A Guide to Smart Card Authentication With Google Workspace
What is PIV Smart Card Authentication?
Phishing remains a primary reason for data breaches in the K-12 environment, so it’s important for networks to adopt phishing-resistant multi-factor authentication. A good solution for robust MFA is a smart card.
A smart card is a general term for a physical security token that can be configured to authenticate to a network via a number of authentication methods. It’s common for smart cards to support Personal Identity Verification (PIV), which is a security standard detailed in NIST FIPS 201-2 that creates a framework for multi-factor authentication (MFA).
A PIV smart card can be used either as a primary factor of authentication or as one step of multifactor authentication (MFA). They can be configured to authenticate for Wi-Fi access, desktop login, VPN login, SSO, or really any application. A smart card’s security is enhanced further when enabled with an X.509 digital certificate
How Does A Smart Card Work?
Smart cards are basically used to provide a physical element to authentication. A “key” that you can store securely in physical form proves to be safer than passwords or credentials stored in a virtual space. A smart card requires you to perform a deliberate action to prove your identity making it a critical factor for MFA.
Types Of Smart Card
The term “smart card” could be pretty confusing as it can be used to describe a lot of different devices with varied forms and functionalities. However, some smart cards have been described here for a quick understanding.
Smart Card Chips
- Memory cards are mostly found in single-use products and can store small amounts of data. Not a robust option.
- Microprocessor: When you think of a smart card, you may think of a microprocessor, which is nothing but a tiny computer. However, many smart cards are crypto-processors embedded with cryptographic entities, for advanced authentication like MFA and digital certificates.
Smart Card Interface Types
1. Contact-based smart cards
Most of your credit, debit and SIM cards have information stored on their contact plate and require physical contact with a card reader. Upon insertion into a smart card reader, electricity is transferred to power up the smart card and sends data to the interface.
2. Contactless smart cards
A contactless smart card is exactly what it says – “contactless” – and you may have seen them at a supermarket or convenience store. A contactless card looks similar to a contact-based smart card and communicates via Near Field Contact (NFC) by conducting electricity from ambient energy generated through the communication channel.
Functions as a contact and a contactless smart card, however, both interfaces are connected to separate chips with individual components.
4. Dual Interface
Functions as a contact-based and contactless smart card, and have shared modules and storage. A modern debit or a credit card is a perfect example of a dual-interface smart card.
Smart cards like hardware security keys (Yubikeys) have a USB interface to bypass the need for a reader. They support a variety of common interfaces, such as micro-USB, USB-B, USB-C, Lightening Ports, and more.
For the purpose of this article, we are looking at security keys – using Yubikey as an example since SecureW2 is an official Yubikey Partner. Yubikeys are security keys with multiple factors of authentication included in one device. The standard model is NFC enabled and needs a two-factor process that requires you to insert it into a supported USB device AND touch the key to verify yourself.
As an administrator, you can enter user information and attributes into an X.509 certificate that could act as credentials for identity authentication. Certificates can be installed ona number of devices, but a security key is a popular option to store digital certificates for additional security and convenience.
Let’s examine the benefits of PIV smart card authentication over credentials, the process to set up sign-in with smart cards on a Chromebook, and how SecureW2 helps you with hassle-free solutions for smart card setup for RADIUS authentication.
Benefits of Certificate-based Smart Card Authentication for Google Workspace
Here are some benefits of using PIV smart card authentication for Google Workspace:
- Secure Credentials– Smart cards contain physically secured micro cryptoprocessors, hardware designed to cryptographically secure the private keys stored on the device. The alternative of storing keys in a software “vault” is far less secure.
- Tamper-resistant– Smart cards like Yubikeys are tamper-proof and it’s impossible to counterfeit or clone them. Part of the reason is that a smart card can also perform attestation, i.e. sign the certificate to verify its origin. Attestation is the proof of the origin of a certificate and that it is uncompromised.
- Using Google identity for authentication– A user identity can be securely transferred to a smart card for authentication via certificate, enabling it as another factor of authentication for MFA or removing the need to remember passwords.
- Phishing-resistant- Passwords are susceptible to phishing but a smart card is truly phishing resistant as users have to initiate authentication by physically touching the device.
How to Configure Smart Card Sign-in for Google Workspace
As a system administrator, you can enable users to sign in to managed devices in your organization via a smart card. Google support has enumerated the following steps to help users sign in with their security keys (Yubikeys). To support smart-card sign-in, you will require
- Chrome Enterprise for a managed device
- A SAML Identity provider (idP) to support smart cards.
- Smart card Connector app and smart card middleware app
Sign-in Setup using Smart Card
- Configure your SAML identity provider
Configure SAML identity providers like Google Workspace with the designated user accounts for smart card-based authentication.
- Configure SAML SSO in the Admin Console
Enable the domain-appropriate SAML SSO in the admin console.
- Force Install the login screen apps.
Force install the smart card connector app and the middleware app in the Login tab.
- Configure the login screen app
Now, configure the smart card app and allow the middleware app by adding the following configuration to the smart card Connector app:
- Auto-select certificates at the time of sign-in
To auto-select certificates, Google recommends the use of DriveLock middleware parameter filter_auth_cert to automatically filter authentication certificates where PIV cards are used. This does not impact other cards.
Using SecureW2 to extend Google identities to Smart Card authentication
Implementing smart card authentication is a breeze with SecureW2. Wondering how?
For a start, it is a daunting task to get cloud directories as Google or Azure integrated with your whole network and app ecosystem, particularly if you have any on-prem components. With SecureW2, we use your existing infrastructure and fill the gaps in your network architecture and allow a user to use their cloud identity for authentication. SecureW2s managed PKI software binds a certificate to a user’s smart card, which is unique and can’t be tampered with.
If you are looking at smart card authentication options for your managed devices, then SecureW2 has the right solutions for you. Click here to learn more about our pricing options for your organization.