Smart card risks and rewards
Despite all this, I'm a big believer in smart cards.
Smart cards are better authenticators than passwords. They're two-factor (which defeats some attacks), they're easier to work with than long and complex passwords, and the underlying representative hash is usually formed from a very long and complex password (which prevents cracking). In general, smart card users are more knowledgeable about computer security risks.
But don't give smart cards more protection than they've earned. As with any computer security mechanism, there are trade-offs. Smart cards aren't accepted by every application and can't be used on every computer or computing device. They're also expensive to implement and maintain. I haven't looked at the latest figures, but in the recent past I've read that every lost or broken smart card costs about $70 to $80 to replace (including support and physical expenses).
You can also blame smart cards for unique attacks. As an example, most smart cards are tied to a user's email address or perhaps logon name. An attacker can often change their email address, logon name, or universal principal name (UPN) in the underlying namespace (DNS, Active Directory, and so on) and "become" that person to the authenticating operating system.
If I were an insider with the appropriate permissions, I'd change my UPN to match an innocent person's UPN (you'd have to change that person's UPN temporarily). Then, when I logged on using my own smart card and PIN, the underlying namespace would see my smart card as successfully attesting to someone else's identity. I could then wreak havoc using that identity. The security logs would attribute all the ensuing events to the innocent user, and after I've done all my damage, I could change everything back. Nobody, including the innocent user, would suspect a thing. It could be the perfect crime.
To do the same using a traditional username and password, the villain (in most authentication systems) would have to reset the user's password in order to steal their identity. Then the original user would know something is up because their original password would no longer be recognized. In this particular (rare and extreme) scenario, a simple username and password actually has benefits over a smart card.
That's why I always tell enterprises using smart cards to strictly limit and audit who can change the identity attributes of smart card users. In some environments, a ton of people can do that, and each one is a risk.
What works better?
What's more effective at preventing attacks than two-factor authentication? Almost everything else. I always tell clients to start by analyzing how they were successfully compromised (usually either poor patching or social engineering), then implement solutions that directly address the attack vectors.
If you do your homework, you'll see that smart cards are good, but not great defenders of the enterprise. Nearly everything I've said here applies to most other forms of two-factor authentication. They have their pluses and minuses. If you're involved in a similar project, don't let anyone oversell the solution.
This story, "Don't put all your faith in smart cards," was originally published at InfoWorld.com. Keep up on the latest developments in network security and read more of Roger Grimes' Security Adviser blog at InfoWorld.com. For the latest business technology news, follow InfoWorld.com on Twitter.