What's New in Smart Cards
Published: February 29, 2012
Updated: July 10, 2014
Applies To: Windows 8, Windows RT, Windows Server 2012
This document describes new smart card−related features on the Windows Server 2012, Windows 8, and Windows RT operating systems.
Smart cards together with personal identification numbers (PINs) are an increasingly popular, reliable, and cost-effective form of two-factor authentication. With the right controls in place, a user must have the smart card and know the PIN to gain access to network resources. The two-factor requirement significantly reduces the likelihood of unauthorized access to an organization’s network. Smart cards provide particularly effective security control for:
Authentication for scenarios such as remote access
Data integrity for scenarios such as document signing
Data confidentiality for scenarios that require encryption
Their use in additional scenarios, such as secure access to high-value applications, is likely to grow as organizations deploy a new generation of secure applications.
The following changes have been made to smart card support in Windows Server 2012, Windows 8, and Windows RT:
Virtual smart cards
Changes to the smart card sign-in experience
Smart Card Service start and stop behavior
Smart card transactions
Smart card support on Windows RT
Smart card support in Windows 8 applications
Virtual smart cards emulate the functionality of traditional smart cards, but they use the Trusted Platform Module (TPM) chip available on many organizations’ computers rather than requiring the use of a separate physical smart card and reader. Virtual smart cards involve technical, functional, security, and cost differences with conventional smart cards.
To the end user, the virtual smart card is a smart card that is always available on the computer. If a user needs to use more than one computer, a new virtual smart card must be issued to the user for each computer. Also, a computer that is shared among multiple users can host multiple virtual smart cards, one for each user.
Conventional smart cards and TPM virtual smart cards offer comparable levels of security. TPM virtual smart cards can be deployed with no additional material cost, as long as employees have computers with built-in TPMs. For more information, see Understanding and Evaluating Virtual Smart Cards.
For end users, the sign-in experience on Windows Server 2012 and Windows 8 has improved detection of whether a smart card reader was installed and whether a smart card or a password was used to sign in or unlock the computer the last time. If a smart card was not installed previously, and the user selects the smart card sign-in icon, a message appears telling the user to connect a smart card. After a card is connected, the smart card PIN dialog box appears. If the user does not want to use the sign-in option that automatically appears (if their smart card is not readily available, for example), a second message allows the user to select from different sign-in options.
Smart card reader detection logic has been added so that the Smart Card Service runs only when appropriate. On Windows Server 2012 and Windows 8, the Smart Card Service (scardsvr) automatically starts when the user connects a smart card reader and automatically stops when a user removes a smart card reader and no other smart card reader is connected to the computer. On startup, the Smart Card Service automatically starts if a reader was previously connected to the computer but a reader is not currently connected to the system. If no smart card readers are connected to the computer, the service will automatically shut down one minute after the last API call into the Smart Card Service. If a reader was never previously connected to the computer, the service will not start automatically.
On Windows Server 2012, Windows 8, and Windows RT, if a transaction is held on the card for more than 5 seconds with no operations happening on the card, the card is reset. This is a change from the behavior in previous releases.
For more information about this behavior, see SCardBeginTransaction function.
Smart card support for Windows RT includes the following:
Smart card readers
Only smart card readers that connect over USB and support the USB Chip/Smart Card Interface Devices (CCID) specification are allowed on Windows RT. Such smart card readers must use the USB CCID specification smart card reader class driver that comes with Windows RT.
Only smart cards that support the Generic Identity Device Specification (GIDS) or the Personal Identity Verification (PIV) standard are supported on Windows RT. The class drivers for cards based upon these specifications are included within Windows.
Windows 8 supports a number of new types of desktop applications. Developers who create applications that need the security benefits of smart cards must address the following requirements; otherwise, these applications cannot automatically use smart cards to support their functionality.
To use a smart card, applications running in AppContainer must have the SharedUserCertificates capability in their application manifest. Without this capability, the application will not be permitted to use a smart card for authentication, signing, or encryption. For information about this capability and how to include it in the manifest, see Setting certificate store capabilities.
For Windows RT applications, smart card support is limited to SSL client authentication. For a sample application that demonstrates the use of smart cards for SSL client authentication, see Windows Store app for banking: code walkthrough.