Smart Cards & Hardware Tokens
Status: Scaffold — content in progress
Hardware-based authentication uses a physical device to hold private key material that cannot be exported. It provides strong authentication resistant to credential theft.
Types
| Type | Standard | Use Case |
|---|---|---|
| PIV Smart Card | NIST SP 800-73 | US Government, enterprise |
| YubiKey (PIV mode) | PIV + FIDO2 + OTP | Enterprise MFA |
| YubiKey (FIDO2) | FIDO2 / WebAuthn | Web authentication |
| TPM (Trusted Platform Module) | TPM 2.0 | Device binding, key storage |
| HSM | PKCS#11 | Server-side key storage |
Smart Card Authentication Flow (Windows)
- User inserts card + enters PIN (PIN unlocks private key on card)
- Windows sends challenge to card
- Card signs challenge with private key (key never leaves card)
- Kerberos PKINIT: signature presented to DC → TGT issued
Attack Limitations
- Private key cannot be exported from hardware token
- PIN brute-force protection (lockout after N failures)
- Caveat: certificates can still be abused if the CA is compromised (Golden Ticket equivalent via PKINIT)
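The challenge-response flow above and the two limitations just listed (non-exportable key, PIN lockout) as an added Go model, not code from the original note: the private key is held in an unexported field with no accessor, signing is gated on a PIN with a retry counter, and the verifier checks a fresh random challenge against the card's public key only. `Card`, `NewCard`, `VerifyPIN`, `Sign` and `Authenticate` are this example's own names; the struct stands in for the card's PIV applet, and, like a real card, `Sign` takes a pre-hashed digest.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// Card models a PIV-style token. Pub is exported because it is public (it sits in the
// card's certificate); priv has no accessor, so it only ever leaves as a signature.
type Card struct {
	Pub                  *ecdsa.PublicKey
	priv                 *ecdsa.PrivateKey
	pin                  string
	unlocked             bool
	failures, maxRetries int
}
func NewCard(pin string, maxRetries int) (*Card, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { return nil, err }
	return &Card{Pub: &priv.PublicKey, priv: priv, pin: pin, maxRetries: maxRetries}, nil
}

// VerifyPIN unlocks the key (step 1). Once failures reach maxRetries the card refuses
// every further attempt, right PIN or wrong: that is the brute-force protection.
func (c *Card) VerifyPIN(pin string) error {
	if c.failures >= c.maxRetries { return errors.New("card locked: retry counter exhausted") }
	if pin != c.pin { c.failures++; return errors.New("wrong PIN") }
	c.failures, c.unlocked = 0, true
	return nil
}

// Sign answers a challenge digest (step 3); it is the only operation that touches priv.
func (c *Card) Sign(digest []byte) ([]byte, error) {
	if !c.unlocked { return nil, errors.New("PIN required before signing") }
	return ecdsa.SignASN1(rand.Reader, c.priv, digest)
}

// Authenticate is the verifier side (steps 2 and 4): fresh random challenge, then the
// signature is checked against the public key from the certificate, never against priv.
func Authenticate(card *Card, pub *ecdsa.PublicKey) (bool, error) {
	challenge := make([]byte, 32)
	if _, err := rand.Read(challenge); err != nil { return false, err }
	digest := sha256.Sum256(challenge)
	sig, err := card.Sign(digest[:])
	if err != nil { return false, err }
	return ecdsa.VerifyASN1(pub, digest[:], sig), nil
}
```

A real domain controller would additionally validate the certificate chain to a trusted CA, which is exactly the step the caveat above is about: the hardware protects the key, not the trust decision.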
Cross-Links
| Topic | Link |
|---|---|
| PKI Overview | pki-overview |
| ADCS | adcs |