Multifactor authentication in Windows – Part 1: Smart Cards and USB Tokens

If you would like to read the next part in this article series please go to Multifactor authentication in Windows – Part 2: Preparing Devices on XP and Windows 2003

Up until now, passwords have often been the preferred or required authentication mechanism when accessing sensitive systems and data. But the demand for higher security and convenience, without added complexity, makes room for other authentication technologies. In this article series, we’ll take a look at various multifactor authentication technologies that can be used with Windows. In this first article we’ll start by taking a closer look at the basics of chip based authentication.

When passwords just won’t do

Back in 1956, George A. Miller wrote an excellent paper called “The Magical Number Seven, Plus or Minus Two: Some Limits on Our Capacity for Processing Information”. It’s a paper which describes what limits we, as humans, have when we want to memorize pieces of information. One of the conclusions in the paper is that an average person is capable of memorizing seven (7) pieces of information at a time, plus/minus two (2). Other scientists have later tried to prove that the average person can only memorize five (5) pieces of information at a time, again plus/minus two (2). Either way, assuming this theory holds, it certainly challenges the advice concerning password length and complexity which we often see listed in whitepapers and books, or are told by auditors and security conscious people.

It is often said that complexity is one of the biggest threats to security. One of the areas where we see this proven is when users and administrators are required to obey a complex password policy. The creativity and workarounds I sometimes see from users and administrators when they have trouble memorizing their passwords never cease to surprise me. At the same time, this area is almost always on an organization’s help desk top-5 list. And when Gartner and Forrester estimate that a help desk call related to a forgotten password costs approximately $10 USD, it is easy to do a cost-benefit analysis of an organization’s current password policy.

Passwords as the only authentication mechanism are acceptable, as long as the password is longer than 15 characters and includes at least one character that is not part of the English alphabet. Pass phrases are examples of long passwords that users can remember more easily. This will ensure that most rainbow-table attacks, even 8-bit attacks, will fail, due to the added complexity which “foreign” characters add.

Since the days of Windows 2000, a password can be up to 127 characters long.

However, the reason passwords as the only authentication mechanism are insufficient is that users are bad at selecting and memorizing a good, secure password. Also, you often find that passwords aren’t protected adequately. Fortunately, there are other security solutions that both enhance security and add convenience by letting the user work with a short, easy-to-remember password.

Chip based authentication

One of these security solutions is chip based authentication, which is often referred to as two-factor authentication. Two-factor authentication uses a combination of the following items:

  1. Something you have, such as a smart card or USB token.
  2. Something you know, such as a personal identification number (PIN). The PIN enables the user to access the digital certificate stored on the smart card.

Figure 1 illustrates two different solutions which are basically the same technology. Strictly speaking, only the form factor and cost make the difference, although each solution may contain added features, as we will soon explain.

[Figure 1, left: An example of a smart card used for remote authentication, Windows authentication, physical access and payment. Right: An example of a USB token with both chip based authentication and flash memory for storing files and documents.]

Figure 1: Two examples of chip based authentication devices

Both smart cards and USB tokens have a built-in chip. The chip is essentially a 32-bit microprocessor and normally contains 32 KB or 64 KB of electrically erasable programmable read-only memory (EEPROM) embedded on the smart card or USB token. There are also smart cards and USB tokens available today which contain up to 256 KB of memory for secure data storage.

When we talk about storage in this article, we’re only referring to the storage embedded into the security chip and not the device itself.

This chip contains a small operating system and some memory for storing the certificates which are used for authentication. The OS on the chip differs from vendor to vendor, and therefore you have to ensure that you use a CSP (Cryptographic Service Provider) in Windows which supports the OS on the chip. We will take a look at the CSP in the next article.

A chip based solution has some advantages compared to other multifactor authentication solutions, since it can be used to store certificates for authentication, identification and signing. As we mentioned before, everything is protected by a PIN, which enables the user to access the data stored on the chip. Because an organization often maintains and issues its own smart cards or USB tokens, it can also define the policy associated with the solution, for example whether the card should be locked or erased after x failed attempts. Because you can combine these policies with the PIN, the PIN can be much shorter and thus easier to remember, without compromising security. All of these parameters are stored on the smart card when it is issued. A chip based solution is also tamper resistant, so without the correct PIN, the data (certificates and personal information) stored on the chip is not accessible and thus not usable.
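As an added example (not code from the article or from any card vendor), the following Python model of the PIN retry policy described above shows why a short PIN protected by an on-chip retry counter is not equivalent to a short password: an attacker gets only `max_attempts` online guesses before the chip locks, and the chip may erase its data on lockout. The class, method names, salted-hash storage and the policy values are assumptions for illustration.

```python
# Constructed model of a chip's PIN retry policy (assumption: real card OSs differ).
import hashlib
import hmac
import os


class TokenChip:
    """Toy model of a smart card / USB token chip guarding stored certificates with a PIN."""

    def __init__(self, pin: str, max_attempts: int = 3, erase_on_lock: bool = False):
        # Store a salted hash rather than the PIN itself; the salt never leaves the chip.
        self._salt = os.urandom(16)
        self._pin_hash = self._hash(pin)
        self.max_attempts = max_attempts
        self.remaining = max_attempts          # retry counter, set at issuance
        self.erase_on_lock = erase_on_lock     # policy: lock only, or lock and erase
        self.locked = False
        self.certificates = ["auth-cert", "signing-cert"]  # constructed sample contents

    def _hash(self, pin: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), self._salt, 10_000)

    def verify_pin(self, pin: str) -> bool:
        """True on a correct PIN; a wrong PIN decrements the counter and may lock the chip."""
        if self.locked:
            return False
        if hmac.compare_digest(self._hash(pin), self._pin_hash):
            self.remaining = self.max_attempts  # counter resets after a successful verify
            return True
        self.remaining -= 1
        if self.remaining == 0:
            self.locked = True
            if self.erase_on_lock:
                self.certificates = []          # data is gone, not merely inaccessible
        return False

    def read_certificates(self, pin: str):
        """Returns the stored certificates only after a successful PIN verification."""
        return list(self.certificates) if self.verify_pin(pin) else None


def online_guess_probability(pin_digits: int, max_attempts: int) -> float:
    """Upper bound on guessing a uniformly chosen numeric PIN before the chip locks."""
    return max_attempts / (10 ** pin_digits)
```

With a 4-digit PIN and 3 attempts the bound is 0.0003 per card; compare this with a short password whose hash can be attacked offline without any counter.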

Smart cards or USB tokens?

As we mentioned before, one of the differences between a smart card and a USB token is the form factor. Both solutions solve the basic need with respect to two-factor authentication, but each has its advantages and disadvantages. A smart card can be used for picture identification, since you can print a picture and a name on it. A USB token, however, can include flash memory for storing documents and files. Both devices can be used for physical access control in their own way. A smart card can include a circuit chip, magnetic stripe, bar codes and contactless capability, whereas a USB device may add contactless capability or biometrics support.

Other form factors exist, such as mobile phones, where the Subscriber Identity Module (SIM) card can serve the same purpose as a smart card or USB token.

A smart card requires a card reader, whereas a USB token uses an existing USB port on the computer and emulates a smart card reader. Smart card readers today should either use interfaces such as PC Card, ExpressCard or USB, or be built in, which some notebook and keyboard vendors have done with some of their models. Smart card readers are considered standard Windows devices, independent of the chip OS, and they have a security descriptor and a PnP identifier. Both readers and USB tokens need a Windows device driver before they can be used, and you should always ensure that you use the newest drivers, for performance reasons during two-factor authentication.

The choice of chip solution may influence the initial cost, but other differences should also be considered, such as the psychological factors associated with a chip based solution. A smart card and a credit card are basically the same, which we often see with the new chip-based debit cards most people have today. A lot of companies use the smart card for both physical access at the office and payment for lunch, etc. This means that it has both convenience and monetary value, and hence the user is more likely to protect the smart card and remember to bring it along at all times. It also fits well inside a wallet, which obviously can have an added security effect as well, depending on how you look at it.

Some issues to consider

When choosing a chip based authentication solution, there are some issues and recommendations which should be considered.

  1. Compatibility – Make sure that the chip OS is compatible with the CSP you want to use. As you will learn in the next article, the CSP is the middleware between the chip OS and Windows, and it is also responsible for applying the security policy to the chip.
  2. Management – If you have to implement smart cards or USB tokens for a lot of people, make sure that you choose a chip OS which is compatible with the Card Management System (CMS) of your choice.
  3. Extensibility – Make sure that the chip OS can be used by all the applications and authentication needs that you require. You may have future needs for adding additional certificates to the smart card or USB token, such as e-mail signing and encryption, or even biometric data. For inspiration, check out the DoD Common Access Card (CAC) specifications, which are used to store a lot of information about the user (see link below). Just make sure that you consider privacy issues when storing information such as biometrics. We will be looking at this later in this article series.
  4. Usability – Make sure that you choose and implement a chip based solution which is both user-friendly and practical. One of the biggest challenges with multifactor authentication solutions is that people have a tendency to forget or lose their smart card or USB device, or to forget the PIN if it is not used very often.


In the next article we will show you how to prepare Windows to support multifactor authentication devices, and give you some best practice advice along the way for preparing smart cards or USB tokens in your Windows XP and Windows Server 2003 environment.


