
Ask HN: How secure is smartcard technology with securing laptops or any device? - at-fates-hands
I work at a large corporation who just spent a ton of money upgrading everybody's laptop to new HP models that allow the use of smartcard technology.

I'm wondering how secure this method is of securing your laptop or any device that uses this technology.
======
Someone1234
Smartcards can be used in one of three ways:

- Secure the physical device (i.e. if no valid smartcard is provided the
laptop won't boot, and the drive cannot be decrypted). This is rarely used as
it is a PITA to set up/manage, is vendor specific, and duplicates what Windows
provides anyway. This is what HP calls their "ProtectTools."

- Windows authentication: Active Directory can be configured to force certain
devices (e.g. off-site laptops) to require a smartcard and to validate the
smartcard during login. This stops someone attempting to authenticate with AD
or log in to the laptop without the smartcard. Combined with BitLocker, it is
fairly effective.

- VPN authentication: This is extremely common. In order to get onto the
corporate network you need a smartcard in addition to credentials. This means
you physically need the business's hardware to even attempt to break into the
VPN (even with stolen credentials).

Many businesses that deploy smartcards are doing #2 or #3, with #3 (VPN) being
by far the most common. Combined with BitLocker full drive encryption, and
policies that force a password on each wake, it is "good enough" security for
all but top-secret levels (and those shouldn't be off-site regardless).

So in answer to your question "secure enough." More secure than not having it.

------
signaler
"I'm wondering how secure this method is"

Well this depends on whether the firmware has been scrutinized and hardened
over time, similar to how Yubikeys just get better and better. FIDO and other
initiatives are more secure because they have more eyeballs on them.

