Smart Card Management Tool Provider Alacris Acquired
Sep. 26, 2005

Improved smart-card administration is the goal of Microsoft's latest acquisition, Alacris. The private Canadian software vendor provides tools for managing digital certificates and smart cards, which provide a more secure means of user authentication than passwords alone. The Alacris tools can significantly lower the cost of deploying and managing smart cards when compared with the bare-bones tools built into Windows.

Smart cards are wallet-sized cards or USB fobs with a microprocessor and memory. When used for Windows authentication, a card stores a secret key and performs the cryptographic operations needed to identify the user during Windows login, at which time the user supplies a numeric PIN to unlock the card. The key on the card is tied to a digital certificate associated with the user's Windows Active Directory account. Digital certificates are issued and revoked through a public key infrastructure (PKI); administrators revoke a certificate by including it in a document called a Certificate Revocation List (CRL). This effectively disables a lost or stolen card.

Alacris' most notable product is idNexus, a Web-based tool that helps IT departments and security officers issue and manage users' digital certificates and provision smart cards. It allows customers to define specific certificate and smart-card management processes (using a configurable workflow engine) that conform to their particular security policy requirements. For example, an organization can configure idNexus to enforce specific approval steps before a certificate and key can be issued. IdNexus also lowers the cost of operating a Windows-based smart card infrastructure by enabling users to self-administer certain common tasks, such as changing the PIN needed to unlock the card. IdNexus is available in two flavors: one for Windows Server's built-in PKI (tightly coupled with Active Directory and the Windows Certificate Services) and another to manage PKI products from Entrust.

Alacris also makes software that enables the Windows PKI to support the Online Certificate Status Protocol (OCSP). An authenticating computer uses OCSP to communicate with the certificate-issuing server in real time and validate that a certificate has not been revoked. This supplements the Windows PKI's reliance on CRLs, which can be out of date if the authenticating computer cannot get back to the server publishing the CRL for the latest update.

Microsoft did not announce specifics on how it intends to offer the Alacris products, such as whether it will offer them as separate products or fold them into one or more editions of the upcoming Windows Longhorn Server (currently in beta and expected in the first half of 2007). The company also did not disclose whether it would continue to sell the idNexus product for Entrust. However, the acquisition signals that Microsoft is finally seeing sufficient customer interest in smart-card authentication to justify filling gaps in its PKI and smart-card technology.

Financial details of the acquisition were not disclosed.

Much more on the Windows PKI and support for smart cards can be found in "Windows Public Key Infrastructure Extends Security" on page 3 of the Dec. 2001 Update and "Smart Cards Provide Stronger Log-On Security" on page 12 of the Dec. 2001 Update.