When utilizing this identity-protection method, your organization can store one share of a key in a server, and the other share on an end-user device such as a mobile phone or a laptop. When a transaction is taking place, the MPC protocol will then take input from both the server and the endpoint to complete the operation.
To enhance security, MPC shares are refreshed after every operation without changing the key. This means that even when a share is compromised through an attack such as cloning, it will still be useless to the attacker as it will have already expired after re-randomization.
Such a system does away with the drawback of smart cards and other hardware solutions while at the same time enhancing security for the enterprise and its consumers. The organization can then carry out authentication, transaction signing, and code signing on any device without a single point of vulnerability.