Benefits of Smart Card Authentication

October 20, 2017

Two-factor authentication, such as that provided by smart cards, improves on basic passwords by ensuring that something a user has and something they know are presented before access to a system is granted. This is similar to taking cash from an ATM, where you must be in possession of your bank card and know the PIN. A user’s private key certificate information, which is stored on a smart card and used to uniquely identify the user, cannot be exported. The card is automatically blocked after a number of unsuccessful PIN entries, and cryptographic operations are carried out by a processor on the card itself, limiting the ability of malicious software on the PC to steal sensitive information.

Cost and extra complication for end users are disadvantages of physical smart cards, but the cards do provide a worthwhile layer of security. Passwords have long been acknowledged as a weak security mechanism, exposed to keyloggers and to users writing their passwords down on Post-it notes. And while smart cards don’t represent a security panacea, they are an important tool in the enterprise security arsenal.

The Windows Smart Card Infrastructure was enhanced in Vista to provide a better user experience and make it easier for card reader manufacturers to provide drivers. The support for smart card authentication in Privilege Guard 3.5 (Edit: now Defendpoint) comes just in time as Windows 8 includes a new feature called Secure sign-in that uses virtual smart cards (VSCs) stored on a device’s TPM (Trusted Platform Module) chip, alleviating the need for a physical card and card reader.

Notebooks and PCs can be stolen, but VSCs cannot be misplaced like their physical counterparts. If a device is lost, the user will probably notice quite quickly, while physical smart cards can stay missing for much longer before the problem is reported to the helpdesk. With VSCs in Windows 8, it’s likely that TPM chips will gradually find their way into consumer-grade hardware rather than being found only in enterprise-grade PCs.

Virtual smart card authentication in Windows 8

VSCs work with the same application-level APIs as physical smart cards. The TPM is used via a virtualized smart card reader, which is presented to Windows applications as if it were a physical reader. Users enroll for certificates in the usual way, and the certificates are then protected by the TPM chip in the user’s PC. No card reader or card is required. The user experience is exactly the same as with a physical card, except that the VSC is always inserted and the user just needs to enter their PIN. Because the private keys are non-exportable, a user who needs to use more than one device must apply for another VSC.

Privilege Guard 3.5 now provides support for smart card authentication via the standard Windows APIs. This allows organizations that already have smart cards deployed, or are thinking about a future rollout, to integrate Privilege Guard 3.5 seamlessly into the IT infrastructure and have users respond to custom UAC prompts with their smart cards in the same way they would respond to a standard prompt. This provides an additional layer of protection and makes it harder for unknown or malicious software to find its way onto corporate networks using elevated privileges.
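
Provisioning a VSC of the kind described above, as an added example that is not part of the original article: it uses the built-in `Get-Tpm` cmdlet and `tpmvscmgr.exe` that ship with Windows 8 and later. The card name `ExampleVSC` is an assumed placeholder.

```powershell
# Added example, not from the original article.
# Run from an elevated PowerShell session on Windows 8 or later.
$vscName = 'ExampleVSC'   # assumed display name for the virtual card

# A virtual smart card needs a TPM that is present and ready for use.
$tpm = Get-Tpm
if (-not ($tpm.TpmPresent -and $tpm.TpmReady)) {
    throw 'TPM is missing or not ready; a virtual smart card cannot be created.'
}

# /pin prompt      : ask for the user PIN interactively; /pin default would
#                    set the documented default PIN 12345678
# /adminkey random : random administrator key that is not returned to anyone,
#                    so the card cannot later be managed with admin-key tools
# /generate        : format the card so certificates can be enrolled on it
& tpmvscmgr.exe create /name $vscName /pin prompt /adminkey random /generate
if ($LASTEXITCODE -ne 0) {
    throw "tpmvscmgr.exe failed with exit code $LASTEXITCODE"
}

# On success, tpmvscmgr.exe prints the device instance ID of the new virtual
# reader. Keep it: it is the value needed to remove the card later with
#   tpmvscmgr.exe destroy /instance <instance ID printed by create>
```

After the card exists, the user enrolls for a certificate against it exactly as they would with a physical card, and the private key generated during enrollment stays bound to that machine's TPM.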

Introducing Defendpoint

Edit: Privilege Guard has now evolved into the brand new security suite, Defendpoint, which encompasses Privilege Management, Application Control and Sandboxing. For more information, please visit www.avecto.com/defendpoint.

Russell Smith

IT Consultant & Security MVP

Russell Smith specializes in the management and security of Microsoft-based IT systems. In addition to blogging about Windows and Active Directory for the Petri IT Knowledgebase, Russell is a Contributing Editor at CDW’s Biztech Magazine.

Russell has more than 15 years of experience in IT, has written a book on Windows security, co-authored one for Microsoft’s Official Academic Course (MOAC) series and has delivered several courses for Pluralsight.
