META Report: Smart Moves With Smart Cards

Summary: Stronger authentication will supplement simple password approaches (2002-04), but infrastructure limitations will impede smart card adoption until 2003, and biometrics will remain niche through 2005. Privacy regulation (e.g., EU and Australian laws, GLBA, HIPAA) will focus attention on encryption of information at the data, file, database, and transport levels in 2002. By 2004/05, regulations will extend to numerous industries, and the concurrent maturity and transparency of PKI components (such as embedded in NOS, directories, and file systems) by 2006 will accelerate widespread use of encryption. Fine-grained authorization will remain an application play through 2005, though coarse-grained authorization will become more centralized throughout 2002/03.

www.metagroup.com

Futures
In 2002, the use of smart cards as strong authentication mechanisms will gain momentum during pilots and limited enterprise deployments, expanding gradually during 2003/04 as card reader infrastructure becomes widely available for PCs and other points of interaction. Robust card management services will lag deployments, providing crude functionality during 2002/03 before improving significantly in 2004. Numerous smart card and biometric combinations will be attempted during development, with fingerprint and iris scanning biometrics dominating after 2004. While public key infrastructure services will enjoy a revival due to smart card use on the Internet (2002-04), B2B spaces and symmetric key cryptographic services (e.g., Kerberos) delivered via smart cards will account for more than 80% of enterprise smart card use, primarily as a result of network operating system (NOS)-based symmetric key authentication availability.

Situation

Enterprises intent on improving secure access to applications and other IT resources are seeking stronger forms of authentication than mere user IDs and passwords. Although several technology options exist, interest in the smart card as a mechanism for strong authentication has been rising. Invented in 1974, smart card deployments reached 500 million units in 2000; we project more than 1 billion units will exist by 2003. Smart card use is extensive for identification and verification services in European and Asian markets (primarily for SIM card use in the mobile phone market), with slower usage growth in the US. Interest in using smart cards for authenticating access to applications (particularly in the e-business environment) is on the rise, spurring intensive partnering and acquisition activity throughout the smart card manufacturing, reader, and application environments. Prices for smart card read/write units are dropping to less than $15 (with some giveaway programs already contemplated by major retail and banking services), and smart card units cost as little as $1 through promotions and volume purchases. Low-volume unit costs usually range from $5 to $20. Systems integration expertise with smart cards is also growing.

On the standards front, the maturity of the market has generated no fewer than three on-board operating systems, though Microsoft discontinued development of Windows for Smart Cards in early 2001, offering only software licenses to other companies. Volume deployments of JavaCard have increased recently. At the application level, the biometric application programming interface has finally begun to appear in limited fashion as government mandates and dominant systems integrators dictate its use. Windows 2000/XP, Novell Modular Authentication Service, and Java provide integration support for smart card read/write systems.

Position

With current deployment rates, it is apparent that smart card use as an authentication mechanism is gaining acceptance in several key market sectors. Even though multiple operating system environments exist and robust card management services for specific enterprise use do not, smart card and card reader manufacturers have minimized the impact of those issues through partnering, mergers, and acquisitions. Our research indicates that enough technology and integration options now exist to meet most common business requirements for strong authentication. Furthermore, the concept of bundling additional functions onto the smart card – such as physical building access, multiple logon IDs/passwords, and digital signature capabilities – provides enterprises with opportunities for ROI.

Considerable obstacles still remain, however. Within the enterprise, the dominant NOSs – Microsoft Windows 2000 and Novell NetWare 5+ – must be widely available as client systems to leverage NOS-based authentication. Various smart card form factors (e.g., USB “token” smart cards, biometric-locked smart cards) are spurring various card reader/writer infrastructure options (e.g., keyboard readers, USB-attached readers, combination biometric/smart card scan readers). Infrastructure for reading smart cards must be widely deployed before uniform, strong authentication can be delivered. Card management services that provide smart card disbursement tracking, enrollment administration, smart card replacement services, troubleshooting, and maintenance of reader/writer hardware remain concerns.

Implications

Smart cards represent a possible solution to the architectural problem of secure, mobile identity. The best authentication systems are composed of the following three elements:

1. Something you have (e.g., a private key stored on a smart card)
2. Something you know (e.g., a PIN or password)
3. Something you are (e.g., a fingerprint or iris scan)

Smart cards can now support factors 1 and 2. Our research indicates that biometric developments will eventually (2003+) provide factor 3 by using a biometric template stored on the smart card to unlock the card, granting authentication and application access, though reader infrastructure availability will be a limiting factor. IT organizations should have a detailed plan for the levels of authentication their business initiatives require, and should know how much authentication is enough before deploying it. The use of smart cards in the enterprise may begin as a targeted effort for specific, high-risk services before becoming ubiquitous.
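As an added illustration, not part of the META report, the following Python simulates the three-factor exchange described above: a secret key that only the card can use (have), a PIN with a retry counter that unlocks the card (know), and a biometric template matched on the card so it is never disclosed (are), with a verifier that accepts only a keyed response to a fresh, single-use challenge. It follows the symmetric-key (Kerberos-style) model the report expects to dominate enterprise use, so the verifier holds a copy of the card key. The class names, PIN, key and biometric bytes are all constructed for the demo and do not reflect any real card API or matcher.

```python
"""Three-factor challenge-response logon, simulated with the Python standard library.

Factor 1 (have): a per-card secret key that never leaves the card object.
Factor 2 (know): a PIN that unlocks the card, with a retry counter.
Factor 3 (are):  a biometric template stored on the card and matched on-card.

The verifier never sees the key, the PIN or the template; it only sees a keyed
response to a random challenge it issued. All names and data are constructed.
"""
import hashlib
import hmac
import secrets


class SimulatedSmartCard:
    """Stand-in for a tamper-resistant card (hypothetical class, not a real card API)."""

    MAX_PIN_TRIES = 3

    def __init__(self, card_id: str, key: bytes, pin: str, template: bytes) -> None:
        self.card_id = card_id
        self._key = key                      # factor 1: never exported
        self._pin_hash = hashlib.sha256(pin.encode()).digest()   # factor 2 reference
        self._template = template            # factor 3: enrolled biometric, stays on card
        self._tries_left = self.MAX_PIN_TRIES
        self._unlocked = False

    def verify_pin(self, pin: str) -> bool:
        """Factor 2. Each failure burns a retry; at zero the card stays blocked."""
        if self._tries_left == 0:
            return False
        candidate = hashlib.sha256(pin.encode()).digest()
        if hmac.compare_digest(candidate, self._pin_hash):
            self._tries_left = self.MAX_PIN_TRIES
            self._unlocked = True
            return True
        self._tries_left -= 1
        return False

    def verify_biometric(self, sample: bytes, max_mismatch_bits: int = 8) -> bool:
        """Factor 3, matched on the card so the template is never disclosed.
        The match is a simplified Hamming-distance comparison standing in for a
        real fingerprint or iris matcher; a failed match re-locks the card."""
        if not self._unlocked or len(sample) != len(self._template):
            return False
        mismatched = sum(bin(a ^ b).count("1") for a, b in zip(sample, self._template))
        if mismatched > max_mismatch_bits:
            self._unlocked = False
            return False
        return True

    def respond(self, challenge: bytes) -> bytes:
        """Factor 1: keyed response to the verifier's challenge, only while unlocked."""
        if not self._unlocked:
            raise PermissionError("card is locked; PIN verification required first")
        return hmac.new(self._key, challenge, hashlib.sha256).digest()


class Verifier:
    """Server side: holds a copy of each card's key (Kerberos-style symmetric model)."""

    def __init__(self, registered_cards: dict) -> None:
        self._keys = dict(registered_cards)
        self._outstanding = {}               # challenge -> card_id, single use

    def new_challenge(self, card_id: str) -> bytes:
        challenge = secrets.token_bytes(32)
        self._outstanding[challenge] = card_id
        return challenge

    def check(self, card_id: str, challenge: bytes, response: bytes) -> bool:
        # A challenge is consumed on first use, so a captured response cannot be replayed.
        if self._outstanding.pop(challenge, None) != card_id:
            return False
        key = self._keys.get(card_id)
        if key is None:
            return False
        expected = hmac.new(key, challenge, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def three_factor_logon(card: SimulatedSmartCard, verifier: Verifier,
                       pin: str, biometric_sample: bytes) -> bool:
    """Run the full exchange; True only if all three factors check out."""
    if not card.verify_pin(pin):
        return False
    if not card.verify_biometric(biometric_sample):
        return False
    challenge = verifier.new_challenge(card.card_id)
    response = card.respond(challenge)
    return verifier.check(card.card_id, challenge, response)


# Constructed demo data, not taken from any real deployment.
DEMO_KEY = hashlib.sha256(b"constructed demo key, not a real card key").digest()
DEMO_TEMPLATE = bytes(range(64))                                     # enrolled template
GOOD_SAMPLE = bytes([DEMO_TEMPLATE[0] ^ 0x03]) + DEMO_TEMPLATE[1:]   # 2 bits differ
BAD_SAMPLE = bytes(b ^ 0xFF for b in DEMO_TEMPLATE)                   # every bit differs


def make_demo_pair():
    """Fresh card and verifier sharing the constructed key."""
    card = SimulatedSmartCard("card-0001", DEMO_KEY, "1234", DEMO_TEMPLATE)
    verifier = Verifier({"card-0001": DEMO_KEY})
    return card, verifier


if __name__ == "__main__":
    card, verifier = make_demo_pair()
    print("all three factors:", three_factor_logon(card, verifier, "1234", GOOD_SAMPLE))
    card, verifier = make_demo_pair()
    print("wrong biometric:  ", three_factor_logon(card, verifier, "1234", BAD_SAMPLE))
```

The point to notice is what the verifier holds and sees: a key, a challenge and a response, but never the PIN or the biometric, which are checked inside the card. The retry counter and the single-use challenge are the two properties a card-based scheme adds over a password sent to the server.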

One notable implication for enterprises using Microsoft Win2000/XP is the required configuration of a certificate authority (CA) and Windows 2000 certificate services for smart card use. The CA must run on Win2000 domain controllers with the Domain Name System (DNS) configured properly to ensure communication between enrolling stations and the CA. Although several options exist for configuring CA types, root authorities outside the enterprise may cause compatibility issues with smart card authentication. IT organizations using Win2000 should plan on deploying and managing certificate services if smart card use is envisioned.

Business Impact: Timely implementation of key security technology is becoming increasingly essential to protect business revenues and intellectual property.

Bottom Line: In 2002, the alignment of smart card manufacturers, readers, systems, and software will near a point where enterprises can deploy portable, secure identity and strong authentication. IT organizations requiring strong authentication services should identify alliances and partnerships within the security industry relevant to existing enterprise security platforms and begin testing options, targeting some deployments by 2003.