Because the security of public-key cryptography (including certificate and public-key authentication) relies heavily on the confidentiality of the private key, it is important to keep the private key secure. If the private key is stored for example on the local hard drive, it is very important that only the intended user has read access to the private key. If someone could obtain the private key, they could potentially mount a brute-force or a dictionary attack to discover the passphrase of the private key, and security would be void.

If the security of the machine on which public-key or certificate authentication is used cannot be guaranteed, or if a higher level of security is desired, the private key (and any public keys or certificates) can be stored on a smart card or another two-factor authentication token.

Storing the private key and public key or certificate on a smart card can also be convenient if a user uses many different machines to connect from. Storing a copy of the key pair on each machine is often not desirable and transporting the key pair on a floppy disk or other easily damaged or copied media may not be convenient or secure. A smart card could be used in this type of scenario to store the private key and certificate or the public key, and none of the secret key material would need to be stored on the client computers.

In SSH Tectia Client and Connector 5.x, the Connection Broker component can be used as a key provider for accessing keys and certificates from disk files and hardware cryptographic devices. It can also be used as an authentication agent to store passphrases for key pairs.