mirror of
https://github.com/MicrosoftDocs/windows-itpro-docs.git
synced 2025-06-19 20:33:42 +00:00
acrolinx
@ -1,6 +1,6 @@
|
|||||||
---
|
---
|
||||||
title: Understanding and Evaluating Virtual Smart Cards (Windows 10)
|
title: Understanding and Evaluating Virtual Smart Cards
|
||||||
description: Learn how smart card technology can fit into your authentication design. Find links to additional topics about virtual smart cards.
|
description: Learn how smart card technology can fit into your authentication design.
|
||||||
ms.prod: windows-client
|
ms.prod: windows-client
|
||||||
ms.topic: conceptual
|
ms.topic: conceptual
|
||||||
ms.date: 02/22/2023
|
ms.date: 02/22/2023
|
||||||
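Review bot: `ms.date` is left at `02/22/2023` even though the title, description and body text change in this commit; the docs front matter convention is to bump `ms.date` whenever page content is edited, so it should be updated here. The shortened description also drops "Find links to additional topics about virtual smart cards", which is consistent with the "See also" section being removed later in the same commit; keep the two in sync if that removal is reverted.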
@ -9,11 +9,11 @@ appliesto:
|
|||||||
- ✅ <a href=https://learn.microsoft.com/windows/release-health/windows-server-release-info target=_blank>Windows Server 2016 and later</a>
|
- ✅ <a href=https://learn.microsoft.com/windows/release-health/windows-server-release-info target=_blank>Windows Server 2016 and later</a>
|
||||||
---
|
---
|
||||||
|
|
||||||
# Understanding and Evaluating Virtual Smart Cards
|
# Understand and Evaluate Virtual Smart Cards
|
||||||
|
|
||||||
[!INCLUDE [virtual-smart-card-deprecation-notice](../../includes/virtual-smart-card-deprecation-notice.md)]
|
[!INCLUDE [virtual-smart-card-deprecation-notice](../../includes/virtual-smart-card-deprecation-notice.md)]
|
||||||
|
|
||||||
This topic for the IT professional describes the virtual smart card technology that was developed by Microsoft; suggests how it can fit into your authentication design; and provides links to additional resources that you can use to design, deploy, and troubleshoot virtual smart cards.
|
This article describes the virtual smart card technology and how it can fit into your authentication design.
|
||||||
|
|
||||||
Virtual smart card technology uses cryptographic keys that are stored on computers that have the Trusted Platform Module (TPM) installed. Virtual smart cards offer comparable security benefits to conventional smart cards by using two-factor authentication. The technology also offers more convenience for users and has a lower cost to deploy. By utilizing TPM devices that provide the same cryptographic capabilities as conventional smart cards, virtual smart cards accomplish the three key properties that are desired for smart cards: non-exportability, isolated cryptography, and anti-hammering.
|
Virtual smart card technology uses cryptographic keys that are stored on computers that have the Trusted Platform Module (TPM) installed. Virtual smart cards offer comparable security benefits to conventional smart cards by using two-factor authentication. The technology also offers more convenience for users and has a lower cost to deploy. By utilizing TPM devices that provide the same cryptographic capabilities as conventional smart cards, virtual smart cards accomplish the three key properties that are desired for smart cards: non-exportability, isolated cryptography, and anti-hammering.
|
||||||
|
|
||||||
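Review bot: the H1 is changed to "Understand and Evaluate Virtual Smart Cards", but the front-matter `title` in the first hunk still reads "Understanding and Evaluating Virtual Smart Cards"; the page title and the H1 should use the same form. Since this is an Acrolinx pass, the unchanged paragraph's "By utilizing TPM devices ..." is also a likely flag; "By using TPM devices ..." is the usual replacement.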
@ -70,7 +70,7 @@ However, there are several advantages provided by virtual smart cards to mitigat
|
|||||||
|
|
||||||
If a company wants to deploy physical smart cards, they need to purchase smart cards and smart card readers for all employees. Although relatively inexpensive options can be found, options that ensure the three key properties of smart card security (most notably, non-exportability) are more expensive. If employees have computers with a built-in TPM, virtual smart cards can be deployed with no additional material costs. These computers and devices are relatively common in the market.
|
If a company wants to deploy physical smart cards, they need to purchase smart cards and smart card readers for all employees. Although relatively inexpensive options can be found, options that ensure the three key properties of smart card security (most notably, non-exportability) are more expensive. If employees have computers with a built-in TPM, virtual smart cards can be deployed with no additional material costs. These computers and devices are relatively common in the market.
|
||||||
|
|
||||||
Additionally, the maintenance cost of virtual smart cards is less than that for physical smart cards, which are easily lost, stolen, or broken from normal wear. TPM virtual smart cards are only lost or broken if the host computer or device is lost or broken, which in most cases is much less frequently.
|
The maintenance cost of virtual smart cards is less than that for physical smart cards, which are easily lost, stolen, or broken from normal wear. TPM virtual smart cards are only lost or broken if the host computer or device is lost or broken, which in most cases is much less frequently.
|
||||||
|
|
||||||
**Comparison summary**
|
**Comparison summary**
|
||||||
|
|
||||||
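Review bot: the retained sentence "TPM virtual smart cards are only lost or broken if the host computer or device is lost or broken, which in most cases is much less frequently." is ungrammatical ("is much less frequently"); suggest "which in most cases happens much less frequently." The preceding paragraph still says "with no additional material costs" while the table hunk below replaces "additional" with "other", so the wording choice should be applied consistently.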
@ -81,7 +81,7 @@ Additionally, the maintenance cost of virtual smart cards is less than that for
|
|||||||
| Guarantees non-exportability through the card manufacturer, which includes isolating private information from operating system access. | Guarantees non-exportability through the TPM manufacturer, which includes the inability of an adversary to replicate or remove the TPM. |
|
| Guarantees non-exportability through the card manufacturer, which includes isolating private information from operating system access. | Guarantees non-exportability through the TPM manufacturer, which includes the inability of an adversary to replicate or remove the TPM. |
|
||||||
| Performs and isolates cryptographic operations within the built-in capabilities of the card. | Performs and isolates cryptographic operations in the TPM of the user's computer or device. |
|
| Performs and isolates cryptographic operations within the built-in capabilities of the card. | Performs and isolates cryptographic operations in the TPM of the user's computer or device. |
|
||||||
| Provides anti-hammering through the card. After a certain number of failed PIN entry attempts, the card blocks further access until administrative action is taken. | Provides anti-hammering through the TPM. Successive failed attempts increase the device lockout time (the time the user has to wait before trying again). This can be reset by an administrator. |
|
| Provides anti-hammering through the card. After a certain number of failed PIN entry attempts, the card blocks further access until administrative action is taken. | Provides anti-hammering through the TPM. Successive failed attempts increase the device lockout time (the time the user has to wait before trying again). This can be reset by an administrator. |
|
||||||
| Requires that users carry their smart card and smart card reader with them to access network resources. | Allows users to access their TPM-enabled computers or devices, and potentially access the network, without additional equipment. |
|
| Requires that users carry their smart card and smart card reader with them to access network resources. | Allows users to access their TPM-enabled computers or devices, and potentially access the network, without other equipment. |
|
||||||
| Enables credential portability by inserting the smart card into smart card readers that are attached to other computers. | Prevents exporting credentials from a given computer or device. However, virtual smart cards can be issued for the same user on multiple computers or devices by using additional certificates. |
|
| Enables credential portability by inserting the smart card into smart card readers that are attached to other computers. | Prevents exporting credentials from a given computer or device. However, virtual smart cards can be issued for the same user on multiple computers or devices by using additional certificates. |
|
||||||
| Enables multiple users to access network resources through the same computer by inserting their personal smart cards. | Enables multiple users to access network resources through the same computer or device by issuing a virtual smart card for each user on that computer or device. |
|
| Enables multiple users to access network resources through the same computer by inserting their personal smart cards. | Enables multiple users to access network resources through the same computer or device by issuing a virtual smart card for each user on that computer or device. |
|
||||||
| Requires the user to carry the card, making it more difficult for an attacker to access the device and launch a hammering attempt. | Stores virtual smart card on the user's computer, which may be left unattended and allow a greater risk window for hammering attempts. |
|
| Requires the user to carry the card, making it more difficult for an attacker to access the device and launch a hammering attempt. | Stores virtual smart card on the user's computer, which may be left unattended and allow a greater risk window for hammering attempts. |
|
||||||
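Review bot: only one table row is changed ("without additional equipment" to "without other equipment"), while the next row keeps "by using additional certificates"; if the word is being replaced for style, both rows should change. Two nearby cells also merit the same pass: "This can be reset by an administrator." (passive; "An administrator can reset the lockout.") and "Stores virtual smart card on the user's computer" (missing article; "Stores the virtual smart card on the user's computer").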
@ -102,36 +102,24 @@ Password authentication places a great deal of responsibility on the user. Passw
|
|||||||
|
|
||||||
**One-time passwords**
|
**One-time passwords**
|
||||||
|
|
||||||
A one-time password (OTP) is similar to a traditional password, but it's more secure in that it can be used only once to authenticate a user. The method for determining each new password varies by implementation. However, assuming a secure deployment of each new password, OTPs have several advantages over the classic password model of authentication. Most importantly, if a given OTP token is intercepted in transmission between the user and the system, the interceptor can't use it for any future transactions. Similarly, if a malicious user obtains a valid user's OTP, the interceptor will have limited access to the system (only one session).
|
A one-time password (OTP) is similar to a traditional password, but it's more secure in that it can be used only once to authenticate a user. The method for determining each new password varies by implementation. Assuming a secure deployment of each new password, OTPs have several advantages over the classic password model of authentication. Most importantly, if a given OTP token is intercepted in transmission between the user and the system, the interceptor can't use it for any future transactions. Similarly, if a malicious user obtains a valid user's OTP, the interceptor will have limited access to the system (only one session).
|
||||||
|
|
||||||
**Smart cards**
|
**Smart cards**
|
||||||
|
|
||||||
Smart cards are physical authentication devices, which improve on the concept of a password by requiring that users actually have their smart card device with them to access the system, in addition to knowing the PIN that provides access to the smart card. Smart cards have three key properties that help maintain their security:
|
Smart cards are physical authentication devices, which improve on the concept of a password by requiring that users actually have their smart card device with them to access the system, in addition to knowing the PIN that provides access to the smart card. Smart cards have three key properties that help maintain their security:
|
||||||
|
|
||||||
- **Non-exportability**: Information stored on the card, such as the user's private keys, can't be extracted from one device and used in another medium.
|
- **Non-exportability**: Information stored on the card, such as the user's private keys, can't be extracted from one device and used in another medium
|
||||||
|
- **Isolated cryptography**: Any cryptographic operations that are related to the card (such as secure encryption and decryption of data) occur in a cryptographic processor on the card, so malicious software on the host computer can't observe the transactions
|
||||||
|
- **Anti-hammering**: To prevent access to the card by a brute-force attack, a set number of consecutive unsuccessful PIN entry attempts blocks the card until administrative action is taken
|
||||||
|
|
||||||
- **Isolated cryptography**: Any cryptographic operations that are related to the card (such as secure encryption and decryption of data) occur in a cryptographic processor on the card, so malicious software on the host computer can't observe the transactions.
|
Smart cards provide greatly enhanced security over passwords alone, because it's much more difficult for a malicious user to gain and maintain access to a system. Most importantly, access to a smart card system requires that users have a valid card and that they know the PIN that provides access to that card. It's difficult for a thief to acquire the card and the PIN.
|
||||||
|
|
||||||
- **Anti-hammering**: To prevent access to the card by a brute-force attack, a set number of consecutive unsuccessful PIN entry attempts blocks the card until administrative action is taken.
|
|
||||||
|
|
||||||
Smart cards provide greatly enhanced security over passwords alone, because it's much more difficult for a malicious user to gain and maintain access to a system. Most importantly, access to a smart card system requires that users have a valid card and that they know the PIN that provides access to that card. It is extremely difficult for a thief to acquire the card and the PIN.
|
|
||||||
|
|
||||||
Additional security is achieved by the singular nature of the card because only one copy of the card exists, only one individual can use the sign-in credentials, and users will quickly notice if the card has been lost or stolen. This greatly reduces the risk window of credential theft when compared to using a password alone.
|
Additional security is achieved by the singular nature of the card because only one copy of the card exists, only one individual can use the sign-in credentials, and users will quickly notice if the card has been lost or stolen. This greatly reduces the risk window of credential theft when compared to using a password alone.
|
||||||
|
|
||||||
Unfortunately, this additional security comes with added material and support costs. Traditional smart cards are expensive to purchase (cards and card readers must be supplied to employees), and they also can be easily misplaced or stolen.
|
The additional security comes with added material and support costs. Traditional smart cards are expensive to purchase (cards and card readers must be supplied to employees), and users can misplace or lose them.
|
||||||
|
|
||||||
**Virtual smart cards**
|
**Virtual smart cards**
|
||||||
|
|
||||||
To address these issues, virtual smart cards emulate the functionality of traditional smart cards, but instead of requiring the purchase of additional hardware, they utilize technology that users already own and are more likely to have with them at all times. Theoretically, any device that can provide the three key properties of smart cards (non-exportability, isolated cryptography, and anti-hammering) can be commissioned as a virtual smart card. However, the virtual smart card platform developed by Microsoft is currently limited to the use of the Trusted Platform Module (TPM) chip, which is installed on most modern computers.
|
Virtual smart cards emulate the functionality of traditional smart cards. Instead of requiring the purchase of additional hardware, virtual smart cards utilize technology that users already own and are more likely to always have with them. Theoretically, any device that can provide the three key properties of smart cards (non-exportability, isolated cryptography, and anti-hammering) can be commissioned as a virtual smart card. The virtual smart card platform is limited to the use of the Trusted Platform Module (TPM) chip, which is on most modern devices.
|
||||||
|
|
||||||
Virtual smart cards that utilize a TPM provide the three main security principles of traditional smart cards (non-exportability, isolated cryptography, and anti-hammering). They're also less expensive to implement and more convenient for users. Because many corporate computers already have a built-in TPM, there's no cost associated with purchasing new hardware. The user's possession of a computer or device is equivalent to the possession of a smart card, and a user's identity can't be assumed from any other computer or device without administrative provisioning of further credentials. Thus, two-factor authentication is achieved because the user must have a computer that is set up with a virtual smart card and know the PIN to use the virtual smart card.
|
Virtual smart cards that utilize a TPM provide the three main security principles of traditional smart cards: non-exportability, isolated cryptography, and anti-hammering. Virtual smart cards are less expensive to implement and more convenient for users. Since many corporate computers already have a built-in TPM, there's no cost associated with purchasing new hardware. The user's possession of a computer or device is equivalent to the possession of a smart card, and a user's identity can't be assumed from any other computer or device without administrative provisioning of further credentials. Thus, two-factor authentication is achieved because the user must have a computer that is set up with a virtual smart card and know the PIN to use the virtual smart card.
|
||||||
|
|
||||||
## See also
|
|
||||||
|
|
||||||
- [Get Started with Virtual Smart Cards: Walkthrough Guide](virtual-smart-card-get-started.md)
|
|
||||||
|
|
||||||
- [Use Virtual Smart Cards](virtual-smart-card-use-virtual-smart-cards.md)
|
|
||||||
|
|
||||||
- [Deploy Virtual Smart Cards](virtual-smart-card-deploy-virtual-smart-cards.md)
|
|
||||||
|
|
||||||
- [Evaluate Virtual Smart Card Security](virtual-smart-card-evaluate-security.md)
|
|
||||||
|
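Review bot: the rewrite of the smart card cost sentence changes "they also can be easily misplaced or stolen" to "users can misplace or lose them", which drops the theft risk; since the comparison table in the previous hunk still lists cards as "easily lost, stolen, or broken", the new sentence should keep "stolen" (for example "users can misplace them, or they can be stolen"). In the closing paragraph, "Since many corporate computers already have a built-in TPM" uses "since" causally; "Because" is the clearer choice. Finally, the entire "See also" section with its four links (get started, use, deploy, evaluate security) is removed and the anti-hammering bullet plus the "Smart cards provide..." paragraph are moved rather than edited; confirm the link removal is intentional, as these were the page's only pointers to the rest of the virtual smart card set.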