Gartner Research

Road Map: Replacing Passwords with Smart Card Authentication

Published: 07 June 2011

ID: G00212293

Analyst(s): Mark Diodati

Summary

Many organizations want to reach the desired state of password reduction because of security and usability concerns, but struggle to get there for lack of knowledge about the path. In this road map document, Research Vice President Mark Diodati specifies the strong authenticator selection process. Additionally, he discusses the milestones, decisions, and processes associated with the deployment of smart cards. A companion document maps out the milestones, decisions, and processes associated with a one-time password (OTP) device deployment. Milestones include core implementation, identity management (IdM) integration, distribution and binding, application migration, and the creation of emergency access procedures.

Table of Contents

Analysis

  • Current State
  • Desired State
    • Password Elimination vs. Reduction
  • Strong Authentication Choices
    • Smart Card
    • OTP
  • Authenticator Selection Process
  • Smart Card Main Process
  • Active Directory Integration
    • 1. Do Forest(s) Exist?
    • 2. Are Forest(s) Required?
    • 3. Configure and Verify Trust Between Domain(s)
    • 4. Configure and Verify Hierarchical Trust Among Domains in Each Forest
    • 5. Do Multiple Forests Exist?
    • 6. Configure and Verify Trust Between Forest(s)
    • 7. Configure Container Hierarchy for Group Policy
    • 8. Configure and Verify Group Policy Settings for Users and Workstations
    • 9. Integrate Group Policy Push into Self-Service and Administrative Consoles
    • 10. Hosted Domain(s) or Forest(s)?
    • 11. Implement IPsec Tunnel(s) Between Networks
  • PKI Implementation
    • 1. Using Strong Authentication as a Service?
    • 2. Install Hardware Security Module
    • 3. Install and Configure the CA
    • 4. Will E-Mails Be Signed and Relied upon by an External Entity?
    • 5. Sign CA Certificate with Public Root CA
    • 6. Is Organization Using Microsoft Certificate Services?
    • 7. Configure Trust Between Active Directory and the CA
    • 8. Create a Registration Authority for the Smart Card Management System
    • 9. Use Active Directory to Distribute CA Certificate(s)
    • 10. Configure CA
    • 11. Sign CA Certificate with Public Root CA
    • 12. Configure Trust Between On-Premises Active Directory and Hosted CA
  • CMS Deployment and IdM Integration
    • 1. Install the CMS
    • 2. Integrate the CMS with the HSM
    • 3. Change and Secure the Smart Card Administrative Key
    • 4. Tightly Couple PKI RA to CMS
    • 5. Configure CMS for Card Life Cycle Management
    • 6. Create and Test CMS Self-Service Interface for Emergency Access
    • 7. Does a Provisioning System Exist?
    • 8. Integrate the Provisioning System for Card Life Cycle Management
    • 9. Customize the Look and Feel of CMS Portal
    • 10. Will the Smart Card Be Used for PACS Authentication?
    • 11. Integrate the Provisioning System with PACS (or PACS IdM)
    • 12. Integrate the CMS with PACS (or PACS IdM)
  • Smart Card Selection
    • 1. Will the Federal Government Rely on the Smart Cards?
    • 2. Will the Card Be Used for PACS or Badging?
    • 3. USB-Style
    • 4. Card Style
    • 5. PIV-I Card
  • Workstation Software Deployment
    • 1. Is the Workstation Running Windows XP?
    • 2. Deploy Smart Cards with a Windows 7 Workstation Refresh
    • 3. Does the Smart Card Reader Leverage CCID?
    • 4. Install Device-Specific Driver
    • 5. .NET Card?
    • 6. PIV Card?
    • 7. Windows Vista or Windows 7?
    • 8. Install PIV Minidriver Software
    • 9. Is Emergency Access (Locked Card) Supported?
    • 10. Deploy CMS Workstation Software
    • 11. Advanced PKI Needs?
    • 12. Deploy a PKI Augmentation Product
  • Smart Card Distribution
    • 1. Is the Smart Card Graphically Personalized?
    • 2. Is the Smart Card Significantly Electronically Personalized?
    • 3. User Procures Unpersonalized Card
    • 4. User Identity-Proofs at Portal via OOB Authentication
    • 5. User Negotiates PIN
    • 6. Portal Installs Certificate(s) on Card
    • 7. Is a User On-Site Visit Rare?
    • 8. User Identity-Proofs in Person
    • 9. Administrator Personalizes Card
    • 10. Will the Smart Card Be Used for PACS Authentication?
    • 11. Administrator Binds Serial Number to User in PACS
    • 12. User Negotiates PIN
    • 13. Administrator Personalizes Card
    • 14. Administrator Mails Card to User
    • 15. User Identity-Proofs at Self-Service Portal via OOB Authentication
    • 16. User Negotiates PIN
    • 17. Self-Service Portal Activates Card
    • 18. Audit Event
    • 19. Report Event to Manager and User
  • Emergency Access (No Card)
    • 1. Is the Workstation Online?
    • 2. User Identity-Proofs to Portal via OOB
    • 3. Portal Receives Password and Displays It to User
    • 4. Portal Changes Logon Group Policy
    • 5. User Identity-Proofs to Help Desk
    • 6. Does Custom Software Exist?
    • 7. Custom Software Changes Local Group Policy
    • 8. Help Desk Retrieves Password and Articulates It to User
    • 9. User Authenticates to Windows via Password
    • 10. Reversion Process Resets Password and Group Policy
    • 11. Audit Emergency Access Event
    • 12. Event Is Reported to Manager and Employee
  • Emergency Access (Locked Card)
    • 1. Is the Workstation Online?
    • 2. Does CMS Software Exist?
    • 3. CMS Software Initiates Self-Service Portal Session
    • 4. Is the User On-Site at a Kiosk?
    • 5. User Authenticates to CMS Portal
    • 6. CMS Portal Unlocks the Smart Card
    • 7. Base CSP Detects Locked Card
    • 8. The Windows Logon Interface Provides a Challenge
    • 9. Help Desk Provides Response
    • 10. User Enters Response
    • 11. User Chooses New Smart Card PIN
    • 12. Audit Emergency Access Event
    • 13. Report Event to Manager
  • PACS Remediation and Integration
    • 1. Inventory Physical Locations
    • 2. Perform PACS Risk Assessment
    • 3. Are Physical Controls Sufficient to Address Risk?
    • 4. Remediate PACS
    • 5. Analyze Card Types Used in the PACS
    • 6. Perform Initial Reduction of Card Types
    • 7. One Card Type Remains?
    • 8. Select Hybrid for Deployment
    • 9. Two Card Types Remain?
    • 10. Select Tri-Interface Card and/or Multiprotocol Readers
    • 11. Prioritize Card Types
    • 12. Any Buildings Not Owned (Tenancy)?
    • 13. Manually Administer Tenant PACS Cards
    • 14. Do Multiple PACS Hosts Exist?
    • 15. Does the PACS Maintain User Information?
    • 16. Create PACS Integration with Authoritative Identity Source
    • 17. Implement PACS IdM Product
    • 18. Map Existing PACS Users
  • Emergency Access (PACS)
    • 1. Is the Card Permanently Lost?
    • 2. Distribution
    • 3. User Identity-Proofs On-Premises
    • 4. Is the User at a Main Location?
    • 5. Does the Location Have Temporary Cards?
    • 6. User Accesses Physical Resources via a Manual Process
    • 7. Does the PACS Require a PIV Card?
    • 8. The Organization Assigns a Temporary PACS Card
    • 9. Organization Binds Serial Number to Identity in PACS
    • 10. Assign Temporary PIV Card
    • 11. Bind PIV Card to PACS Identity
    • 12. Audit Emergency Access Event
    • 13. Report Event to User and Manager
    • 14. Organization Reverts to User Smart Card After Specified Time
  • Futures: Near Field Communication
  • Be Ready to Customize and Integrate
  • Evaluate DirectAccess
  • Consider a Privileged Account Management (PAM) Product
  • Skip Windows XP
  • Use OOB Identity Proofing
  • Leverage Microsoft Certificate Services
  • Deploy an HSM
  • Enforce Smart Card Authentication
  • Evaluate SAaaS
  • Reduce the Number of User Sign-Ons

Recommended Reading

Notes

©2019 Gartner, Inc. and/or its affiliates. All rights reserved. Gartner is a registered trademark of Gartner, Inc. and its affiliates. This publication may not be reproduced or distributed in any form without Gartner’s prior written permission. It consists of the opinions of Gartner’s research organization, which should not be construed as statements of fact. While the information contained in this publication has been obtained from sources believed to be reliable, Gartner disclaims all warranties as to the accuracy, completeness or adequacy of such information. Although Gartner research may address legal and financial issues, Gartner does not provide legal or investment advice and its research should not be construed or used as such. Your access and use of this publication are governed by Gartner’s Usage Policy. Gartner prides itself on its reputation for independence and objectivity. Its research is produced independently by its research organization without input or influence from any third party. For further information, see Guiding Principles on Independence and Objectivity.
