How to implement a two factor authentication using smart cards and smart card readers via web

Question

First of all, please excuse my ignorance about this topic. (related)

What exactly is needed to implement a process like this:

1. Client visits login site (example.com/login).

2. To login, the client enters its client ID. Also, a random (?) code is displayed to the visitor:
   251 221 555.

3. The client picks up his smart card reader, puts his smart card into it and clicks on the "Login" button, enters the code 251 221 555

4. The client then enter his PIN code (in the smart card reader)
5. A token is then returned: 922 444 113
6. The client uses the returned token to login in the website.

I guess one needs:

• A smart card (which has a PIN code)
• A smart card reader (see picture 1, 2)

What I wonder is how to authenticate the returned token in a website, and also how to return a token in the smart card reader? What are the exact (or simplest) steps to implement a process like the one above?

Answer 1

The easiest implementation is to have a secret key stored in the smartcard, and trigger an encryption or MAC calculation over the input number. For this to work PIN entry should be before input number.

The commands would be

• VERIFY (with the PIN)
• INTERNAL AUTHENTICATE (with the input number)
• or PERFORM SECURITY OPERATION in mode Compute Cryptographic Checksum.

For more details you should have a detailed look into ISO 7816 part 4 (verify and internal auth.) and 7816 part 8 (perform security op.). This assumes a so-called native card (as opposed to a JavaCard).