Deployments of smart cards are typically large, requiring customers to carefully manage enterprise costs for installation and configuration, maintenance, help desk, and training. The sum of these costs equates to the total cost of ownership (TCO). Given the size of smart card deployments, organizations have understandably identified reduction of the TCO as a key strategic goal (e.g., the U.S. Army). Among the items contributing to the TCO, one major source is help desk support.
In today's world of password/PIN-based access to computers, Web sites, and ATMs, help desks must service a growing number of requests for recovering forgotten passwords and PINs. As a result, Web sites that offer password-based access are including automated user-administered PIN and password recovery features. Their intent is to offset the high cost of live help desk support, which is typically a significant amount per user. So, for a large organization, the cost of help desk support can be very large.
With smart cards, the help desk cost potential is even higher. Not only do users forget their PIN, some try to remember their PIN by making multiple login attempts, which eventually locks their card or puts it into a locked state. Before the user is able to use the card again, it must then be taken to administrator who has a special key for unlocking the card. Thus, the help desks must service forgotten PIN requests and PIN Unlock requests. Because the user's PIN is not archived on a server, the help desk cannot do anything to prevent the user from locking their card.
The typical help desk process for servicing a PIN-locked card includes the following steps. The user physically carries the card to the help desk and requests that the PIN be unlocked. The help desk asks user for some basic identification information, and asks a security question, such as “What is your mother's maiden name?” If the user successfully answers the security question, the help desk unlocks the PIN, and gives the user a new PIN.
Not only are help desk costs higher for smart card PIN recovery than Web site password recovery, depending on smart card usage, the user may not be able to login to their computers and/or read protected e-mail messages until the card is returned.