Why does the EPO use smart cards and how secure are they?

Smart cards are credit card-sized plastic cards that contain a microprocessor and a small amount of memory.

The EPO decided very early on in the planning process for its online services that the certificates which allow users to conduct secure transactions with us would be stored on smart cards. Unlike passwords, smart cards allow us to provide the more secure two-factor authentication, comprising something that is held (the card) and something that is known (the PIN). Two-factor authentication means that PINs can be simpler, and therefore easier to remember, than passwords, since without the card the PIN is useless, and vice versa. Also, the simpler PINs are not susceptible to brute-force attacks because the smart card locks itself after several unsuccessful attempts to enter the PIN.
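The lockout behaviour described above is what makes a short PIN safe in combination with the card. The following simulation, added here as an illustration and not EPO code or a model of any particular card product, shows a PIN-protected key slot that counts failed attempts and refuses further verification once the counter reaches zero; the retry limit of 3, the 4-digit PIN and the placeholder signing routine are assumptions for the demonstration. It also shows two design details a practitioner expects on a real card: the counter is decremented before the comparison (so interrupting the card mid-check cannot be used to retry for free), and the comparison is constant-time.

```python
"""Simulation of smart card PIN verification with a retry counter.

Illustrative code only (not EPO code, not modelled on a specific card).
Assumptions: 3 retries, a 4-digit numeric PIN, and a stand-in for the
private-key operation that a real card would perform after PIN verification.
"""
import hmac
import itertools

MAX_RETRIES = 3  # assumed limit for the demonstration


class PinBlockedError(Exception):
    """Raised when the card has locked itself after too many wrong PINs."""


class SmartCardSim:
    """Minimal model of the PIN-protected private-key slot on a smart card.

    The card never releases the stored PIN or private key; it only answers
    verify requests and counts failures. After MAX_RETRIES consecutive
    failures it refuses further attempts until unblocked out of band
    (e.g. with a PUK), which this simulation does not implement.
    """

    def __init__(self, pin: str) -> None:
        self._pin = pin.encode()
        self.retries_left = MAX_RETRIES
        self.verified = False

    @property
    def blocked(self) -> bool:
        return self.retries_left == 0

    def verify_pin(self, candidate: str) -> bool:
        if self.blocked:
            raise PinBlockedError("PIN blocked; card must be unblocked with the PUK")
        # Decrement *before* comparing: tearing the card out or cutting power
        # during the check must not give the caller a free retry.
        self.retries_left -= 1
        # Constant-time comparison so the check leaks no timing information.
        ok = hmac.compare_digest(self._pin, candidate.encode())
        if ok:
            self.retries_left = MAX_RETRIES  # a correct PIN resets the counter
            self.verified = True
        return ok

    def sign(self, data: bytes) -> bytes:
        """Stand-in for a private-key operation; only allowed after PIN verify."""
        if not self.verified:
            raise PermissionError("PIN not verified")
        # Placeholder: a real card would compute a signature with the key here.
        return b"signed:" + data


def exhaustive_guess_demo(card: SmartCardSim, digits: int = 4) -> dict:
    """Try every PIN in ascending order against the simulated card.

    Returns how many guesses the card accepted before locking, showing that
    the retry counter, not the PIN length, bounds the number of guesses.
    """
    attempts = 0
    for combo in itertools.product("0123456789", repeat=digits):
        candidate = "".join(combo)
        try:
            attempts += 1
            if card.verify_pin(candidate):
                return {"found": candidate, "attempts": attempts, "blocked": False}
        except PinBlockedError:
            return {"found": None, "attempts": attempts - 1, "blocked": True}
    return {"found": None, "attempts": attempts, "blocked": False}


if __name__ == "__main__":
    # Constructed sample PIN for the demonstration.
    print(exhaustive_guess_demo(SmartCardSim("7342")))
    legit = SmartCardSim("7342")
    legit.verify_pin("1111")          # one mistake, two retries left
    legit.verify_pin("7342")          # correct PIN, counter reset
    print(legit.retries_left, legit.sign(b"request"))
```

The guessing loop stops after three accepted guesses whatever the PIN length, which is the point of the paragraph: a ten-thousand-combination PIN space is irrelevant when the card only answers three questions.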

In addition to being small and portable, smart cards afford a much higher level of secure storage for certificates than, say, a hard drive. They offer tamper-proof storage of the user's private keys and digital certificates, are highly resistant to unauthorised deletion or copying of the certificates and keys, and any attempt to tamper with them requires significant effort which would invariably result in physical damage to the card itself. Also, it is easier to spot the loss or theft of a card than of a certificate stored on a computer.