Mobile Derived Credentials for Assured Identity for Federal Government

The solution is in hand, literally. It’s the mobile phone.

Most U.S. Federal agencies rely on Personal Identity Verification (PIV) cards for staff authentication; the Department of Defense (DoD) uses the Common Access Card (CAC) for this purpose. The DoD has a bold vision for modernizing its authentication approach. However, the path from smart cards to next-generation solutions has not been mapped, and federal policy has not kept up with evolving technology.

Background

In June 2016, DoD Chief Information Officer Terry Halvorsen made several speeches about potential changes to the department's use of the CAC, which has been in use since 1999.

For experts in cyber security, replacing this card with an alternative system would be a challenge on the scale of President Kennedy's historic vision for space exploration. A huge population uses this technology for authentication to DoD networks and facilities; without it, what is the alternative? Halvorsen did not identify a specific replacement. Rather, he broadly indicated a desire for a multi-factor authentication solution that incorporates biometrics, personal contextual data or behavior-based techniques. The DoD realistically cannot phase out the more than 2.8 million CACs in use by the envisioned 2018 deadline. However, Halvorsen's ideas are timely: the CAC is not practical in constrained environments such as a theater of military operations, it is cumbersome to use with mobile devices, and it does not enable secure interoperability with mission partners.

Also released in 2016 was an unclassified paper by Kim Rice, portfolio manager for the DoD mobility program office in the Defense Information Systems Agency (DISA). In it, Rice focused the vision on DoD mobility. Rice's position may be summarized as less about eliminating the CAC than about enabling authentication from any location, using any device. Specifically, Rice called for enabling personnel to securely work in any location, on any device, and across any network.

Technology Solution

The proposed solution does not eliminate the CAC. Instead, in line with Rice's approach to realizing Halvorsen's vision, it builds on the CAC with a device that nearly all federal employees already carry: a mobile phone.

Currently, obtaining a CAC requires considerable time and expense to vet the individual through in-person registration and a lengthy security background check. The solution is to leverage that vetting by making the CAC the first-level credential for assured identity on a mobile device. Once a person has proved possession of the CAC, the credential on the phone can be unlocked with a PIN or biometric and paired with a second method of authentication that only the true cardholder can complete.

Modern devices contain a universal integrated circuit card (UICC), commonly known as the SIM card, which provides tamper-resistant storage for keys and encrypted data. Mobile carriers have their own incentive (usage-based billing) to keep that hardware trustworthy, and mobile authentication would leverage the capabilities already built into these commercial products. Depending on the level of assurance needed, the cryptographic token could be embedded in the device or removable, and implemented in hardware or software.
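To make the two steps concrete, here is an added Go example (not code from this article, DoD or DISA) that models derived-credential issuance and use with only the standard library: a constructed agency root signs the CAC's PIV authentication certificate, the cardholder proves possession of the card by signing a fresh challenge, the issuer then certifies a new key generated on the phone, and a relying party later accepts only that derived credential. The root, the cardholder name, and the use of the certificate OU as a stand-in for the certificate policy that a real PIV or derived PIV certificate carries are all assumptions made for the illustration; PIN entry on the card and keystore unlock on the phone are represented only by comments.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Credential pairs a private key that never leaves its holder (CAC chip, phone keystore, CA HSM) with its certificate.
type Credential struct {
	Key  *ecdsa.PrivateKey
	Cert *x509.Certificate
}

// issue generates a fresh P-256 key and has signer certify it with tmpl; a nil signer yields the self-signed root.
func issue(tmpl *x509.Certificate, signer *Credential) (*Credential, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	parent, signKey := tmpl, key
	if signer != nil {
		parent, signKey = signer.Cert, signer.Key
	}
	tmpl.NotBefore, tmpl.NotAfter = time.Now().Add(-time.Hour), time.Now().Add(24*time.Hour)
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signKey)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &Credential{Key: key, Cert: cert}, nil
}

// NewRoot is a constructed stand-in for the agency PKI that signed the CAC certificate.
func NewRoot() (*Credential, error) {
	return issue(&x509.Certificate{SerialNumber: big.NewInt(1), IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign, Subject: pkix.Name{CommonName: "Example Agency CA"}}, nil)
}

// IssueLeaf certifies a new holder key for client authentication; the OU stands in for the
// certificate policy that marks it as the primary PIV credential or one derived from it.
func IssueLeaf(root *Credential, cn, ou string) (*Credential, error) {
	return issue(&x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), // toy serial; a real CA tracks these durably
		Subject:      pkix.Name{CommonName: cn, OrganizationalUnit: []string{ou}},
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}, root)
}

// Verify is the relying-party side and never sees a private key: the chain must end at root,
// the OU must be the expected credential type, and sig must cover the verifier's own nonce.
func Verify(root, cert *x509.Certificate, wantOU string, nonce, sig []byte) error {
	roots := x509.NewCertPool()
	roots.AddCert(root)
	if _, err := cert.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}); err != nil {
		return fmt.Errorf("chain: %w", err)
	}
	if ou := cert.Subject.OrganizationalUnit; len(ou) != 1 || ou[0] != wantOU {
		return fmt.Errorf("credential type %v, want %q", ou, wantOU)
	}
	h := sha256.Sum256(nonce)
	if pub, ok := cert.PublicKey.(*ecdsa.PublicKey); !ok || !ecdsa.VerifyASN1(pub, h[:], sig) {
		return fmt.Errorf("signature does not verify")
	}
	return nil
}

// Authenticate is one challenge-response round: the verifier draws a fresh nonce, the holder signs it
// (a CAC releases this signature only after the PIN; a phone keystore after PIN or biometric), and the verifier checks it.
func Authenticate(root, holder *Credential, wantOU string) error {
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return err
	}
	h := sha256.Sum256(nonce)
	sig, err := ecdsa.SignASN1(rand.Reader, holder.Key, h[:])
	if err != nil {
		return err
	}
	return Verify(root.Cert, holder.Cert, wantOU, nonce, sig)
}

// Derive is enrollment: proof of possession of the primary PIV credential earns a certificate for a key generated on the phone, so the CAC's vetting is inherited; a derived credential cannot derive another.
func Derive(root, card *Credential) (*Credential, error) {
	if err := Authenticate(root, card, "PIV"); err != nil {
		return nil, fmt.Errorf("CAC proof of possession failed: %w", err)
	}
	return IssueLeaf(root, card.Cert.Subject.CommonName, "Derived PIV")
}
```

Both Derive and Authenticate run a fresh-nonce challenge-response, so a captured signature cannot be replayed, and the OU check is what keeps a derived credential from bootstrapping another one or standing in for the card wherever the primary credential is required. Whether a relying party may accept the derived credential in place of the card at all is the policy question taken up below.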

Admittedly, there are inherent security challenges with mobile devices, such as:

  • Small devices are easy to lose or steal
  • Device passcodes may be left disabled for the user's convenience
  • Multiple channels of attack are possible: unsecured Wi-Fi, malware, unauthorized jailbreaking, missed security updates, obvious passwords, malicious websites, and so on

However, there are several ways to mitigate these challenges, such as the recommendations in the U.S. Government Accountability Office's report to congressional committees, "Information Security: Better Implementation of Controls for Mobile Devices Should Be Encouraged" (GAO-12-757, September 2012).

End Users

End users can mitigate these threats to better secure their mobile devices by:

  1. Maintaining physical control of the device
  2. Enabling user authentication
  3. Limiting the use of insecure communication channels. For example, if one sends sensitive communications over an open Wi-Fi network at a coffee shop, a person sitting nearby can capture any traffic that is not encrypted, essentially eavesdropping on it.
  4. Downloading apps only from reputable sources
  5. Installing security software
  6. Promptly installing security updates
  7. Enabling the remote wipe of data

Agencies

On government-issued mobile devices, a mobile device management (MDM) solution ensures every device has the latest security patches and two-factor authentication in place, in addition to other controls. The MDM is always watching: some settings it locks so they cannot be changed, while others can be compromised if the user plays with the configuration, so the MDM continually re-checks that the device is still configured securely and restores or reports any drift.

Agencies can mitigate threats to better secure their employees’ mobile devices by:

  • Establishing and implementing a mobile device security program, including user training that frequently emphasizes the user's impact. The agency can implement strong technical controls, but if the user is cavalier, there will be vulnerabilities.
  • Implementing layered security, such as authentication to the device, cryptographic protection of stored data and transactions, and user training and awareness of security risks.
  • Deploying a mobile device management (MDM) solution that runs in the background and partitions a "sandbox" environment for agency data, manages the security configuration of the device, enforces two-factor techniques, and encrypts stored data.
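As an added illustration of what "the MDM is always watching" amounts to in practice (example code, not the article's or any MDM vendor's), this Go program evaluates one device's posture report against an agency baseline and returns every violation found. The posture fields, the policy values and the device records in the usage are constructed assumptions; a real MDM would collect the fields from its device agent and act on the findings by blocking the derived credential or triggering a remote wipe.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
	"time"
)

// Posture is a constructed snapshot of what an MDM agent reports for a device.
type Posture struct {
	DeviceID    string
	OSVersion   string // dotted numeric, e.g. "9.3.5"
	PasscodeSet bool
	Jailbroken  bool
	Encrypted   bool
	LastCheckIn time.Time
}

// Policy is the agency baseline the MDM enforces between check-ins.
type Policy struct {
	MinOSVersion  string
	MaxCheckInAge time.Duration
}

// parseVersion splits "9.3.5" into [9 3 5]; anything non-numeric is rejected
// rather than guessed at, since an unreadable version cannot be trusted.
func parseVersion(v string) ([]int, error) {
	var out []int
	for _, p := range strings.Split(v, ".") {
		n, err := strconv.Atoi(p)
		if err != nil {
			return nil, fmt.Errorf("unparseable version %q", v)
		}
		out = append(out, n)
	}
	return out, nil
}

// versionLess reports whether a is older than b; missing trailing components
// count as zero, so "9.3" and "9.3.0" compare equal.
func versionLess(a, b []int) bool {
	for i := 0; i < len(a) || i < len(b); i++ {
		x, y := 0, 0
		if i < len(a) {
			x = a[i]
		}
		if i < len(b) {
			y = b[i]
		}
		if x != y {
			return x < y
		}
	}
	return false
}

// Evaluate returns every way the device fails the baseline. An empty result
// means the MDM lets the device keep using its derived credential; anything
// else is grounds to block access until the device is remediated, and a
// jailbroken device is a candidate for remote wipe.
func Evaluate(pol Policy, d Posture, now time.Time) ([]string, error) {
	minV, err := parseVersion(pol.MinOSVersion)
	if err != nil {
		return nil, fmt.Errorf("policy: %w", err)
	}
	var findings []string
	if v, err := parseVersion(d.OSVersion); err != nil || versionLess(v, minV) {
		findings = append(findings, fmt.Sprintf("OS %q below minimum %s", d.OSVersion, pol.MinOSVersion))
	}
	if !d.PasscodeSet {
		findings = append(findings, "device passcode not enabled")
	}
	if d.Jailbroken {
		findings = append(findings, "device is jailbroken or rooted")
	}
	if !d.Encrypted {
		findings = append(findings, "storage encryption off")
	}
	if age := now.Sub(d.LastCheckIn); age > pol.MaxCheckInAge {
		findings = append(findings, fmt.Sprintf("no MDM check-in for %s", age.Round(time.Hour)))
	}
	return findings, nil
}
```

Running Evaluate with a policy of minimum OS 9.3.5 and a 24-hour check-in window flags a constructed device reporting OS "9.3", no passcode, a jailbreak and a check-in three days ago with four findings, while a device that reports an unreadable OS version is flagged on that alone rather than trusted by default.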

Policy Challenge

In addition to a new technology solution, the government's Personal Identity Verification (PIV) credential standards need an update. Specifically, NIST Special Publication 800-157, Guidelines for Derived PIV Credentials (nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-157.pdf), does not allow a mobile derived credential to be used for authentication to a second platform in lieu of the PIV card. Therefore, as a matter of regulatory policy, one cannot use the derived credential on a mobile device to log on to a laptop or desktop. In other words, the current government standards do not allow mobile derived credentials to serve as a general credential for assured identity, and they need to be updated.

Conclusion

The DoD's initial thinking was that in a technical environment it would not need to use the CAC. But if the CAC is eliminated, another authentication solution is required, and the biggest expense associated with the CAC is not the plastic card itself; it is the background checks and paperwork done to vet the individual to whom the card was issued.

The solution is to leverage derived credentials on mobile devices as one important component of an assured identity solution that does not require presenting the CAC at the point of use. The technology infrastructure is available, but the standards must be updated to match the need, the vision, and the technological capabilities.
