Smart card authentication
A smart card is a hardware token that contains certificates that prove the identity of the person using a device. Using smart card authentication
requires an organization to provide each user with a smart card, which
can be tied to an identification badge or other item, and to attach a
smart card reader to each computer within the environment.
When a smart card is used for sign-in, the user initiates a sign-in
request and inserts the smart card into the available reader. The card
is checked, and a prompt for a PIN appears. When the user enters the
PIN, Windows begins the authentication process just as it does when a
user name and password are used for authentication. Smart
cards provide two-factor authentication to Windows. That is, the user
must have two things to sign in successfully: the physical smart card
and the PIN associated with the smart card. If a user does not have
both these items, authentication will not succeed.
This type of authentication is similar to the type used to prove an identity at an ATM.
To access an account by using the machine, you must have the physical
access card to swipe in the machine and the PIN associated with the
card.
Smart cards are more secure than user names and passwords because
they provide an element that cannot be guessed. For example, if an
organization uses the naming convention of first initial, last name
(such as pfischer for Peter Fischer) when creating user names, other
employees, or anyone who knows this convention, can guess that Peter
Fischer’s user name is pfischer. Then that person can attempt to guess
his password.
If the organization uses a smart card configuration for user
authentication, Peter Fischer will have a card to swipe at sign-in and,
after swiping his card, he will then be asked for his PIN. If someone
other than Peter attempts to sign in as Peter, he or she will not be
able to sign in without Peter’s smart card and PIN.
Note
OTHER USES FOR SMART CARDS
In addition to providing Windows authentication, smart cards can be
used for other purposes such as unlocking doors and recording hours
worked by swiping into an attendance system.
Others in your organization are probably familiar with smart card
technology because an ATM uses similar technology. You might be
able to recommend the use of smart cards in other areas of the
organization, such as the company cafeteria, to purchase meals and other
items. Many people do not treat their computer credentials with the same level
of security as their ATM card, so deploying a smart-card system is a
good idea because each employee has access to information the
organization requires to conduct its business.
With the use of the Internet and other technologies increasing every
day, implementing better security measures and educating the
organization about the benefits of these measures can both help the IT
organization monitor security better and help users become more
conscious of security.
Important
VERIFY THAT YOU HAVE THE DEVICE DRIVER SOFTWARE
Before attempting to configure a smart card reader or any peripheral device, ensure that you have access to the correct driver software
for that device. Many Windows 7 device drivers will work with Windows
8; however, this might not be the case with Windows RT.
To configure a smart card for sign-in,
you must install a certificate on the smart card. The required
certificate is created by using the enrollment agent certificate
template. In addition, the certification authority (CA) needs the enrollment
agent and smart card sign-in templates to be configured. This ensures that your CA can provide certificates for smart cards.
To configure a smart card reader and prepare to sign in to Windows 8, complete the following steps:
- Plug the smart card reader into your computer if you are using an external device.
- If the device does not turn on, make sure the drivers for the device have been installed.
- Insert a smart card into the reader.
To authenticate by using a smart card, insert the card into the
reader. The sign-in screen will change to work with the smart card
rather than with Ctrl+Alt+Delete. Windows will check any certificates
on the card and display them. Select the valid certificate (if more
than one choice appears) and enter the corresponding PIN to sign in.
Windows might not prompt you to choose a certificate if only one is
found on the card.
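As an added example (not code from the original text), the following PowerShell pre-flight check covers the three reader-configuration steps above and the certificate check that happens at sign-in: it confirms a reader is present with a working driver, that the Smart Card service is running, and which certificates the inserted card offers for sign-in. It assumes an elevated Windows PowerShell session on Windows 8 with the reader attached and a card inserted; the class GUID is the standard Windows device-setup class for smart card readers and the OID is the standard Smart Card Logon enhanced key usage.

```powershell
# Added example, not from the original text. Assumes an elevated Windows
# PowerShell session on Windows 8, a reader attached, a card inserted, and
# the built-in certutil.exe on the PATH.

$SmartCardReaderClass = '{50DD5230-BA8A-11D1-BF5D-0000F805F530}'  # standard reader class GUID
$SmartCardLogonEku    = '1.3.6.1.4.1.311.20.2.2'                  # Smart Card Logon EKU OID

# 1. Is a reader enumerated by Plug and Play, and is its driver working?
#    ConfigManagerErrorCode 0 means the device is working properly; 28 means
#    no driver is installed, which is the symptom the Important note describes.
$readers = Get-WmiObject -Class Win32_PnPEntity |
    Where-Object { $_.ClassGuid -eq $SmartCardReaderClass }
if (-not $readers) {
    Write-Warning 'No smart card reader detected. Plug it in and check the driver.'
}
foreach ($r in $readers) {
    $state = if ($r.ConfigManagerErrorCode -eq 0) { 'OK' }
             else { "driver problem, code $($r.ConfigManagerErrorCode)" }
    Write-Output ("Reader: {0} [{1}]" -f $r.Name, $state)
}

# 2. Is the Smart Card service running? Without it Windows cannot talk to the card.
$svc = Get-Service -Name SCardSvr
Write-Output ("Smart Card service (SCardSvr): {0}" -f $svc.Status)
if ($svc.Status -ne 'Running') { Start-Service -Name SCardSvr }

# 3. What does the card carry? certutil -scinfo lists each reader, the card in
#    it, and the certificates on the card; -silent suppresses the PIN prompt,
#    so this is a read-only inventory rather than an authentication attempt.
certutil -scinfo -silent

# 4. When a card is inserted, the Certificate Propagation service copies its
#    certificates into the user's Personal store. Show only those usable for
#    smart card sign-in, i.e. the ones carrying the Smart Card Logon EKU; these
#    are the certificates the sign-in screen would offer the user to choose from.
Get-ChildItem -Path Cert:\CurrentUser\My |
    Where-Object { $_.EnhancedKeyUsageList.ObjectId -contains $SmartCardLogonEku } |
    Select-Object Subject, NotAfter, Thumbprint |
    Format-Table -AutoSize
```

If step 4 lists nothing while step 3 shows a certificate on the card, the certificate lacks the Smart Card Logon usage and the CA template needs attention rather than the reader.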
Note
USING CERTIFICATES TO SIGN IN
When you sign in to a computer running Windows by using a smart
card, you are actually using a specially designated certificate to
perform the authentication.
The PIN is similar to the private key, which tells the computer (or the
server if you are signing in to a domain) that you have the necessary
credentials and should be authenticated.
Other types of certificates can be used to prove the identity of a
user and provide access to websites, thus reducing the chances of
problems that might compromise information used on a website. Although
these certificate types might not be used directly for Windows sign-in,
they provide authentication to other services that you might encounter as a Windows user.
Another type of two-factor authentication is biometrics. This
technique involves a scanner of some type, typically for a fingerprint,
but possibly for a retina in extremely advanced cases.
When signing in to a computer by using biometrics, the user at the
computer initiates the sign-in process and then touches the scanner.
When the scanner reads the individual's fingerprint, a one-time key is
generated for the sign-in session. This key is passed to the authenticating
domain controller or the local computer and checked against the stored
information for the user account. When the credentials are verified,
the sign-in is completed, and that user’s desktop appears.
Advantages of the use of biometrics can include:
- Unique access for each individual
- Greater difficulty in faking or impersonating identity
- Nothing to guess at sign-in
The implementation of this sign-in method comes with initial costs because, as with smart cards, the computers within an environment need biometric
scanners to process sign-in attempts. In addition, an organization must
train employees so that they understand the process of using
biometrics. Although a fingerprint scanner is used to sign in, the
fingerprint itself is not stored with the user identification (ID) for
the sign-in process. A security code or token is generated for each
sign-in. This code is passed as something similar to a password for
actual authentication.
Important
MANAGING FINGERPRINT-READING DEVICES
If your fingerprint reader is a USB device, plug it into your
computer and ensure that you have drivers installed before continuing.
You might also need to download fingerprint management software so
Windows can store the information the device collects. Windows will
alert you during configuration if you need to do this.
To configure biometric sign-ins, complete the following steps:
- Select the Settings charm.
- Select Control Panel.
- In Control Panel, open Biometric Devices.
- Find the device currently installed on your computer and select Change Biometric Settings.
- Ensure that Biometrics is turned on and that Allow Users To Log On To Windows Using Their Fingerprints is selected.
- Tap or click Cancel if these options were already set; tap or click Save Changes if you modified them.
- In the Biometric Devices Control Panel applet, tap or click Use Your Fingerprint With Windows.
- Tap or click Continue.