CYBEREYE

Are mobile devices already making PIV cards obsolete?

In the current budget-constrained, always-on mobile environment, a premium is being put on consumer devices that enable employees to access enterprise resources. But what about the requirement that Personal Identity Verification cards be used to authenticate logical access? How will cards be accommodated on smart phones and other handheld devices?

Some industry observers think they won’t be, and that the time of the PIV card has passed before it has been fully adopted.

“I think they will move away from the hardware requirements,” said Susan Zeleniak, group president of Verizon Federal. She predicted that authentication and authorization will be done via onboard biometric applications in handheld devices.




“I think that hardware-based authentication tokens will be obsolete,” said Norm Laudermilch, chief operating officer of Verizon’s Terremark Federal Group.

Zeleniak and Laudermilch, speaking with reporters recently in Washington, said that budget cuts are driving agency procurement today and that the emphasis is on services rather than equipment and on commodities rather than government-specific hardware.

“Cost is a factor in every equation,” said Chris Felix, Verizon Wireless’s vice president for federal government sales. “They don’t want to build it, and they definitely don’t want to own it.”

This is not a terribly surprising conclusion, given current conditions. But a reliance on off-the-shelf products means that there will be no PIV card readers available for workers signing on to check e-mail or read a document while out of the office. Access and identity management might be standardized on a common set of credentials inside the enterprise, but there is no move to adopt that standard outside the office.

Homeland Security Presidential Directive 12, issued by then-President George W. Bush in 2004, established a common identification standard for federal employees and contractors to increase security and reduce opportunities for identity fraud. Requirements and technical specifications for the PIV card were quickly developed. Most employees and contractors now have the cards, and current government policy is that they be used both for physical and logical access.

Given the shortened time frame for development, distribution and implementation of the technology, it is not surprising that actual adoption has lagged somewhat.

“We basically have noncompliance now on the civilian side,” said Tony Busseri, CEO of Route1 Inc., a provider of remote authentication tools.

Busseri said he believes that authentication requirements eventually will push smart phones out of the federal portfolio for remote access, to be replaced by tablet computers, which could more easily accommodate standard card readers.

But the demand from workers today is to be able to access agency resources anywhere, anytime on any device, said Verizon’s Felix. There is very little push to add anything to the device used at work. “I want that commercial device; I want to look like everybody else,” Felix said of current demands.

This does not mean that PIV cards are going away. They are the standard now for government worker ID, and a push is under way to incorporate them into physical access systems that can take advantage of their biometric and cryptographic features automatically. And despite the growing popularity of handheld devices, it does not look as though they are replacing the PCs on which government card readers are becoming standard, Zeleniak said.

“Indications are that people are still doing a lot with their laptops and desktops,” she said. The difference is that now they are connected all of the time. “We are seeing an increase in use of wireless access for business, but I don’t think we’re seeing a decrease in the use of desktops.”

In the end, the government enterprise is likely to remain a heterogeneous environment in which multiple tools for access and authentication are used. Let’s hope that the proper safeguards can be put into place to ensure the level of security that was envisioned in HSPD-12.

 

About the Author

William Jackson is a freelance writer and the author of the CyberEye blog.

Reader Comments

Fri, May 11, 2012 Jay

I see biometrics as a solution being much, much further out. A few other people have noted that technology exists to read PIV cards today. However, they're all pretty clunky. I think NFC is likely to be the most seamless solution as it becomes embedded in more phones. That will leverage all the existing infrastructure that exists to authenticate with PIV cards. There's little to no infrastructure in place to do biometrics-based authentication. Who knows about policy there, but infrastructure-wise it's immature.

Thu, Nov 17, 2011 Chuck

I have tested an app for the Mac called Airlock. It uses Bluetooth to know when your iPhone is within range of your Mac. It works very well, with enough settings to make security people comfortable. This is not meant as an ad, just as a sure example of what the author is talking about.

Wed, Nov 16, 2011 Steve Turner Baltimore

While I am sure that our friends at Verizon Federal would prefer to have the “emphasis … on services rather than equipment”, the fact is that a PIV solution is available today for secure, remote access for iPhone, iPad and Android users. Biometric Associates, LP (BAL) has created a smart card middleware solution for mobile devices, an effort partially funded by the US Army. The solution includes the smart card middleware for CAC and PIV cards as well as a Bluetooth CAC/PIV reader. The solution has been tested and certified by an NSA-approved, independent lab and is currently the only DoD approved solution for iOS and Android. BAL provides the smart card middleware on a royalty-free basis to application developers. Over 70 developers are currently developing CAC- or PIV-enabled applications, including Good Technologies, Thursby Software and Citrix. Pilots are underway at the Army, Navy, Marine Corps and Air Force with additional pilots scheduled at the VA, FAA, DHS and other Federal agencies.

Tue, Nov 15, 2011 DC

It is more likely that the smart devices could implement a fingerprint reader function than have to go to the expense of putting a radio transceiver to communicate with the PIV card. Having to insert (and keep inserted) a PIV card almost the size of many smart phones is unworkable. That leaves the PIV being used for human ID and automated physical (turnstile) access control. But near field communication (NFC) is coming to obviate needing a PIV--look at the use of smart phone screens for airline boarding pass substitution.

Tue, Nov 15, 2011 Pseu_An www

My dog can be identified (embedded chip/DNA) more reliably than I can.
