Virtual Smart Cards in Windows 8

Q: What exactly are Virtual Smart Cards (VSCs) that Microsoft supports in Windows 8? How are they different from traditional physical smart cards?

A: VSCs allow users who have a Windows 8 computer equipped with a Trusted Platform Module (TPM) chip that meets the TPM 1.2 specification to leverage the benefits of physical smart card logon without making an investment in smart card hardware and without the possibility of losing their card. Windows 8 VSCs are based on a software construct that emulates a smart card on the OS level. VSCs appear to Windows 8 the same way they would as physical smart cards, and they use the same application-level APIs. For a user, logging on with a VSC is as easy as logging on with a password; all he has to do is enter his PIN (there's no need to insert a physical card in a card reader or connect a USB token).

Like traditional physical smart cards, VSCs provide a two-factor authentication mechanism. Physical smart cards are physical objects and clearly provide a "something you have" authentication factor. With VSCs there is also always a hardware element involved: the TPM. Just like physical smart cards, VSCs are always used in conjunction with a "something you know" (e.g., a password or a PIN) authentication factor to complete the two-factor authentication.

VSCs are secure because even though the private keys the VSC holds are physically stored on the computer's hard drive, the keys are encrypted using a secret that is securely stored on the TPM, which is tamperproof. A direct consequence of using the TPM is that you cannot move a VSC to a different computer. This is because only a local machine's TPM that encrypted the keys is able to use them. That also means users cannot use the same VSC from multiple machines and attackers cannot remove the hard drive to get access to the VSC and its private keys. This non-exportability is also an important security characteristic of physical smart cards: The information stored on a physical card cannot be extracted to be used somewhere else.

Windows 8 and its applications see a VSC as being always inserted in a virtual card reader. This means that unlike with physical smart cards, administrators cannot set a policy to automatically log the user off when the card is removed. Like physical smart cards, VSCs will lock out a user who enters an incorrect PIN a specified number of times.

You can find more information on Windows 8 VSCs in the "Understanding and Evaluating Virtual Smart Cards" white paper.