Are mobile devices already making PIV cards obsolete?
- By William Jackson
- Nov 14, 2011
In the current budget-constrained, always-on mobile environment, a premium is being put on consumer devices that enable employees to access enterprise resources. But what about the requirement that Personal Identity Verification cards be used to authenticate logical access? How will cards be accommodated on smart phones and other handheld devices?
Some industry observers think they won’t be; that the time of the PIV card has passed before it has been fully adopted.
“I think they will move away from the hardware requirements,” said Susan Zeleniak, group president of Verizon Federal. She predicted that authentication and authorization will be done via onboard biometric applications in handheld devices.
“I think that hardware-based authentication tokens will be obsolete,” said Norm Laudermilch, chief operating officer of Verizon’s Terremark Federal Group.
Zeleniak and Laudermilch, speaking with reporters recently in Washington, said that budget cuts are driving agency procurement today and that the emphasis is on services rather than equipment and on commodities rather than government-specific hardware.
“Cost is a factor in every equation,” said Chris Felix, Verizon Wireless’s vice president for federal government sales. “They don’t want to build it, and they definitely don’t want to own it.”
This is not a terribly surprising conclusion, given current conditions. But a reliance on off-the-shelf products means that there will be no PIV card readers available for workers signing on to check e-mail or read a document while out of the office. Access and identity management might be standardized on a common set of credentials inside the enterprise, but there is no move to adopt that standard outside the office.
Homeland Security Presidential Directive 12, issued by then-President George W. Bush in 2004, established a common identification standard for federal employees and contractors to increase security and reduce opportunities for identity fraud. Requirements and technical specifications for the PIV card were quickly developed. Most employees and contractors now have the cards, and current government policy is that they be used both for physical and logical access.
Given the shortened time frame for development, distribution and implementation of the technology, it is not surprising that actual adoption has lagged somewhat.
“We basically have noncompliance now on the civilian side,” said Tony Busseri, CEO of Route1 Inc., a provider of remote authentication tools.
Busseri said he believes that authentication requirements eventually will push smart phones out of the federal portfolio for remote access, to be replaced by tablet computers, which could more easily accommodate standard card readers.
But the demand from workers today is to be able to access agency resources anywhere, anytime on any device, said Verizon’s Felix. There is very little push to add anything to the device used at work. “I want that commercial device; I want to look like everybody else,” Felix said of current demands.
This does not mean that PIV cards are going away. They are the standard now for government worker ID, and a push is under way to incorporate them into physical access systems that can take advantage of their biometric and cryptographic features automatically. And despite the growing popularity of handheld devices, it does not look as though they are replacing the PCs on which government card readers are becoming standard, Zeleniak said.
“Indications are that people are still doing a lot with their laptops and desktops,” she said. The difference is that now they are connected all of the time. “We are seeing an increase in use of wireless access for business, but I don’t think we’re seeing a decrease in the use of desktops.”
In the end, the government enterprise is likely to remain a heterogeneous environment in which multiple tools for access and authentication are used. Let’s hope that the proper safeguards can be put into place to ensure the level of security that was envisioned in HSPD-12.
William Jackson is a freelance writer and the author of the CyberEye blog.