Several authentication scenarios use public key encryption methods (public key cryptography). For example, a user owns a smart card that carries a private key and the corresponding public key. During the user authentication process, the system sends a random challenge. The user signs the challenge with his private key and sends back the result. The system verifies the signature with the public key. In this way, the system can verify that the user holds the right private key without ever having to receive that key. Instead of storing the public key in a file on the remote system, the smart card can present, together with the signed challenge, a public key certificate signed by a third party. This is called the Public Key Infrastructure (PKI) standard and is based on the ITU-T specifications.
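The challenge-response exchange described above, written out as an added illustration (not code from the original text): the card side is simulated by a signing function, Ed25519 is assumed as the signature scheme since the text names none, and the verifier keeps a record of issued challenges so that a captured response cannot be replayed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Verifier is the remote system: it stores only the user's public key and the challenges it has issued.
type Verifier struct {
	pub     ed25519.PublicKey
	pending map[[32]byte]bool // challenges issued but not yet consumed
}

// Challenge draws a fresh random nonce and records it as outstanding.
func (v *Verifier) Challenge() [32]byte {
	var c [32]byte
	if _, err := rand.Read(c[:]); err != nil {
		panic(err) // no usable entropy; refuse to authenticate
	}
	v.pending[c] = true
	return c
}

// Sign is the smart-card side: the private key stays on the card, only the
// signature over the challenge is sent back to the system.
func Sign(priv ed25519.PrivateKey, challenge [32]byte) []byte {
	return ed25519.Sign(priv, challenge[:])
}

// Verify accepts a signature only for a challenge this verifier issued and has
// not already consumed, so a response captured on the wire cannot be replayed.
func (v *Verifier) Verify(challenge [32]byte, sig []byte) bool {
	if !v.pending[challenge] {
		return false
	}
	delete(v.pending, challenge)
	return ed25519.Verify(v.pub, challenge[:], sig)
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader) // demo key pair, normally generated on the card
	if err != nil {
		panic(err)
	}
	v := &Verifier{pub: pub, pending: map[[32]byte]bool{}}
	c := v.Challenge()
	fmt.Println("authenticated:", v.Verify(c, Sign(priv, c)))
}
```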
Fig. 4.4 shows the entities involved in the authentication process. At each step of this process, a potential attacker may gain access to the authentication key.
The most fragile area is the input device and the user. If authentication is based on knowledge (passwords, PIN, etc.), the user has to remember the secret key. Remembering passwords is difficult for many people, so they often deliberately share their password with someone or write it on paper in the office.
Security cannot be solved with hardware alone, because users are a part of the authentication process [10].