Smart cards and phishing resistance: what IT teams need


    Key Takeaways

    • Smart cards remain one of only two authentication categories NIST and CISA recognize as phishing-resistant, but traditional deployments break down in hybrid environments due to reader hardware, per-endpoint middleware, and public key infrastructure (PKI) requirements.
    • The security model holds up. What fails is the deployment model: external readers create supply-chain risk, mobile devices lack reader hardware, and cloud applications often bypass PIV entirely.
    • PIV and FIDO2/WebAuthn are not competing technologies but complementary phishing-resistant paths that a multi-protocol hardware security key can consolidate onto a single device.
    • Organizations evaluating smart card modernization should assess three dimensions together: security and compliance requirements, user experience across endpoints, and total cost of ownership including readers, middleware, and PKI maintenance.

    Most attackers don’t break in. They log in. Certificate-based smart cards have been among the strongest defenses against credential-based attacks for over two decades, and the underlying security model still holds. What strains under modern conditions is everything around it: the readers, the drivers, the middleware, the per-endpoint provisioning that made sense when every employee sat at a managed workstation.

    If your organization invested in smart card infrastructure, that decision was sound. Personal Identity Verification (PIV) authentication remains one of only two categories that National Institute of Standards and Technology (NIST) and the Cybersecurity & Infrastructure Security Agency (CISA) recognize as phishing-resistant. The challenge now is whether the deployment model underneath can extend to mobile devices, cloud applications, and a workforce that no longer works from a single desk.

    What a smart card is and why it matters for identity security

    A smart card is a physical device with an embedded secure element that stores cryptographic credentials. Private keys never leave the hardware and can be used only after the user’s PIN has been verified on the card itself. Authentication is a public-key challenge-response: the card proves possession of the private key without ever exposing it, so the credential cannot be phished, cloned, or intercepted.

    For over 20 years, certificate-based smart cards have been the authentication gold standard in high-security environments. The U.S. federal government built its identity infrastructure on this approach: PIV cards and Common Access Cards (CACs) serve as both identity credentials and authentication devices on a single physical form factor, combining something you have with something you know for genuine hardware-backed Multi-Factor Authentication (MFA).

    For IT and security teams, the question now is whether your deployment model can keep pace with a workforce that no longer sits at a managed desktop.

    How smart cards achieve phishing-resistant authentication

    Smart cards earn their phishing-resistant designation through the way they bind authentication to the requesting service. This provides secure access that does not depend on a user recognizing a fraudulent site.

    NIST SP 800-63B states that PIV cards and CACs, which use client-authenticated Transport Layer Security (TLS), provide phishing resistance through channel binding. In a PIV authentication flow, the smart card’s certificate is validated against the server’s TLS session. If an attacker sets up a look-alike site and attempts to intercept the authentication, the channel binding check fails. The smart card will not complete the handshake with an illegitimate server.

    This mechanism places smart cards in a category shared by only one other authentication approach. According to a memo released by the United States Office of Management and Budget, phishing-resistant MFA is defined as two authentication technologies: NIST’s PIV/smart card and modern FIDO2/WebAuthn. Every other common MFA method, including SMS codes, TOTP, and push notifications, falls outside this designation.

    The distinction matters because phishing-resistant authentication protects not just accounts but users. A human-typeable code can be socially engineered out of even a security-conscious employee. A smart card performing channel-bound certificate authentication cannot be redirected this way. The user does not have a transferable secret to surrender. The smart card responds to a real-time challenge from the server, and the cryptographic exchange completes only when the server’s identity is verified.

    Where smart card deployments break down

    The strength of smart card authentication comes with a deployment footprint that many organizations underestimate. A traditional deployment requires external card readers at every endpoint, client and driver software on every machine, enterprise PKI deployment as a trust anchor, and in-person provisioning workflows for every new user.

    NIST FIPS 201 specifies that readers SHALL conform to the PC/SC Specification, meaning every workstation needs a compliant reader connected and functioning. Microsoft documentation states that an enterprise PKI is required as a trust anchor for authentication, and that hybrid configurations require Active Directory to be federated with Microsoft Entra ID using AD FS. The FIDO Alliance notes the consequence directly: PKI is complex to implement and maintain.

    These dependencies were built for a world of managed desktops behind a corporate perimeter. Three realities have exposed the limits of that model.

    Most mobile devices have no reader hardware. The NCCoE states plainly that most mobile devices are not equipped with smart card readers. A user on a phone or tablet cannot begin the PIV authentication flow regardless of policy. The gap is hardware, not configuration.

    Many cloud and SaaS applications do not natively support PIV. When an organization adds a cloud service that does not support certificate-based authentication, the smart card cannot protect that access point. Users fall back to weaker methods, creating inconsistent security posture across the application portfolio.

    Reader procurement introduces supply-chain risk. Brian Krebs reported that many government employees, unable to obtain approved readers for remote work, turned to low-cost readers online. Some 43 different security tools detected those drivers as malicious. A deployment model built for security was pushing users toward a supply-chain vulnerability because the operational model could not keep up with remote work.

    PIV and FIDO2/WebAuthn as the two phishing-resistant authentication paths

    NIST and CISA do not frame PIV and FIDO2/WebAuthn as competing technologies. They frame them as the two recognized paths to phishing-resistant authentication, each with distinct deployment characteristics.

    CISA recommends that agencies plan to migrate to phishing-resistant, passwordless authentication via either (1) their existing investments in public key infrastructure (PKI) and Personal Identity Verification (PIV) or (2) by using the FIDO2/WebAuthn standard.

    The word “or” is important. It signals that organizations can choose either path, or pursue both, based on their infrastructure and requirements.

    | Dimension | PIV/Smart Card | FIDO2/WebAuthn |
    | --- | --- | --- |
    | Phishing-resistance mechanism | Channel binding via client-authenticated TLS | Origin binding: built into the specification; the authenticator responds only to the registered domain |
    | Infrastructure requirement | Enterprise PKI, AD federation, PC/SC-compliant readers | Identity provider or relying party with WebAuthn support |
    | Cloud and SaaS coverage | Limited; many SaaS applications do not support certificate-based auth | Broad and growing; native web standard supported across platforms |
    | Mobile support | Requires reader hardware most devices lack | USB and NFC interfaces supported natively |
    | Federal recognition | NIST and CISA recognized | NIST and CISA recognized |

    CISA identifies FIDO2/WebAuthn as the only widely available phishing-resistant authentication, reflecting its broader ecosystem support across web applications, cloud platforms, and consumer services. The table above shows the practical difference: FIDO2/WebAuthn covers the mobile and cloud terrain that PIV’s infrastructure requirements make difficult to reach, while PIV remains the established standard for on-premises and federally mandated environments.
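The origin-binding mechanism in the table above is, on the relying-party side, a short list of checks over a signed assertion. The Go program below is an added example, not code from the page or from Yubico, and uses only the standard library. It simulates an authenticator as a P-256 key that only ever signs authenticatorData followed by SHA-256(clientDataJSON), and a relying party registered as login.example.com that accepts the single origin https://login.example.com; both names and the challenge value are constructed for the example. The program then shows why an assertion made at the look-alike origin login-example.com is rejected, and the test additionally covers a stale challenge, an origin field rewritten after signing, and a credential scoped to a different RP ID.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
)

// Constructed for this example: the RP ID the credential was registered under
// and the single origin the relying party accepts (assumed names, not from the page).
const (
	RPID           = "login.example.com"
	ExpectedOrigin = "https://login.example.com"
)

// collectedClientData holds the clientDataJSON fields the RP checks; the browser, not the user, fills in Origin.
type collectedClientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// Assertion is what the RP receives; AuthenticatorData = SHA-256(rpId) || flags || counter.
type Assertion struct {
	ClientDataJSON, AuthenticatorData, Signature []byte
}

// Authenticator stands in for the secure element: the key never leaves it and it only signs the WebAuthn message format.
type Authenticator struct{ key *ecdsa.PrivateKey }

func NewAuthenticator() (*Authenticator, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	return &Authenticator{key: key}, err
}

func (a *Authenticator) PublicKey() *ecdsa.PublicKey { return &a.key.PublicKey }

// digest hashes exactly the bytes WebAuthn signs: authenticatorData || SHA-256(clientDataJSON).
func digest(authData, clientDataJSON []byte) []byte {
	cdHash := sha256.Sum256(clientDataJSON)
	d := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	return d[:]
}

// Assert builds the assertion a browser at origin would submit for a credential scoped to rpID.
func (a *Authenticator) Assert(origin, rpID string, challenge []byte) (*Assertion, error) {
	cd, err := json.Marshal(collectedClientData{
		Type:      "webauthn.get",
		Challenge: base64.RawURLEncoding.EncodeToString(challenge),
		Origin:    origin, // a look-alike site gets its own origin recorded and signed
	})
	if err != nil {
		return nil, err
	}
	rpHash := sha256.Sum256([]byte(rpID))
	authData := append(rpHash[:], 0x01, 0, 0, 0, 1) // flags: user present; counter = 1
	sig, err := ecdsa.SignASN1(rand.Reader, a.key, digest(authData, cd))
	return &Assertion{ClientDataJSON: cd, AuthenticatorData: authData, Signature: sig}, err
}

// VerifyAssertion is the relying-party side: the assertion-verification steps that make the credential phishing-resistant.
func VerifyAssertion(pub *ecdsa.PublicKey, challenge []byte, as *Assertion) error {
	var cd collectedClientData
	if err := json.Unmarshal(as.ClientDataJSON, &cd); err != nil {
		return fmt.Errorf("clientDataJSON: %w", err)
	}
	if cd.Type != "webauthn.get" {
		return fmt.Errorf("unexpected ceremony type %q", cd.Type)
	}
	if cd.Challenge != base64.RawURLEncoding.EncodeToString(challenge) {
		return fmt.Errorf("challenge mismatch: stale or replayed assertion")
	}
	if cd.Origin != ExpectedOrigin {
		return fmt.Errorf("origin %q is not the registered origin %q", cd.Origin, ExpectedOrigin)
	}
	want := sha256.Sum256([]byte(RPID))
	if len(as.AuthenticatorData) < 37 || !bytes.Equal(as.AuthenticatorData[:32], want[:]) {
		return fmt.Errorf("rpIdHash does not match the registered RP ID %q", RPID)
	}
	if !ecdsa.VerifyASN1(pub, digest(as.AuthenticatorData, as.ClientDataJSON), as.Signature) {
		return fmt.Errorf("signature invalid: clientDataJSON or authenticatorData was altered")
	}
	return nil
}

func main() {
	auth, _ := NewAuthenticator()                      // error ignored only in this demo main
	challenge := []byte("constructed-challenge-0001") // the RP issues a fresh random one per login
	genuine, _ := auth.Assert(ExpectedOrigin, RPID, challenge)
	lookalike, _ := auth.Assert("https://login-example.com", RPID, challenge)
	fmt.Println("genuine origin:   ", VerifyAssertion(auth.PublicKey(), challenge, genuine))
	fmt.Println("look-alike origin:", VerifyAssertion(auth.PublicKey(), challenge, lookalike))
}
```

Two design points carry the security argument. The origin check compares against a fixed registered value, never against anything the user typed or saw, so a convincing look-alike domain buys the attacker nothing. And because the origin sits inside clientDataJSON, which is hashed into the signed message, an attacker who relays a signed assertion cannot patch the origin afterwards without invalidating the signature.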

    For organizations with existing PIV investments, the question is whether a single authenticator can serve both paths simultaneously: preserving PKI-based authentication for on-premises and legacy systems while extending phishing-resistant coverage to cloud and mobile environments through FIDO2/WebAuthn.

    How a multi-protocol hardware security key consolidates PIV and FIDO2

    Yubico co-created the FIDO2/WebAuthn standards alongside Google and other FIDO Alliance members and built support for both phishing-resistant paths into a single hardware security key. The YubiKey 5 Series supports PIV and FIDO2/WebAuthn on one device, removing the forced choice between legacy infrastructure and modern authentication. Instead of maintaining two separate authenticator strategies, organizations deploy one key that speaks both protocols.

    All YubiKey 5 Series keys provide smart card functionality based on the PIV standard. The same device that performs FIDO2/WebAuthn authentication for cloud applications also handles certificate-based PIV authentication for on-premises systems, VPN access, and workstation login. The YubiKey acts as both a smart card reader and a smart card. It requires no extra hardware. No external reader. No per-endpoint driver software. No separate device for each authentication protocol.

    The YubiKey 5 Series supports FIDO2/WebAuthn, FIDO U2F, PIV Smart Card, One-Time Password (OTP), OpenPGP, and more, covering legacy on-premises and modern cloud systems. A single key authenticates a user to Active Directory via PIV, to a cloud identity provider via FIDO2/WebAuthn, and to legacy systems via OTP, all without swapping devices or carrying additional peripherals.

    Mobile access is addressed as well. iOS natively supports PIV smart cards through Apple’s CryptoTokenKit framework. A YubiKey 5 Series connected via USB-C or Lightning provides PIV smart card authentication on an iPhone without additional hardware readers or software. For contactless use, a YubiKey 5 Series with NFC capability provides PIV authentication through the Yubico Authenticator app, which extends CryptoTokenKit support to NFC and eliminates the external reader hardware that the NCCoE identified as absent from most mobile platforms.

    For organizations looking to reduce friction in high-frequency authentication workflows while adding biometric verification, the YubiKey Bio Series streamlines login with on-device fingerprint verification, making authentication as fast as a touch. Fingerprints never leave the key’s secure element, and the biometric falls back to PIN after repeated failed attempts. This protects users from locking themselves out of their accounts while providing a frictionless biometric authentication method that meets data privacy and biometric sovereignty regulations. The YubiKey Bio Series comes in two options: the YubiKey Bio Series – FIDO Edition and the YubiKey Bio Series – Multi-protocol Edition.

    • YubiKey Bio Series – FIDO Edition: With support for both biometric- and PIN-based login, this key leverages the full range of multi-factor authentication (MFA) capabilities outlined in the FIDO2 and WebAuthn standard specifications.
    • YubiKey Bio Series – Multi-protocol Edition: Offers all of the benefits of the FIDO Edition lineup along with additional capabilities enabled through its multi-protocol support. This key supports FIDO2 as well as PIV smart card. The YubiKey Bio Series – Multi-protocol Edition lineup is available exclusively via YubiKey as a Service, and is included within the Compliance tier.

    For organizations that need only FIDO2/WebAuthn and do not require PIV, OTP, or OpenPGP support, the Security Key Series provides a FIDO-only starting point at a lower cost.

    One distinction matters here: when a YubiKey is used for PIV authentication, it operates within the PKI trust model. When the same YubiKey is used for FIDO2/WebAuthn, it operates within the origin-binding model. Both are phishing-resistant. Both run on one device. Credentials are stored on a secure element and never leave the hardware, protecting against credential-based account takeovers.

    Your organization chooses which protocol to use based on what each application supports, not based on which hardware the user happens to be carrying. The goal is phishing-resistant users across every environment, not only phishing-resistant authentication at a subset of access points.

    For federal and regulated environments, the YubiKey 5 FIPS Series provides the same multi-protocol support with FIPS validation required for government and regulatory use cases.

    How to evaluate modernization of your smart card program

    If your organization already runs a smart card program, modernization is not a question of whether to abandon what works. The question is how far your current infrastructure can reach. The security model is still sound, but what needs evaluating is whether your deployment model covers cloud, mobile, and hybrid access points that have emerged since your program was built. Three dimensions determine where the gaps are and what filling them requires.

    Security and compliance

    Start with what your regulatory environment requires. Both PIV and FIDO2/WebAuthn meet the phishing-resistant MFA threshold established by NIST and CISA. If your organization operates under federal mandates that specify PIV, you need a device that supports PIV. If you are extending phishing-resistant authentication to cloud applications that do not support certificate-based authentication, you need FIDO2/WebAuthn.

    Regulated industries such as healthcare (HIPAA) and financial services often have specific compliance mandates that determine which authentication protocols are acceptable. The evaluation question is not which protocol is more secure. It is which protocols your applications and compliance frameworks require, and whether your current authenticator covers all of them.

    User experience

    Every dependency in the authentication flow is a potential point of friction. External readers, middleware installations, and driver updates all create opportunities for support tickets and user frustration. Consider the experience from your user’s perspective: carrying a separate reader, troubleshooting driver conflicts, and managing certificate renewals all reduce the likelihood of consistent adoption.

    Evaluate how many of your users work from managed desktops with readers versus laptops, tablets, or mobile devices without them. Consider how your current smart card program handles remote onboarding, device replacement, and cross-platform access. Each scenario tests whether your deployment model matches how your workforce actually operates.

    Total cost of ownership

    The cost of a smart card program extends far beyond the cards themselves. Reader procurement, endpoint software licensing, PKI maintenance, certificate lifecycle management, and help desk support for reader and driver issues all contribute to the total. A multi-protocol hardware security key that eliminates readers and simplifies endpoint requirements reduces these costs while expanding phishing-resistant authentication to environments your current program may not reach.

    This three-dimension framework applies whether you are evaluating a net-new deployment or modernizing an existing smart card program. The strongest outcomes come from organizations that assess all three dimensions together rather than optimizing for one at the expense of the others.

    Modernize your smart card deployment with the YubiKey 5 Series

    The YubiKey 5 Series delivers PIV smart card functionality and FIDO2/WebAuthn in a single hardware security key. No external readers and no per-endpoint middleware. Multi-protocol support covers on-premises, cloud, and hybrid environments with one device per user.

    For federal and regulated use cases, the YubiKey 5 FIPS Series provides the same capabilities with FIPS validation. 

    Explore the YubiKey 5 Series to see how a multi-protocol approach fits your environment, or talk to a Yubico specialist to plan your rollout. For organizations ready to accelerate their adoption of phishing-resistant and passwordless authentication to secure digital identities, YubiKey as a Service enables simple and scalable global deployment of YubiKeys for your workforce, supply chain, and end customers.

    You also get access to turnkey Enrollment and Delivery services. Enrollment services help IT onboard users with YubiKeys quickly, fast-tracking the organization to phishing-resistance. Delivery services help IT distribute keys effortlessly to end users across both residential and office locations around the world.