Mobile authentication for CAC, PIV cards could get easier
- By Kevin McCaney
- May 22, 2013
Military and civilian agencies have been approving and/or adopting smart phones by the bushel, but the surge into mobile computing can be complicated by matters of authentication. Many smart phones don’t yet work with the authentication agencies require — Personal Identity Verification cards for civilian agencies, Common Access Cards for Defense agencies.
It’s not that security is being ignored. The National Institute of Standards and Technology in July 2012 issued a draft of Special Publication 800-124, Revision 1, "Guidelines for Managing and Securing Mobile Devices in the Enterprise" that offers recommendations for selecting and managing mobile devices, whether provided by an agency or personally owned.
And the Defense Department, which recently OK’d Android, iPhone and BlackBerry models for military use, won’t actually use new devices until the Defense Information System Agency implements a mobile device management system later this year.
Manufacturers, meanwhile, are working to make their devices more ID-friendly. Although the BlackBerry 10.0 line of phones, recently approved by DOD, don’t work with CACs, subsequent versions, 10.1 and 10.2, are expected to, NextGov reported.
Agencies also could find authentication getting easier with baiBrowser, a Bluetooth-enabled app just released by Biometric Associates that lets users with iPhones and iPads — and, soon, Android devices — use CAC, PIV, PIV-I (Personal Identity Verification-Interoperable) or Commercial Identity Verification cards for authentication.
The baiBrowser has been tested with Army Knowledge Online sites, Air Force portals, the Defense Finance and Accounting Services’ myPay site and most Defense Outlook Web Access sites, company president Scott Johnson said in an announcement. The app supports both the baiMobile 3000MP Bluetooth Smart Card Reader, a sleeve that fits over the phone, and the forthcoming baiMobile 301MP attached reader.
The iOS version is available as a free download from the iTunes App Store (users have to buy the reader). The company said the Android version is being tested with U.S. agencies and is expected to be released soon via the Google Play Store.
Mobile device management is a growing issue for public-sector agencies, as smart phones, tablets and other portable devices make their way into enterprises, leading some industry experts to wonder if the days of smart-card IDs are numbered. Some say they think hardware authentication tokens such as CAC and PIV cards will give way to on-board biometric readers or other software options.
The real key is two-factor authentication — whether via hardware or software — so that users need more than just a password to verify their identities. There are a growing number of soft tokens available, each with their strengths and weaknesses. NetworkWorld just reviewed eight such services.
Whether, or when, agencies move away from smart ID cards is anybody’s guess. But even with CAC and PIV cards, their options for mobile authentication are expanding.
Kevin McCaney is a former editor of Defense Systems and GCN.