Can you imagine PKI without physical cards? It turns out you can.
Of course, physical smart cards and USB-tokens still occupy the majority of the PKI market. They are traditional ‘carriers’ of users’ personal certificates and successful providers of authentication, encryption and digital signature at an office PC.
However, rapid digitalization brings new requirements. You may have employees who frequently travel with only a smartphone or a laptop. They cannot reasonably carry smart card readers and cards with them, yet they still need their digital certificates for work.
Today, the discussion around physical versus virtual smart cards goes far beyond remote work scenarios. Cloud-first strategies, hybrid infrastructures, and the growing use of SaaS applications require certificate-based authentication that works independently of a user’s device or physical location.
Employees increasingly access corporate resources from laptops, tablets, and virtual desktops, often switching devices throughout the day. In such environments, reliance on physical smart cards becomes an operational constraint rather than a security advantage.
Another important shift is the rapid growth of non-human identities. Certificates are now widely used not only by employees, but also by applications, services, virtual machines, and APIs.
These machine identities require the same level of protection and lifecycle management as user certificates, yet they cannot rely on physical carriers by design. This makes software-based and virtual certificate storage models a practical necessity in modern PKI architectures.
Modern card management systems offer various options:
- Using virtual smart cards based on a Trusted Platform Module (TPM) and Windows Hello for Business (WHfB);
- Using a client-server (network-attached) virtual smart card;
- Issuing certificates to the user’s local certificate store.
We’ll guide you through the available options.
Virtual smart cards (TPM/WHfB)
A Trusted Platform Module (TPM) is a dedicated security chip on the endpoint device that generates and protects keys bound to that device. A key created inside the TPM can be used for signing and decryption only through the TPM and cannot be read out in plaintext.
Windows Hello for Business (WHfB) replaces passwords on Windows devices with two-factor authentication: the credential is a key bound to the device, unlocked by a PIN or a biometric gesture.
- Private keys are protected by the cryptographic functions of the TPM, which is inseparable from the device (computer).
- Keys are bound to the user’s device and cannot be extracted from it; a lost or replaced device therefore means re-provisioning the credential.
- The company must invest in the server-side infrastructure for WHfB and in TPM-equipped user workstations.
Network-attached smart card: Indeed AirKey
This is a software implementation of a smart card that lets a user perform the same operations as a hardware smart card.
- No hardware components on the user’s side;
- Cryptographic operations are executed on the server, which holds the key, so protecting that server is central to the scheme;
- The smart card is delivered to the user remotely.
Issuing certificates to the user’s local storage
One alternative to a hardware or virtual smart card is to issue a certificate and deploy it, together with its private key, to the user’s workstation.
This is useful when a user works with virtual machines accessed through a thin client, a mobile device or special software (for example, a VPN client).
- The container holding the certificate can be protected by a PIN code;
- The certificate’s private key is marked non-exportable. Note that in a software key store this flag is enforced by the key storage provider, not by hardware: a user or attacker with local administrator rights on the workstation can bypass it with well-known tooling, so this option protects the key less strongly than a TPM or a server-side card does.
- No additional expenses for hardware or infrastructure are required.
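Whether a key actually sits behind a TPM or only in a software store is visible from the key storage provider that holds it. The PowerShell script below is an added example (not code from the original article or from any Axidian or Indeed product) that checks the workstation’s TPM status and classifies every certificate in the user’s personal store by provider, flagging software keys that are still exportable. The provider names are Microsoft’s standard ones; the classification heuristic and the function names are this example’s own assumptions.

```powershell
# Added example, not code from the original article or from any Axidian/Indeed product.
# Assumes Windows PowerShell 5.1 or PowerShell 7 on Windows. Provider names are the
# standard Microsoft ones; the mapping to classes below is a heuristic for this example.

function Test-TpmReady {
    # Get-Tpm (TrustedPlatformModule module, built into Windows) needs local admin rights.
    try { $tpm = Get-Tpm; return [bool]($tpm.TpmPresent -and $tpm.TpmReady) } catch { return $false }
}

function Get-KeyStorageClass {
    param([Parameter(Mandatory)][string]$ProviderName)
    # Each branch ends with break: PowerShell's switch would otherwise run every matching case.
    switch -Wildcard ($ProviderName) {
        'Microsoft Platform Crypto Provider'      { 'TPM-bound';                break }
        'Microsoft Passport Key Storage Provider' { 'Windows Hello for Business'; break }
        '*Smart Card*'                            { 'Smart card (minidriver)';  break }
        'Microsoft Software Key Storage Provider' { 'Software (CNG)';           break }
        'Microsoft*Cryptographic Provider*'       { 'Software (legacy CAPI)';   break }
        default                                   { "Other ($ProviderName)" }
    }
}

function Get-PrivateKeyStorageReport {
    param([string]$StorePath = 'Cert:\CurrentUser\My')

    foreach ($cert in Get-ChildItem -Path $StorePath) {
        if (-not $cert.HasPrivateKey) { continue }

        $provider = 'unknown'; $exportable = $null
        try {
            # Pick the accessor by key algorithm OID: RSA 1.2.840.113549.1.1.1, EC 1.2.840.10045.2.1
            $key = if ($cert.PublicKey.Oid.Value -eq '1.2.840.10045.2.1') {
                [System.Security.Cryptography.X509Certificates.ECDsaCertificateExtensions]::GetECDsaPrivateKey($cert)
            } else {
                [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
            }
            $props = $key.PSObject.Properties.Name
            if ($props -contains 'Key') {
                # CNG-backed key (RSACng / ECDsaCng): provider and export policy live on the CngKey
                $provider   = $key.Key.Provider.Provider
                $exportable = ($key.Key.ExportPolicy -band
                               [System.Security.Cryptography.CngExportPolicies]::AllowExport) -ne 0
            } elseif ($props -contains 'CspKeyContainerInfo') {
                # Legacy CAPI key (RSACryptoServiceProvider)
                $provider   = $key.CspKeyContainerInfo.ProviderName
                $exportable = $key.CspKeyContainerInfo.Exportable
            }
        } catch {
            # Opening the key can fail for a smart card that is not inserted or a key
            # that demands a PIN; still report the certificate.
            $provider = "unavailable: $($_.Exception.Message)"
        }

        [pscustomobject]@{
            Subject    = $cert.Subject
            Thumbprint = $cert.Thumbprint
            NotAfter   = $cert.NotAfter
            Provider   = $provider
            Class      = Get-KeyStorageClass -ProviderName $provider
            Exportable = $exportable
        }
    }
}

# Usage: TPM status, the full table, then the finding a PKI admin cares about most:
# software keys that are exportable despite the non-exportable intent of the local-storage option.
"TPM present and ready: $(Test-TpmReady)"
$report = Get-PrivateKeyStorageReport
$report | Format-Table Subject, Class, Exportable, NotAfter -AutoSize
$report | Where-Object { $_.Class -like 'Software*' -and $_.Exportable } |
    ForEach-Object { Write-Warning "Exportable software key: $($_.Subject) [$($_.Thumbprint)]" }
```

Run it in the context of the user whose certificates you are auditing; the TPM check needs an elevated session. A key reported as "TPM-bound" or "Smart card" never leaves its hardware, while anything in the "Software" classes is only as protected as the workstation itself, exportable flag or not.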
As you can see, there are a number of scenarios where a virtual smart card can work better than its hardware counterpart.
Virtual smart cards are no longer a temporary workaround or a niche alternative. For many organizations, they represent a more flexible and scalable approach to certificate-based authentication in distributed IT environments. When combined with proper certificate lifecycle management, virtual smart cards help organizations maintain security, reduce operational overhead, and adapt PKI to modern access scenarios.
Axidian CertiFlow, a cutting-edge product for smart card management, can work in all these scenarios to increase the efficiency of your PKI.
Feel uncertain about the smart card options that can work better for your enterprise? Request the consultation by our leading PKI experts.