Derived credentials for mobile on the horizon?
All government employees are familiar with using a smart card to access buildings, their desktop computers or just about anything that requires a so-called hard-token passport. That’s not such a good thing for employees who want to access government information from their mobile devices, however, which is where derived credentials come in.
For one thing, supplying all government users of mobile devices with a card reader is a very expensive proposition. Using that reader every time employees want to use their device to get into a government network or website is also cumbersome, to say the least, and potentially life-threatening when responders want network access during an emergency.
The dangers of using a single password for mobile access have been obvious for a while, so government has been on the lookout for a better and more convenient solution. Just over two years ago, the National Institute of Standards and Technology issued the first draft of guidelines for implementing derived personal identity verification (PIV) credentials on mobile devices.
Essentially, it’s a software version of the PIV credentials stored on the government smart cards. It’s directly related to the NIST SP 800-57 guidelines on cryptographic key management, which are the basis for government security policies such as Homeland Security Presidential Directive 12 and those governing public-key infrastructures (PKIs).
So far, however, derived credentials have rarely been implemented in government. That might change with the recent announcement by MobileIron, an enterprise mobility management provider, and Entrust Datacard that they are partnering on a derived credential product that could be available for government mobile users by the end of the year.
It’s the result of a long process, said Sean Frazier, chief federal technical evangelist at MobileIron. NIST had to spend time developing the final SP 800-157 guidelines on derived credentials, and at the same time, Entrust and the other organizations that control the government’s back-end certificate management systems, which enable the use of PIVs, had to amend and adapt those systems to allow for derived credentials.
MobileIron’s job was to develop the software that would manage the credentials on the device and make sure they could be seen by various applications.
“We didn’t start seeing pilots or testing for this until the NIST guidelines went into draft mode in 2014,” Frazier said, “and it’s taken the two years since then to wind our way through the final policy pronouncements and product development.”
The first users of the product will likely be civilian agencies, which have been looking for a solution that would also allow them to extend their current investments in hard-token PIV and smart cards instead of having to develop a different authentication system for mobile users.
It’s unclear so far whether the Defense Department would use this type of mobile soft token. DOD went its own way on PKI and Common Access Card implementation, and a few months ago, it said it would be eliminating CACs in favor of a new, multifactor authentication system. Meanwhile, last year DOD approved the use of derived credentials for some of its BlackBerry users.
Frazier said the new derived credential product could spell the end for legacy BlackBerry devices still in use at various civilian agencies. The devices had been pervasive in government because of the secure connectivity they brought with them. For that reason, agencies have been reluctant to get rid of them until they had other viable systems in place, Frazier said, adding that the derived credential could be a big incentive for making the switch.
“This allows [agencies] to provide the kind of seamless mobile experience they’ve always talked about wanting to deliver for their users,” he said. “It gives them that experience while tying the security to that existing hardware token, so they have a higher level of security and better usability.”
Posted by Brian Robinson on Aug 26, 2016 at 1:07 PM