Many companies now use smart cards for employee IDs and for accessing buildings and data centers. But how secure is the authentication used in this technology?
According to the National Institute of Standards and Technology (NIST) documentation available in our IT Downloads section, the answer often depends on which authentication use cases are employed, and those are chosen according to the sensitivity of the resources being accessed. From the download, A Methodology for Developing Authentication Assurance Level Taxonomy for Smart Card-based Identity Verification:
Assignment of authentication strength for each of the use cases is often based on: (a) the total number of three common orthogonal authentication factors – What You Know, What You Have and What You are, and (b) the entropy associated with each factor chosen.
The document was created to offer a new methodology for providing authentication that is “based on the strength of pairwise bindings between the five entities involved in smart card based authentications – the card (token), the token secret, the card holder, the card issuer, and the person identifier stored in the card.” Three observations led to the formation of this methodology:
- The form factor of the smart identity token introduces some threats of misuse.
- The common set of credential objects provisioned to a smart card embodies bindings that address those threats.
- The strength of an authentication use case should therefore be based on the number and type of binding verifications that are performed in the constituent authentication mechanisms.
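To make the third observation concrete, here is a small scoring model written for this post (it is not code from the NIST document): the five entities and the "count the binding verifications" rule come from the text above, while the hypothetical mechanisms, the bindings each one is assumed to verify, and the entropy figures are illustrative assumptions of mine rather than NIST's taxonomy.

```python
# Toy assurance scorer for smart-card authentication use cases (added example).
# Entities and the pairwise-binding idea follow the NIST methodology quoted above;
# the MECHANISMS table below is an illustrative assumption, not NIST's mapping.
import math
from itertools import combinations

ENTITIES = ("card", "token_secret", "card_holder", "card_issuer", "person_identifier")
# The 10 possible pairwise bindings between the five entities (unordered pairs).
ALL_BINDINGS = {frozenset(p) for p in combinations(ENTITIES, 2)}

# Hypothetical mechanisms: which factor each exercises, which pairwise bindings it
# is assumed to verify, and an assumed entropy (bits) of the secret involved.
MECHANISMS = {
    "visual_inspection": {"factor": "what_you_are", "entropy": 0.0,
                          "bindings": {("card", "card_holder")}},
    "pin": {"factor": "what_you_know", "entropy": math.log2(10 ** 6),  # 6-digit PIN
            "bindings": {("card", "token_secret"), ("token_secret", "card_holder")}},
    "issuer_signature": {"factor": "what_you_have", "entropy": 128.0,  # assumed key strength
                         "bindings": {("card", "card_issuer"), ("card_issuer", "person_identifier"),
                                      ("card", "person_identifier")}},
    "fingerprint": {"factor": "what_you_are", "entropy": 20.0,  # assumed template entropy
                    "bindings": {("card_holder", "person_identifier"), ("card", "card_holder")}},
}


def score_use_case(mechanism_names):
    """Return (distinct_factors, distinct_bindings_verified, total_entropy_bits)."""
    factors, bindings, entropy = set(), set(), 0.0
    for name in mechanism_names:
        m = MECHANISMS[name]
        factors.add(m["factor"])
        for pair in m["bindings"]:
            binding = frozenset(pair)
            if binding not in ALL_BINDINGS:
                raise ValueError(f"unknown binding {pair}")
            bindings.add(binding)  # the same binding counted once even if re-verified
        entropy += m["entropy"]
    return len(factors), len(bindings), entropy


def rank_use_cases(use_cases):
    """Strongest first: more orthogonal factors, then more bindings, then more entropy."""
    return sorted(use_cases, key=score_use_case, reverse=True)


if __name__ == "__main__":
    for uc in rank_use_cases([["visual_inspection"], ["pin", "fingerprint"],
                              ["pin", "issuer_signature", "fingerprint"]]):
        print(uc, score_use_case(uc))
```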
This publication provides important authentication techniques for any IT organization or enterprise that is attempting to use smart cards for identification and for controlling resource access, including building access, server room access, employee IDs, etc.