In-Depth

Microsoft Employees Get Carded

Microsoft is betting big on smart cards for its own employees while working to make the technology more palatable for the masses.

• By Karen Epper Hoffman
• 11/01/2005

Citing "the weakness of passwords," Gates heralded the coming wave of smart cards as a form of two-factor authentication that will make it more difficult for imposters to wedge their way into the private networks and personal files of legitimate citizens.

Gates should know: His own employees have been using smart cards to access the company network for nearly three years now. All 80,000 Microsoft employees and contractors all over the world use a smart card to log on to the network, digitally sign e-mail and gain access to corporate buildings. At some locations, employees can even use the cards to pay for food in the company cafeteria.

According to Peter McKiernan, senior product manager for the platform strategy group at Microsoft, who helped direct the company's smart card program, the card looks pretty much like any other corporate ID, with a picture of the employee (or contractor) and corporate logo emblazoned on the front. The cards carry a chip supporting applications that include network access and digitally signing e-mail, as well as a radio frequency ID component, which is used for physical building access applications and wireless payments.

The idea behind the smart card is to enable two-factor authentication of employees for most applications. The approach requires employees to meet at least two of three accepted factors, or proofs, of identity: what you know (such as a password or personal identification number); what you have (a card or a token); and what you are (a fingerprint or retina scan).

"Passwords, or actually any form of single-factor authentication, have very well-known and accepted limitations," McKiernan says. "Two-factor authentication has long been recognized as a more secure approach than passwords [alone]."

Playing the 'Smart' Card
With the need for dual methods of verifying employees' identity in mind, Microsoft started investigating the use of smart cards in the latter half of 2000, McKiernan says. The company conducted an internal proof-of-concept test in 2001, followed by a wider rollout of the cards to the entire organization beginning late that year and continuing into 2002.

Microsoft security experts considered other forms of secondary authentication, including biometrics and hardware such as USB tokens and key fobs. But for this application—an identifier that would have to be issued, upgraded and maintained regularly for tens of thousands of users on a worldwide scale—smart cards best fit the bill.

"We decided on smart cards ... because of the cumulative sum of their reliability, performance, cost, features, mobility benefits and integration with existing infrastructure," McKiernan says.

For starters, the size and shape of the smart card—it looks like a typical ID badge and can fit in a wallet, like a credit card or license—make it less apt to be lost or left behind. And the same card can perform multiple applications. The smart chip supports tasks that require the card to be inserted into a reader, such as logging on to the network and signing e-mail. The RFID chip is used for "contactless" applications such as building access, where a user can just wave the card past a wireless reader to identify himself to the system.

Smart cards also didn't create as many specialized maintenance issues as other hardware alternatives, McKiernan says. For example, batteries for a key fob device are hard to find in some of Microsoft's more far-flung foreign offices.

Cost, of course, is a key element. Early estimates, McKiernan says, pegged the cost of implementing a smart card authentication system—including all labor, cards, readers and other hardware and software—at about $55 to $75 per user. Since the initial implementation, those per-user costs have decreased, though McKiernan declined to say by how much. "For other applications in the wireless or financial space the answer might be different. [But] for corporate authentication, this [smart card] is where we see the most promise."

"A lot of companies will watch Microsoft to see how it secures its assets." Diane Harvey, Axalto

The cards themselves have evolved since they were first rolled out to employees. The first widely issued card held only a 32K chip, and used the Windows for Smart Cards operating system, a basic version of Windows tailored to the low-capacity smart card environment. Earlier this year, as new employees came on board and existing employees upgraded cards or changed status, the company began issuing more advanced Cryptoflex cards. The newer cards not only incorporate RFID, they have four times the capacity (128K) and employ a small-footprint version of Microsoft's .NET framework.

Supplied by Axalto, an Amsterdam-based supplier of microprocessor cards, the Cryptoflex cards can be more easily integrated with other computer-based applications, according to Diane Harvey, the director of business development for Axalto. Axalto worked with the developer of Microsoft's contact-less functions and also handled customizing the microprocessor chip on the Cryptoflex cards, which are being distributed to employees as the need arises.

McKiernan says the new cards offer better security while the .NET framework makes it easier to develop applications and program the cards. For example, developers can create .NET applications that work not just on smart cards, but other devices, perhaps handhelds or even PCs. This ultimately expands the range of possibilities for how the cards can be used.

Building in Simplicity
.NET is just part of the story in terms of how Microsoft is trying to make the process of implementing smart cards easier. It has been integrating support for smart cards into its OSes since the release of Windows 2000, according to Kim Cameron, Microsoft's chief architect of identity and access. Win2K and Windows XP users can log in and use certificate-enabled applications through the native smart card support built into those clients. Windows Server 2003 and Win2K Server both give organizations an integrated certificate authority that enables them to issue and manage digital certificates. Supported functions include smart card authentication, SSL transactions, encrypting files on the Windows desktops and servers, secure authentication to wireless networks using 802.1x, and other scenarios, Cameron adds.

When Windows Vista arrives, Cameron promises it will include "several enhancements to simplify the deployment and usability of smart cards." For example, he says, the base Cryptography Service Provider (CSP) in Vista will provide a common platform for smart card manufacturers and independent software vendors (ISVs) to build upon, ensuring a consistent and simplified deployment experience for the varying card modules required for each card manufacturer.

"This simplified environment will allow customers to choose smart cards based on the economic variables of the physical device," says Cameron, "rather than having to be concerned with the complexity of smart card deployment and the management of software."

Microsoft took yet another step toward reducing that complexity in September, when it acquired Alacris, which makes products that ease the provisioning, configuration and self-administration of smart cards. At the time, Microsoft said it hopes to plug the Alacris technology into the authentication and identity infrastructure of Active Directory and Microsoft Certificate Services.

Microsoft Smart Cards, Old and New Original 32KB smart card platform. The newer, .NET-based 128KB smart card now in use at Microsoft offers about 86KB of free space for certificates, keys, applications, files and data.

Domino Effect
But, McKiernan says, smart cards represent just one means of achieving two-factor authentication. "Smart card is just one version, the choice that's right for us," he says. "That's not to say that other avenues are not equally viable."

Doug Howard, vice president of service delivery to security consultancy Counterpane Internet Security Inc., says the fact that Microsoft has decided to up the ante with its use of smart cards seems a solid vote of confidence. "Any time you have a user base that you're moving to the next level," says Howard, "that's a good sign that the technology is working for them."

But how will it work for others? It's tough to determine if Microsoft's embrace of smart cards will have a ripple effect on other companies' security efforts. It would seem that in light of some recent high-profile security breaches, more companies would seek to improve their authentication techniques for internal staff as well as customers and other outside parties.

McKiernan says he often hears from chief information officers at large organizations "who know that they have to move to two-factor [authentication], but the things that keep them up are the cost and complexity. They want to make sure they can do it right."

Increasing compliance demands may be steering more companies toward adopting the technology. Sarbanes-Oxley and the Health Insurance Portability and Accountability Act make it increasingly incumbent upon financial institutions and health care providers, respectively, to account for internal and external communications and provide strong access control to potentially sensitive documents. Smart cards help make those chores more feasible.

Smart card authentication has already gained a footing in the United States with oil companies, according to Axalto's Harvey, largely because they're looking for the best means possible to protect the sensitive and valuable data that travels to their offices from remote drilling sites. Shell, Exxon and Mobil, she says, have all adopted smart cards for access and authentication—and more companies might jump on the smart card bandwagon if inspired by market leaders, she believes.

"A lot of companies will watch Microsoft to see what it does," Harvey says, "how it secures its assets."

Authentication Alternatives
Counterpane's Howard isn't so sure, noting his company works with nearly 20 percent of the Fortune 500 companies and he doesn't recall any of them bringing up Microsoft's efforts. While Microsoft's use of smart cards for security is "a good reference point," Howard doesn't think it will inspire many others to choose smart cards over other secondary means of authentication.

Howard says companies will make decisions based on the unique needs of their user bases and the information they're trying to secure. A major private bank might decide it's a worthy investment to issue smart cards or passcode-generating tokens to its high-net-worth customers—not only to better protect their financial information, but to give these prized customers a tangible form of security. Wachovia Corp., which has been a victim of high-profile phishing schemes, is exploring issuing customers hardware tokens that generate one-time passwords for authentication. E*Trade already offers RSA SecurID tokens as an option, providing them free to customers of its premium services and charging others $25.

If the user base is larger and more mainstream, companies will likely look for a way to provide strong authentication that costs less and doesn't require the same level of distribution and management. Bank of America Corp., under the gun after a rash of security problems, in July added a new element of authentication to its online banking system, dubbed SiteKey. At the time of set-up, the system requires users to select an image, write a phrase and create three challenge questions. When the customer logs on, he's presented with his own personally selected secret image, so he knows for sure that he's definitely at the bank's Web site and not a spoofed site. Meanwhile, the bank has a wider number of prompts to offer to determine if it is indeed dealing with a valid customer.

Diversinet Corp., a Toronto-based company that specializes in software-based mobile authentication systems, offers another solution: Its system generates one-time passwords to users through software resident on the mobile phone's SIM card. These so-called soft tokens are less expensive than hardware alternatives like smart cards and key fobs, says Wally Kowal, the company's vice president of marketing. The system plays on the fact that corporate users typically have their mobile phone with them at all times anyway. "Why ask someone to carry around a new piece of hardware," Kowal says, "when they already have their cell phone with them?"

The answer is still up in the air for most enterprises. Meanwhile, Microsoft is doing its best to leverage the potential of smart cards to play a larger role in enterprise security.

"I would not imagine Microsoft bundling cards with our software, but I could see this becoming a greater part of the standard offering from our OEM [original equipment manufacturer] and channel partners," McKiernan says. "What we will do is continue to make smart cards, and two-factor authentication in general, easier to use, deploy and manage. If there is a role for software to play, whether it's on the card, the client, or the server, then that is where we will play a role."