Without smart cards, a company uses one-factor authentication: users
authenticate by proving they know a secret that is shared with the
company Security Service, i.e., the user's password. Passwords are
known not to be very secure, as they can be lost, stolen, shared, or
guessed fairly easily.
Storing each user's long-term company key on a smart card introduces
a second authentication factor: users must not only prove they know a
secret (the password that unlocks the card), but must also prove they
have physical possession of the card (by presenting that password to
the card and retrieving the long-term key from it, which no other
device can do).
The use of two-factor authentication dramatically improves security.
Cards limit vulnerability to sharing, since a card can be in the
physical possession of only one individual at a time. They also
effectively remove vulnerability to guessing, since the secret proved
to the Security Service is a 56-bit random key rather than a
user-chosen password, so the dictionary and personal-information
guesses that work against passwords do not apply. Cards can be lost or
stolen, but without the accompanying card-access password they are not
usable. Should a card be lost or stolen, the owner is highly motivated
to report the loss promptly, since the owner cannot access the
computer system without it.
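The following model makes the two factors concrete. It is an added
example, not the scheme of the page or of the company it describes:
the card releases the long-term key only to someone who presents the
card-access password, and the Security Service checks possession of
that key with a random challenge so the key itself never crosses the
wire. Two details are assumptions, not taken from the text: the
response is an HMAC-SHA256 over the challenge (a stand-in for whatever
cipher the Security Service actually uses with its 56-bit keys), and
the card locks itself after three wrong passwords.

```python
"""Two-factor login with a password-protected smart card (illustrative model)."""
import hashlib
import hmac
import secrets
from typing import Dict, Optional

KEY_BYTES = 7  # the 56-bit random long-term key the text describes


class SmartCard:
    """The 'something you have': stores the long-term key and releases it
    only to someone who also knows the card-access password ('something
    you know')."""

    def __init__(self, long_term_key: bytes, card_password: str, max_attempts: int = 3):
        self._key = long_term_key
        self._password = card_password
        # Assumption, not stated on the page: the card locks itself after a
        # few wrong passwords, so the password cannot be guessed against it.
        self._attempts_left = max_attempts

    def retrieve_key(self, card_password: str) -> Optional[bytes]:
        if self._attempts_left == 0:
            return None  # locked: nothing comes out any more
        if not hmac.compare_digest(card_password.encode(), self._password.encode()):
            self._attempts_left -= 1
            return None
        return self._key


class SecurityService:
    """Holds a copy of every user's long-term key and checks possession of
    it with a fresh random challenge (HMAC-SHA256 is a stand-in here)."""

    def __init__(self) -> None:
        self._keys: Dict[str, bytes] = {}

    def enroll(self, user: str) -> bytes:
        key = secrets.token_bytes(KEY_BYTES)
        self._keys[user] = key
        return key  # written onto the user's card when it is issued

    def challenge(self) -> bytes:
        return secrets.token_bytes(16)

    def verify(self, user: str, challenge: bytes, response: bytes) -> bool:
        key = self._keys.get(user)
        if key is None:
            return False
        expected = hmac.new(key, challenge, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def login(service: SecurityService, user: str, card: SmartCard, card_password: str) -> bool:
    """Workstation side: unlock the card with the password, then answer the
    service's challenge with the key the card released."""
    key = card.retrieve_key(card_password)
    if key is None:
        return False  # wrong password or locked card: no key, no response
    nonce = service.challenge()
    response = hmac.new(key, nonce, hashlib.sha256).digest()
    return service.verify(user, nonce, response)


def demo() -> Dict[str, bool]:
    """Run the four scenarios the text argues about; constructed data only."""
    service = SecurityService()
    alice_card = SmartCard(service.enroll("alice"), card_password="correct horse")
    results: Dict[str, bool] = {}
    # Both factors present: accepted.
    results["card_and_password"] = login(service, "alice", alice_card, "correct horse")
    # Stolen card, password unknown: the card releases nothing.
    results["card_only"] = login(service, "alice", alice_card, "guess1")
    # Password known (shoulder-surfed) but no card: a forged card with a
    # random 56-bit key does not match what the service holds.
    forged = SmartCard(secrets.token_bytes(KEY_BYTES), card_password="correct horse")
    results["password_only"] = login(service, "alice", forged, "correct horse")
    # Keep guessing against the stolen card until it locks; afterwards even
    # the real password is refused.
    for guess in ("guess2", "guess3"):
        login(service, "alice", alice_card, guess)
    results["locked_card_real_password"] = login(service, "alice", alice_card, "correct horse")
    return results


if __name__ == "__main__":
    for scenario, accepted in demo().items():
        print(f"{scenario}: {'accepted' if accepted else 'rejected'}")
```

Only the first scenario succeeds; the other three show why neither
factor alone is enough, and why a lost card is worthless to its finder
without the password.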