Windows Smart Card Logon Using Feitian ePass2003 PKI Cards and Tokens

Nick Smith | 8 January 2021
Authentication PKI Smart cards

Windows logon using smart cards and tokens significantly improves the login security for domain user accounts. This post provides an overview of smart card logon and the hardware options available from Microcosm.

Using smart cards and security tokens for Windows domain logon is a highly secure authentication method.

What are Smart Cards?

Smart cards are tamper-resistant portable storage devices used to securely store digital identity information. Using smart cards can enhance the security of tasks such as user authentication, code signing and sending encrypted or digitally signed e-mails.

In this article we will concentrate on their use for enhancing the security of Windows domain logon.

Why Use Smart Cards for Logon?

Smart cards offer a more secure means of authentication than a traditional password logon. When you sign in to a Windows domain account using a smart card, the operating system uses Kerberos v5 authentication with X.509v3 certificates.

Smart cards provide:

  • Tamper-resistant storage for protecting private keys and other forms of personal identity information.
  • Isolation of security-critical functions that facilitate authentication, digital signatures, and key exchange from other parts of the computer. These functions use computations that are performed on the smart card.
  • Portability of security credentials between computers at work, home and on the move.

Authentication using a smart card requires the user to enter the card PIN at authentication time. This PIN, together with the physical card containing the user's digital identity, provides a form of two-factor authentication.

USB security keys that use smart card technology internally are also available. They can be used for Windows smart card logon and remove the need for a separate card reader.

View our range of PKI authentication tokens

Smart Card Logon in Microsoft Windows

Smart cards can be used to easily sign in to Windows domain accounts. To log on to Windows using a smart card a user must:

  1. Present the smart card to the card reader, or attach the USB security token to the computer.
  2. Choose the Smart card option from the user list on the logon screen (see screenshot below). The identity of the user logging in is obtained automatically from the certificate presented by the smart card.
  3. Enter the PIN of the smart card or security token when prompted.

Using a smart card to log on to a Windows domain computer
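
The certificate presented in step 2 is what ties the card or token to a domain account. As an added example (not from the original article, Feitian or Microcosm), the PowerShell below checks the certificates in the current user's Personal store against what Windows smart card logon expects. It assumes the default mapping, in which the account is taken from the UPN in the Subject Alternative Name and the certificate carries the Smart Card Logon EKU; the function name `Test-SmartCardLogonCertificate` is hypothetical.

```powershell
# Added example: report which certificates in the current user's Personal store
# look usable for Windows smart card logon.
# Assumption: default domain policy (Smart Card Logon EKU required, account
# mapped from the UPN in the Subject Alternative Name).
$SmartCardLogonOid = '1.3.6.1.4.1.311.20.2.2'   # Smart Card Logon EKU

function Test-SmartCardLogonCertificate {
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate
    )
    process {
        # Collect the EKU OIDs from the Enhanced Key Usage extension, if present.
        $ekus = @($Certificate.Extensions |
            Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
            ForEach-Object { $_.EnhancedKeyUsages } |
            ForEach-Object { $_.Value })

        # UPN taken from the Subject Alternative Name; empty string when absent.
        $upn = $Certificate.GetNameInfo(
            [System.Security.Cryptography.X509Certificates.X509NameType]::UpnName, $false)

        $now = Get-Date
        $problems = @()
        if (-not $Certificate.HasPrivateKey)       { $problems += 'no private key reference' }
        if ($ekus -notcontains $SmartCardLogonOid) { $problems += 'Smart Card Logon EKU missing' }
        if ([string]::IsNullOrEmpty($upn))         { $problems += 'no UPN in Subject Alternative Name' }
        if ($now -lt $Certificate.NotBefore -or $now -gt $Certificate.NotAfter) {
            $problems += 'outside validity period'
        }

        [pscustomobject]@{
            Subject    = $Certificate.Subject
            Upn        = $upn
            NotAfter   = $Certificate.NotAfter
            Thumbprint = $Certificate.Thumbprint
            LogonReady = ($problems.Count -eq 0)
            Problems   = $problems -join '; '
        }
    }
}

# Run with the card or token inserted so its certificates are present in the store.
Get-ChildItem Cert:\CurrentUser\My | Test-SmartCardLogonCertificate | Format-List
```

A certificate that reports `LogonReady : True` still has to chain to a CA the domain controllers trust for smart card logon; this check covers only the certificate's own fields.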

Why choose Feitian ePass2003 cards and tokens?

Feitian have been manufacturing secure PKI tokens since the early 2000s and their cards/tokens are highly regarded in the industry.

Feitian ePass2003 cards and tokens can be integrated with Windows logon and other Microsoft tools like MS Office for tasks such as the digital signing of documents. The software installation package offers a choice of Cryptographic Service Provider (CSP): you can choose the vendor-specific CSP, or a Smart Card Minidriver, which allows the cards and tokens to be used via the Microsoft Base CSP.

A range of cards and tokens is available to suit varying requirements:

ePass2003 PKI token for secure Windows Smart Card logon using digital certificates

ePass2003 USB Token

  • FIPS 140-2 Level 3
  • Supports Microsoft CAPI and CNG
  • X.509 v3 Certificate Storage

View ePass2003 specification

Small form factor USB PKI token for Windows domain logon

Mini USB PKI Token

  • Small form factor
  • Supports Microsoft CAPI and CNG
  • X.509 v3 Certificate Storage

View Mini USB PKI Token specification

PKI Smart Card for Windows Logon and digital signing and encryption

PKI Smart Card

  • Credit card size (ID-1)
  • Contactless (NFC)
  • Supports Microsoft CAPI and CNG
  • X.509 v3 Certificate Storage

View PKI Smart Card specification