What ARE Smart Cards?

Fri 15 Sep 2023

A smart card is a physical card, typically the size of a driver’s license or credit card, that has an embedded integrated chip. The integrated chip might be a microprocessor with memory capacity or a simple memory circuit; it processes data, allows the user to perform transactions, and stores data. Hence, though it’s a pocket-sized device that’s easily carried in a wallet, a smart card can be a portable computer without a keyboard, since some come with a display, a microprocessor, memory, and typically apps.

Smart cards are tamper-resistant by design, and in-memory information is protected through encryption. In fact, it’s the cryptographic keys (a string of coded characters produced from an algorithm) that conceal and convert the data so that only someone with the right key can decode it and make it intelligible – which explains why smart cards are a strong form of identity authentication. This encryption is robust and can include random key generation, tamper-proof and secure key storage, hashing (transforming a string of characters into another value), and digital signing.

  • Authentication with a smart card is achieved with physical possession of the card and the secrets held within it as a first factor, and knowledge of the Personal Identification Number or PIN that unlocks the card as a second factor.  Together, something you have (like a smart card) coupled with something you know (like a PIN) amounts to two-factor authentication (2FA).  Two-factor authentication is the simplest and most effective approach to verifying user identity and protecting against security threats that target passwords and accounts, such as brute-force attacks, phishing, credential exploitation and more.   

The most common types of smart cards are:

  • Contact smart card – The most common type, widely used in banking; it requires physical contact with a smart card reader to function.
  • Contactless smart card – The microprocessor on the card communicates with the card reader through Near Field Communication (NFC) technology or RFID induction technology. The card is typically powered through an electromagnetic signal from the contactless smart card reader.
  • Hybrid smart card – These cards feature the functionality of both the contact and contactless cards.

What is a Smart Card Reader?

Smart card readers are devices used to enable two-way communication between the smart card and the host. There are 2 basic types of smart card readers – those that make contact with the smart card and what are called contactless readers. While both are used to enable two-way communication, they tend to differ in their applications.

Contact Smart Card Reader – Requires manual insertion of the smart card into the smart card reader and is typically used in higher security environments. Contact smart cards have 8 contact points on the card itself, each of which must engage with the reader’s 8 matching contact points to activate the card electrically and establish communication (transfer data between the card and reader). Contact smart card readers are often installed on doors to ensure security and authenticate identity in State & Federal Government environments and/or during financial transactions.

Contactless Smart Card Reader – Rather than inserting the smart card manually, the user merely holds the smart card within proximity of the contactless smart card reader, thereby triggering a short-range wireless connectivity standard (such as radio-frequency identification, RFID, or near-field communication). For this reason, contactless smart card readers offer speedy and convenient authentication and are popular at office buildings where employees commonly wear lanyards (cords worn around the neck) attaching smart cards for quick office entry. Contactless smart card readers can be activated from a distance.

What Is Smart Card Authentication?

Before granting entry to secured spaces or access to online resources and assets, organizations require that identity be authenticated. Smart Card Authentication verifies user identity when the smart card is used in tandem with a smart card reader. The microprocessor embedded in the smart card generates, stores, and operates cryptographic keys (a string of characters used within an algorithm for altering data so that it appears random). Much like a physical key, the microprocessor locks or encrypts data so that only the right key can unlock or decrypt it.

Smart card authentication is a two-step login process where the card stores:

  1. User’s public key credentials (information about the identity of its owner, used to verify digital signatures generated by the private key).
  2. User’s private key or personal identification number (PIN), acting as the secret key to authenticate the user to the smart card.

This is how smart card authentication achieves two-factor authentication, or 2FA.

How does smart card authentication work?

Two things are required to achieve smart card authentication: the smart card itself and a personal identification number (PIN) entered by the smart card user. With contact smart cards, the card is inserted into the smart card reader and its embedded microprocessor is physically engaged for data transmission.

Contactless smart cards only require that the card be in close proximity to the reader, thereby allowing the embedded microprocessor to communicate credentials through Near Field Communication (NFC), Radio Frequency ID (RFID), or another short-range wireless connectivity protocol like the Carrier Sensing Collision Detection (CSCD). The card reader transmits data from the smart card back to the controlling terminal (server or workstation) for immediate processing.

Advantages of Smart Card Authentication

Security

Compared to magnetic stripe cards, smart cards provide enhanced security because the embedded microprocessor enables untethered “siloed” data manipulation (processing data directly without remote connections). Further, data stored in a smart card is tamper resistant: it is not easily modified, retrieved or deleted. Thus, it is highly unlikely that a person with malicious intent, even if they somehow secured possession of the card, could create a duplicate copy and breach security. Even memory-only smart cards provide stronger security than traditional mag stripe cards because they can store more authentication and account data. Smart cards are also generally safe against magnetic fields and electronic interference, unlike traditional magnetic stripe cards.

Flexibility

Software applications and data on a smart card can be updated remotely through secure channels thereby negating the need to issue a new card.  As they are encrypted and have a unique ID, smart cards cannot be duplicated; users can access multiple services on a single card (eliminating the need to carry multiple cards).

Packaging

Since most are manufactured from plastic, they’re less expensive than typical digital tokens and other authentication platforms. Additionally, they easily comply with the International Organization for Standardization (ISO) and International Electrotechnical Commission (IEC) packaging standards.

Processing power

Smart cards are essentially small computers and thus perform functions beyond simply storing data. For example, the microprocessor embedded in the smart card can track the number of wrong PIN login attempts and automatically lock out access for a specified period.
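An added example, not code from the original page or from any card vendor: a Go model of one common way the two factors combine, in which the host sends a random challenge and the card signs it only after the PIN checks out, with the wrong-PIN counter described above. The `Card` type, the function names, the PIN and the retry limit are constructed for illustration; Ed25519 stands in for the card's RSA or ECC key, and the lockout is modelled as a locked state whose timed release is not simulated.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/subtle"
	"errors"
	"fmt"
)

var (
	ErrWrongPIN = errors.New("wrong PIN")
	ErrBlocked  = errors.New("card locked: too many wrong PIN attempts")
)

// Card models the chip; priv and pin never leave it, Pub goes in the certificate.
type Card struct {
	priv           ed25519.PrivateKey
	Pub            ed25519.PublicKey
	pin            []byte
	limit, retries int // retries = wrong-PIN attempts left before lockout
}

// NewCard generates the key pair on the card itself.
func NewCard(pin string, limit int) *Card {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err) // no entropy source: nothing safe to do
	}
	return &Card{priv, pub, []byte(pin), limit, limit}
}

// Respond signs the host's challenge only if the PIN is right. An attempt is
// spent before the constant-time compare; a correct PIN resets the counter.
func (c *Card) Respond(pin string, challenge []byte) ([]byte, error) {
	if c.retries == 0 {
		return nil, ErrBlocked
	}
	c.retries--
	if subtle.ConstantTimeCompare(c.pin, []byte(pin)) != 1 {
		return nil, ErrWrongPIN
	}
	c.retries = c.limit
	return ed25519.Sign(c.priv, challenge), nil
}

// HostAuthenticate sends a fresh nonce (no replay) and verifies the signature.
func HostAuthenticate(c *Card, pub ed25519.PublicKey, pin string) (bool, error) {
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return false, err
	}
	sig, err := c.Respond(pin, nonce)
	return err == nil && ed25519.Verify(pub, nonce, sig), err
}

func main() {
	card := NewCard("482916", 3) // constructed PIN and retry limit
	fmt.Println(HostAuthenticate(card, card.Pub, "482916"))
}
```

Once the counter reaches zero the card refuses even the correct PIN, which is what makes guessing a short PIN impractical for someone who only holds the card.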

Privacy Protection Features of Smart Cards  

Smart cards offer a number of features that provide or enhance privacy protection:

  • Authentication. Smart cards provide ways to authenticate people who are seeking access to the card. These mechanisms within the smart card can be used to validate devices, users, or applications trying to use the data on the card’s microprocessor. These features protect privacy by ensuring that a banking application, for example, has been authenticated as having the proper access rights prior to accessing financial information or functions on the card.
  • Secure data storage. Smart cards enable secure data storage on the card. The data stored on smart cards can only be accessed through the card’s operating system and by those with credentialed access. This feature is utilized by some systems to strengthen user privacy by storing personal data on an individual’s smart card instead of a central database.  This framework empowers the user with more informed knowledge and control of when their personal information is being accessed — and who is involved.  For example, there are job seekers who prefer to not have their professional profile or resume published publicly (such as on LinkedIn) yet want that information available to select parties.  
  • Encryption. Smart cards provide extensive encryption capabilities, including secure key storage, hashing, key generation, and digital signing. For instance, a smart-card environment can require a digital signature for emails, creating a means to validate an email’s authenticity. This ‘tamper proofs’ the email message while also assuring the recipient of the email’s origin.
  • Strong device security. Duplicating or forging smart-card technology is extremely difficult, as the card is tamper-resistant by design. Smart-card microprocessors offer a variety of software and hardware capabilities to detect and respond defensively to tampering efforts.
  • Biometrics. Smart cards enable ways to securely store biometric templates such as fingerprints and perform biometric matching functions. These capabilities can be used to strengthen privacy in systems that use biometrics.   Storing fingerprint templates on smart cards as opposed to in a central database effectively increases security and privacy in a fingerprint credentialed single sign-on system.
  • Personal device. A smart card is essentially a computer that’s as personal and portable to the user as their mobile phone – able to be leveraged to improve privacy.    For instance, a healthcare application of a smart card might store prescription information on the card thereby improving the privacy and accuracy of the patient prescriptions – as opposed to managing prescriptions on paper.

Types of smart cards

Smart cards are categorized based on their capabilities, how the card reads and writes data, and the type of technology or microprocessor embedded in the card. They include:

  • Contact smart cards: the most common type. Once the card is inserted into a smart card reader, contact points on both the card and reader engage, enabling processing, commands, and data transmission.
  • Contactless cards: only close proximity to a card reader is required to engage, enabling processing, commands, and data transmission. Both the smart card and the smart card reader are engineered with antennae and communicate using a contactless link or radio frequencies.
  • Dual-interface cards:  engineered with both contact and contactless interfaces.  
  • Hybrid smart cards: engineered with more than one technology with the different technologies serving different applications but linked to a single smart card.  For instance, an embedded microprocessor accessed through a contact reader used for physical access control to restricted areas coupled with an RFID microchip for contactless proximity connection used for SSO authentication.
  • Memory smart cards: only designed with memory chips and limited to storing, reading and writing data, which can be modified or overwritten, but the card offers no programmability.  Memory smart cards can be read-only for applications of storing data such as a password, PIN, or public key. They can also be read-write and update user data. Memory smart cards are commonly engineered to be rechargeable or disposable, in situations for when the data contained can only be used once or for a limited period of time before being updated or discarded.
  • Microprocessor smart cards: have a microprocessor engineered onto the chip, also supported with memory.  These cards are essentially portable computers with an operating system managing the data in the files and the memory allocation. Microprocessor smart cards can be used for multiple functions and usually allow for complete data manipulation in memory. 
  • PKI smart cards: PKI, or public key infrastructure, is the technology compliance standard behind digital certificates, which prove identity and grant certain allowances. Contained in smart card technology is a cryptographic module. This module helps generate and secure public key infrastructure (PKI) keys and certificates in compliance with the US government’s standard for smart card authentication – which generally means the ability to create, store and apply asymmetric encryption keys (i.e. RSA and/or ECC).
  • PIV Card, CAC Card & CAC Authentication:   PIV cards (personal identity verification) and CAC cards (common access cards) are used by active service personnel or military, the Department of Defense civilian employees, or select contractors for identification and entry into buildings, controlled spaces, and online systems.   

Smart Cards for Enterprise ID

Organizations in all industries are trying to improve the process used to identify users seeking access to their online resources. As the demand for both wired and wireless access to networks increases, so too does the occurrence of identity theft, with the result that password-based user authentication has been identified as a significant security risk. Both government agencies and enterprises are migrating from simple passwords to stronger, two-factor authentication solutions that strengthen security, respond to regulatory and compliance standards, and lower support costs.

Smart cards can support and combine several ID technologies: public key infrastructure certificates, one-time password seed files, stored password files, and biometric image templates (fingerprints), as well as the generation of asymmetric key pairs.

Their ease of integration with IT infrastructure is seen in how both Unix® and Microsoft® Windows® operating systems offer extensive smart-card-related support and functionality, through either commercial add-on software packages or built-in (out-of-the-box) support. Smart cards enable logical access initiatives to be efficiently achieved by needing to only issue a single identification card supporting logical access control, physical entry access, application access and data storage, along with other functions.  Organizations significantly lower cost when combining multiple authentication requirements on a single identification card, enhance end-user experience, and strengthen overall enterprise and agency security.

Smart cards are becoming the standard for securely controlling physical access to buildings and internal office spaces and can be used to: 

  • easily authenticate a person’s identity 
  • determine the appropriate level of access
  • physically admit the cardholder to a facility

Two of the basic layers in the foundation of physical security, access control and identification, are achieved through the proper use of either contact or contactless smart cards.

Multiple access applications can be supported on a single smart card, enabling users to access both physical and logical resources with a single credential. Smart cards enable access rights to be changed dynamically, driven by the time of day, perceived threat level, or chosen parameters. Multi-technology smart cards are flexible and can also support legacy access control technologies during a planned ID authentication migration, when accommodating legacy systems may be required.

Smart Cards for Healthcare Organizations

Healthcare organizations globally are migrating to smart health cards to leverage a range of features and more efficiently manage applications. Smart health cards can strengthen the security and privacy of PHI or Protected Health Information, function as a secure carrier for medical records, lessen healthcare fraud, support future processes for medical records, enable speedy and secure access to emergency medical information, adhere to government compliance standards, and serve as the health organization’s platform to deliver yet to be identified applications as needed.

Smart cards offer several advantages over magnetic stripe cards for healthcare organizations where security and PHI, or Protected Health Information, are critical requirements.

  • Smart cards engineered with microprocessors encrypt, secure and protect the patient’s personal health information.
  • Smart cards restrict access to stored data and information to authorized parties only. For instance, all or only specified portions of the patient’s personal information can be protected so that only specific doctors, medical staff, and hospitals can access it. The rules for controlling access to PHI or Protected Health Information are enforceable whether the smart card is engaged online to a network or not.
  • Smart cards support strong authentication (confirming identity when passwords alone are insufficient) for accessing personal health information. Patients and health care organizations can use smart health ID cards to achieve two-factor authentication (2FA) when accessing online network systems.  Additionally, smart cards can support biometrics (fingerprints) as a form of authentication to further protect access.
  • Smart cards offer heightened security by supporting digital signatures, which can validate the integrity of the origin of all information on the card plus assure the information has not been fraudulently altered or tampered with since issuance. This helps reduce healthcare fraud.

The cryptographic measures engineered into microprocessor-based smart cards make it extraordinarily difficult for unauthorized parties to duplicate the card or obtain any information on the card whatsoever. The tamper-proof nature of smart cards curtails identity theft and medical fraud while helping healthcare organizations meet HIPAA security and privacy standards. Not only can smart cards securely store healthcare information, but they also offer the flexibility to conveniently update that information.

  • Patient healthcare data such as prescriptions can be stored and updated after issuance, enabling up-to-date health and medical profiles when a patient is in an emergency situation or receiving care from multiple providers.
  • Multiple unique patient identification numbers can be stored to the smart card, helping record exchange and coordination of care among multiple healthcare providers.

Smart cards can improve healthcare provider and insurer processes by supporting broad functionality.

  • Accurately and quickly identifying patients, lessening medical identity theft and enhancing quality of care through organizational efficiency.
  • Streamlining patient registration and PHI or Protected Health Information access throughout the stages of care, reducing paperwork and errors.
  • Supporting audit logs and thereby meeting compliance with HIPAA’s Minimum Necessary Rule of accessing PHI for a specific job function purpose only.
  • Enabling secure access to online resources and healthcare websites.
  • Storing PHI or Protected Health Information and applications on the smart card, and enabling access offline via portable smart card readers.
