We've been using smart cards for about 5 years. We use the RSA card with RSA Passage on the desktop. Passage doesn't use certificates; it uses RSA encryption just to encrypt your login credentials. The Passage software replaces the login GINA, which is what "forces" the smart card usage.
Our cards are also used for building access, so users don't forget too often. When they do, they have to go to security and get a loaner card; the card only gets them through some doors and is not customized to them (negative reinforcement training to not forget, ha ha ha). Then, when they try to log in, they have to set a card PIN and enter their credentials to initialize for the day. If someone travels and forgets their card, they have to get their spouse to bring it to the office and we will FedEx it, or the spouse can send it overnight (but we don't pay). It happened a bit at first, but rarely now.

We are looking at moving to certificates. Certificates work much better when also trying to do user-based 802.1X. However, that easy self-enrollment of a loaner card becomes more of an issue that I haven't resolved yet.

On Mon, Mar 8, 2010 at 1:54 PM, Malcolm Reitz <malcolm.re...@live.com> wrote:

> Anyone out there using smart cards for account logon? We’re considering implementing some form of two-factor authentication; initially just for highly-privileged accounts such as domain admins, and I’m favoring certificate-based smart cards. So, I’d love to hear any stories of real-life smart card usage anyone has. Technically, the implementation seems straightforward (I have done it in our lab), but I’m concerned about the operational issues such as how to provision the cards in our geographically-dispersed company, how often people forget/lose their cards and what is done in such situations, and so forth.
>
> Thanks,
>
> -Malcolm
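Malcolm's plan is to start with highly-privileged accounts such as domain admins. Once the cards are issued, the part that actually enforces two-factor logon in Active Directory is the "Smart card is required for interactive logon" flag (the SMARTCARD_REQUIRED bit, 0x40000, in userAccountControl) on each account; a card a user can simply not use is not a second factor. The following audit script is an added example for this thread, not something from the original posts or from RSA Passage. It assumes the RSAT ActiveDirectory PowerShell module is installed and that the group names match the default built-in groups; adjust them for your domain.

```powershell
# Added audit example (not from the thread). Assumes the RSAT ActiveDirectory
# module is available and the caller can read group membership and user objects.
Import-Module ActiveDirectory

# SMARTCARD_REQUIRED bit of userAccountControl (0x40000 = 262144).
$SmartcardRequiredFlag = 0x40000

function Get-PrivilegedSmartcardStatus {
    param(
        # Groups whose members are expected to be forced onto smart card logon.
        # Default names are the built-in groups; change them for your environment.
        [string[]]$Groups = @('Domain Admins', 'Enterprise Admins', 'Schema Admins')
    )
    foreach ($group in $Groups) {
        # -Recursive expands nested groups; keep only user objects (skip computers/groups).
        Get-ADGroupMember -Identity $group -Recursive |
            Where-Object { $_.objectClass -eq 'user' } |
            Get-ADUser -Properties SmartcardLogonRequired, userAccountControl, Enabled |
            ForEach-Object {
                [pscustomobject]@{
                    Group                  = $group
                    SamAccountName         = $_.SamAccountName
                    Enabled                = $_.Enabled
                    SmartcardLogonRequired = $_.SmartcardLogonRequired
                    # Cross-check the friendly property against the raw UAC bit.
                    UacBitSet              = (($_.userAccountControl -band $SmartcardRequiredFlag) -ne 0)
                }
            }
    }
}

# Report enabled privileged accounts that can still log on with a password alone.
Get-PrivilegedSmartcardStatus |
    Where-Object { $_.Enabled -and -not $_.SmartcardLogonRequired } |
    Sort-Object Group, SamAccountName |
    Format-Table -AutoSize
```

Run it from a workstation with RSAT; an empty table means every enabled member of the listed groups has the flag set. One caveat when you do set the flag: AD replaces the account's password with a random value, so any scripted or service use of that account breaks, which is usually the point for an admin account but worth checking before flipping it on.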