If you must, go for the client-certificates; less cost, less hassle.
Granted, client-certificates will be their own pain. If you have the
option, push back on the whole idea of "EXTRA" security; it sounds like
someone in upper management learned a new buzzword. If you want extra
security, *don't* use a web-based solution. You're already spending most
of your time dealing with HTML limitations. If you have to add
certificates, you're going to have to add even more time figuring out
how to make this new security level maintainable (if you did smart
cards, you've got to track the cards, other hardware, etc.) ---ick.
Larry David wrote:
[snip][snip]
> 2) A certain class of users, those with the highest access level, need
> to be authenticated in a manner that is more sophisticated than a simple
> username/password.
> I'm stumped on #2 though. I've done some research and have learned that
> there are at least two ways to add EXTRA security to web sites. I can a)
> require client certificates and/or b) require the use of a smart card. Can
> anyone point me in the right direction on either of these options? Does ISA
> need to be configured in a particular way to allow certificate and/or smart
> card information to pass through? When ISA "bridges" the connection from SSL
> to plain HTTP, will this information be lost in transit? Is my ASP.NET web
> site supposed to ask the user to "swipe your smart card now?" If so, since
> this action is taking place on the client side, how will my ASP.NET page
> know when the swipe has taken place? How is the data transmitted? I'm
> utterly confused.
> Mr. David