US 7,536,722 B1
Authentication system for two-factor authentication in enrollment and pin unblock
Michael K. Saltz, San Jose, Calif. (US); and Aseem Sharma, Fremont, Calif. (US)
Assigned to Sun Microsystems, Inc., Santa Clara, Calif. (US)
Filed on Mar. 25, 2005, as Appl. No. 11/89,700.
Int. Cl. H04L 9/32 (2006.01)
U.S. Cl. 726—20
22 Claims
 
1. An authentication system comprising:
a smart access card issued to a user, the smart access card having an authentication credential comprising an authentication certificate and a card unique identifier (CUID), the authentication certificate having a copy of the CUID;
a desktop authentication module in a client computer, the desktop authentication module configured to prevent a user from accessing resources of the client computer;
a card reader interface providing communication between the smart access card and the desktop authentication module; and
an enrollment server for enrolling the smart access card into a server data store, the enrollment server receiving the authentication credential from the desktop authentication module obtained from the smart access card and performing a two factor authentication for the user, the two factor authentication including verifying that the CUID has been issued to the user and that the certificate stored on the smart access card has a valid signature.
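The enrollment check recited in claim 1, sketched as an added example that is not taken from the patent or from any Sun Microsystems code. It assumes a simplified Ed25519-signed structure in place of a real X.509 authentication certificate; the names `Cert`, `Credential`, `Enroll`, `DemoCard` and the sample CUID and user are hypothetical.

```go
package main

import (
	"crypto/ed25519"
	"errors"
	"fmt"
)

// Cert is a simplified stand-in for the card's certificate (assumption, not X.509).
type Cert struct {
	CUID, Subject string // the certificate carries its own copy of the CUID
	Sig           []byte // issuer signature over CUID and Subject
}

// Credential is what the desktop module reads from the card and forwards.
type Credential struct {
	CUID string
	Cert Cert
}

func signedBytes(c Cert) []byte { return []byte(c.CUID + "\x00" + c.Subject) }

// Enroll applies both factors from claim 1 before writing to the data store.
func Enroll(user string, cred Credential, issuer ed25519.PublicKey, issued, store map[string]string) error {
	if !ed25519.Verify(issuer, signedBytes(cred.Cert), cred.Cert.Sig) {
		return errors.New("certificate signature invalid")
	}
	if cred.Cert.CUID != cred.CUID {
		return errors.New("certificate CUID does not match card CUID")
	}
	if owner, ok := issued[cred.CUID]; !ok || owner != user {
		return errors.New("CUID not issued to this user")
	}
	store[cred.CUID] = user
	return nil
}

// DemoCard builds a constructed issuer key and card credential for the demo.
func DemoCard() (ed25519.PublicKey, Credential) {
	priv := ed25519.NewKeyFromSeed(make([]byte, ed25519.SeedSize)) // fixed demo seed
	c := Cert{CUID: "CUID-0001", Subject: "alice"}
	c.Sig = ed25519.Sign(priv, signedBytes(c))
	return priv.Public().(ed25519.PublicKey), Credential{CUID: c.CUID, Cert: c}
}

func main() {
	pub, cred := DemoCard()
	fmt.Println(Enroll("alice", cred, pub, map[string]string{"CUID-0001": "alice"}, map[string]string{}))
}
```

Because the CUID is covered by the issuer signature, a certificate copied onto a card with a different CUID fails the second check even though its signature still verifies.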