Can you imagine PKI without physical cards?
It turns out you can.
Of course, physical smart cards and USB tokens still occupy the majority of the PKI market. They are traditional ‘carriers’ of users’ personal certificates and successful providers of authentication, encryption and digital signature at an office PC.
However, fast digitalization brings new challenges to the constantly developing economy. You may have employees who frequently go on business trips with only their smartphones or laptops. Naturally, they can’t bring along smart card readers and smart cards, but they still require digital certificates for work.
The 2020 pandemic also set new trends. In the work-from-home reality, companies whose business processes and services were massively connected to Public Key Infrastructure faced an unexpected problem. To maintain internal work, employees should use smart cards. But it is neither cost-effective nor quick to distribute hardware USB tokens. A virtual smart card, on the contrary, fits these new cases perfectly.
Modern card management systems offer various options:
- Using virtual smart cards on the basis of Trusted Platform Module (TPM) and Windows Hello for Business (WHfB);
- Using the client-server virtual smart card;
- Issuing certificates to the user’s local storage.
We’ll guide you through the available options.
Virtual smart cards (TPM/WHfB)
Trusted Platform Module (TPM) is a specialized chip on an endpoint device that stores encryption and signature keys specific to the host system for hardware authentication.
Windows Hello for Business replaces passwords with strong two-factor authentication on Windows-powered devices. This authentication is tied to a device and uses a biometric or PIN.
- Private keys are protected by the cryptographic functions of the trusted platform module, which is inseparable from the device (computer).
- The keys are tied to the device (the user’s computer) and cannot be extracted.
- A company should invest in server infrastructure (WHfB) and users’ workstations (TPM).
Network-attached smart card Indeed AirKey
Indeed AirKey is a software implementation of a smart card that lets a user perform the same operations as a hardware smart card.
- No hardware components
- Execution of cryptographic operations on the server
- Remote delivery of the smart card to a user
Issuing certificates to the user’s local storage
One alternative to a hardware or virtual smart card is to issue a certificate and deploy it together with the private key on the user’s workstation.
This option can be useful when a user works with virtual machines that they connect to through a thin client, a mobile device or special software (for example, a VPN client).
- The container with the certificate can be protected by a PIN code;
- The certificate’s private key cannot be exported.
- No additional expenses for hardware or infrastructure are required.
As you can see, there are a number of scenarios where a virtual smart card can work better than its hardware counterpart. Indeed Certificate Manager, a cutting-edge product for smart card management, can work in all these scenarios to increase the efficiency of your PKI.