Wave Systems (NASDAQ:WAVX) announced capabilities in its newest version of EMBASSY Remote Administration Server (ERAS) that empowers IT to roll out virtual smartcards for added protection against credential theft—without the provisioning challenges, costs and support associated with physical smartcards.
Microsoft is emphasizing the role of virtual smartcards in its recently released Windows 8 operating system, as one of the key pillars of modern access control. Wave is delivering modern access control today on Windows 7, enabling the use of both machine and user ID using hardware-protected certificates through the Trusted Platform Module (TPM).
Virtual smartcards are similar to physical smartcards, but instead of requiring the purchase of additional hardware, they use technology that users already own. They offer the same properties: non-exportability (key material on the card cannot be extracted from the device), isolated cryptography (cryptographic operations are performed inside the TPM, so private keys are never exposed to the operating system) and anti-hammering (to defeat brute-force attacks on the PIN). The primary difference is that private keys are protected by the TPM of the PC instead of by smartcard media: not by the isolation of physical memory on a card, but by the physical isolation and cryptographic capabilities of the TPM.
“There are compelling reasons why organizations should give serious thought to upgrading to virtual smartcards, rather than tokens or physical smartcards, to address their modern access control requirements,” said Steven Sprague, CEO for Wave Systems. “These older forms of user authentication come with significant acquisition and replacement costs, plus additional hardware such as card readers. Virtual smartcards can be enabled on any machine running Windows 7 today—without procurement expenses.”
Implementing virtual smartcards means employees never have to type domain credentials into their device, effectively providing two layers of protection against credential-stealing attacks.
- Depending on policy, user name and password may never need to be used—so it’s virtually impossible to steal them.
- It’s much more difficult to target user name and password as a means of attack, as they would only be one authentication factor.
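The two points above can be verified on the domain controller side rather than taken on faith. As an added example that is not part of the Wave release or of its product, the Python below classifies Windows Security event 4768 (Kerberos authentication ticket requested) records by pre-authentication type: type 2 (PA-ENC-TIMESTAMP) means a password-derived key was used, while types 15 and 16 (PKINIT) mean a certificate, i.e. a smartcard or virtual smartcard. The flattened field layout, the log lines, the account names and the "smartcard required" policy set are all constructed for illustration.

```python
"""
Added example, not from the Wave Systems release: separate certificate-based
(PKINIT) Kerberos logons from password-based ones in event 4768 records, and
flag accounts that should never present a password but did.

Pre-authentication types (Kerberos PA-DATA, as shown in event 4768):
  2  = PA-ENC-TIMESTAMP  -> password-derived key
  15 = PA-PK-AS-REP_OLD  -> PKINIT (certificate)
  16 = PA-PK-AS-REQ      -> PKINIT (certificate)
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

PKINIT_TYPES = {15, 16}
PASSWORD_TYPE = 2

# Constructed sample: 4768 fields flattened onto one line per event.
# Real events are XML/EVTX; this layout is only for the example.
SAMPLE_EVENTS = """\
EventID=4768 Account Name=jdoe Client Address=::ffff:10.0.0.12 Pre-Authentication Type=16 Result Code=0x0
EventID=4768 Account Name=svc_backup Client Address=::ffff:10.0.0.40 Pre-Authentication Type=2 Result Code=0x0
EventID=4768 Account Name=asmith Client Address=::ffff:10.0.0.33 Pre-Authentication Type=2 Result Code=0x18
EventID=4768 Account Name=bwayne Client Address=::ffff:10.0.0.51 Pre-Authentication Type=15 Result Code=0x0
EventID=4769 Account Name=jdoe Client Address=::ffff:10.0.0.12 Service Name=cifs/fs01 Result Code=0x0
"""

# "Key With Spaces=value" pairs; keys may contain spaces and hyphens.
FIELD_RE = re.compile(r"(?P<key>[A-Za-z -]+?)=(?P<value>\S+)")


@dataclass
class TgtRequest:
    account: str
    pre_auth_type: int
    client_ip: str
    kind: str  # "certificate", "password" or "other"


def parse_event(line: str) -> Dict[str, str]:
    """Split one flattened event line into a field dictionary."""
    return {m.group("key").strip(): m.group("value") for m in FIELD_RE.finditer(line)}


def classify(fields: Dict[str, str]) -> Optional[TgtRequest]:
    """Return a TgtRequest for 4768 events, None for anything else."""
    if fields.get("EventID") != "4768":
        return None
    pa_type = int(fields.get("Pre-Authentication Type", "-1"))
    if pa_type in PKINIT_TYPES:
        kind = "certificate"
    elif pa_type == PASSWORD_TYPE:
        kind = "password"
    else:
        kind = "other"
    return TgtRequest(fields["Account Name"], pa_type, fields.get("Client Address", ""), kind)


def audit(log: str, smartcard_required: Set[str]) -> Dict[str, List[str]]:
    """Bucket TGT requests by authentication kind and list policy violations.

    A password-type request for an account in `smartcard_required` is flagged
    whether or not it succeeded: the attempt alone shows that a password for an
    account that should never use one is being presented to the KDC.
    """
    report: Dict[str, List[str]] = {"certificate": [], "password": [], "other": [], "policy_violations": []}
    for line in log.splitlines():
        req = classify(parse_event(line))
        if req is None:
            continue
        report[req.kind].append(req.account)
        if req.kind == "password" and req.account in smartcard_required:
            report["policy_violations"].append(req.account)
    return report


if __name__ == "__main__":
    # Constructed policy: these accounts are expected to log on with a virtual smartcard.
    result = audit(SAMPLE_EVENTS, {"jdoe", "asmith", "bwayne"})
    for bucket, accounts in result.items():
        print(f"{bucket:18s} {accounts}")
```

In a real deployment the same classification would run over events exported from the domain controllers; a non-empty `policy_violations` list is the signal that a password is still in circulation for an account the virtual smartcard rollout was supposed to take passwords away from.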
Making Device ID the Cornerstone of Enterprise Network Security
Virtual smartcards provide added security by identifying both the user and the device. The user’s possession of his or her PC serves as the equivalent of holding the smartcard, because the smartcard is “loaded by default.”
“The organization that employs virtual smartcards has taken the very important step of managing device identity—a fundamental shift in network security. It puts the focus on the identity of the device and out of the hands of the user. Tomorrow’s network starts with device ID.”