An authentication system includes a smart access card issued to a user; a
client computer; a desktop authentication module configured to prevent a
user from accessing resources of the client computer prior to successful
completion of a two-factor authentication; a card reader interface
providing communication between the smart access card and the desktop
authentication module; and an enrollment server for enrolling the access
card into a server data store. The smart access card has an
authentication credential comprising an authentication certificate and a
card unique identifier. The enrollment server is in communication with
the desktop authentication module via a network connection for receiving
the authentication credential from the smart access card and performing
two-factor authentication for a user, the two-factor authentication using
the authentication credential prior to the enrolling.