For the past few months, there has been a buzz in the mobility, security and PIV communities concerning the new NIST standard for PIV derived credentials. As with any new technology, having a basic understanding can drastically help you decide the best way to harness the technology to improve security and streamline business operations.
What is a PIV derived credential?
The PIV derived credential is a set of digital identity keys stored on a mobile device that make the mobile device behave like a PIV card so you can access secure resources using only your mobile device. In other words, with PIV derived credentials, you can use your mobile device like a PIV card.
What does derived mean?
The great thing about the new PIV derived credential specification is efficiency. Now, if you have a valid PIV card, you can use that PIV card to obtain a mobile credential without having to be fingerprinted again. Thus, derived means that you can generate a new credential based on your existing PIV card…or derive a new credential from an existing one.
Why do we need another PIV credential?
This question is best answered with more questions…. Have you ever tried to open an email on your phone, but could not because it was encrypted? Or have you ever tried to connect to your VPN from your tablet but could not because a PIV card was required. In other words, was your mobile device rendered useless because a PIV card was required for access?
The new PIV derived credential solves the problem of not being able to use your PIV card with your phone or other mobile device. With a PIV derived credential, the mobile device can behave like a PIV card so the mobile device can access PIV secured resources without having to actually insert the PIV card into the mobile device. Now a user can use their phone, tablet or other mobile device to access the VPN or read an encrypted email all from a mobile device without having to insert a PIV card.
No PIV Card…How can this work?
At the core of every secure transaction is a set of digital keys (known as a cryptographic key pair) that uniquely identify a user. The important thing to understand is that these keys cannot be stolen or guessed so they are much more secure than an old fashioned password.
With a PIV card, these digital keys are generated and stored within the microcomputer that is embedded within the card. However, with a PIV derived credential, the digital keys are generated and stored within the mobile device’s microcomputer. Now that the mobile device has the ability to securely generate and store keys like a PIV card, the mobile device can be used like a PIV card.
Is a PIV derived credential secure?
Yes! The reason this is secure is because of two major factors:
NIST Security Standards: The derived credential effort has been extensively researched by the most intelligent, security conscious and vendor neutral experts in the world. Additionally, the standard has been further refined through a cycle of feedback from industry experts. NIST guidance, outlines the detailed security controls and techniques that must be implemented in order to ensure security is embedded throughout the entire process. Furthermore, NIST security assessment techniques also ensure a third party assess the infrastructure to ensure the technologies and processes have been implemented properly and securely.
Close security loopholes (for good): What happens when someone cannot use their PIV card, but needs access to a secure system? The IT group must permit the use of passwords as an authentication mechanism thereby creating an enterprise security vulnerability. With PIV derived credentials, the IT group can finally enforce strong, multi-factor login for all applications because the end user now always has access to PIV secure identification technologies.
Can PIV derived credentials benefit my agency?
Yes – when properly implemented, PIV derived credentials will result in direct cost savings. In addition to the drastic security benefits, organizations can leverage derived credentials for significant cost savings in the two following areas: 1) lower operations costs, 2) lower hardware costs. Here’s how:
Lower operations costs: Since the digital keys are stored securely within the user’s mobile device, the PIV card is no longer required. Instead, the user simply opens their mobile device, enters a security PIN and then they are able to access the secured resource without the cumbersome actions of plugging in a reader, inserting the card and then entering the PIN. This authentication streamlining allows organizations to drastically lower costs associated with training, maintenance and troubleshooting typically associated with the PIV card.
Lower hardware costs: Now that the mobile device can securely store digital keys and the PIV card is not required, smart card readers are not needed. Thus, agencies can save money by using the mobile device as a PIV credential instead of purchasing expensive PIV card readers for every mobile device within their organization.
What is required to get a PIV derived credential?
| Component | Description |
|---|---|
| Valid PIV card | One of the most important elements of the PIV derived credential process is to leverage the user’s current identity as a means to automate the enrollment process. In other words, the end user can use their PIV card to create a request and they do not need to go through another background check. |
| Mobile device (iPhone, iPad, Android, Windows Tablet) | As part of the process, the end user will enroll their device to make sure that the derived credential is delivered to the correct device. The mobile device will then be used to generate and store the secure digital keys. |
| Derived credential management platform | This system will manage the request, device enrollment, and the approvals for the delivery of the derived credentials to the mobile device. |
| Certificate Authority | This element signs the public key and provides the digital certificate for the mobile device. |
What is the process to obtain a PIV derived credential?
There are three major processes required for the secure registration and delivery of a derived credential.
Request a PIV derived: This process entails a user creating a request with their PIV card. During this step, the end user will authenticate to the system and sign the request with their PIV card. This process is critical in that allows the end user to use their current PIV card for identity proofing.
Approve the PIV Derived Credential Request: In this process, an authorized individual will review the request and approve it. This separation of duties is important to ensure no one person can issue derived credentials without proper approvals.
Obtain a PIV derived: In this phase, the system instructs the registered device to generate the keys and obtain a certificate from the certificate authority. This process can be fully automated to make it as easy as possible for the end user.
How can I get started?
With the finalization of the NIST standards, now is a great time to start your PIV derived credential planning if you are just beginning, or time to optimize your infrastructure if you are already issuing PIV derived credentials. At the minimum, you should consider the following to get started:
Understand your mobile security needs: : Is your agency becoming dependent on mobile technologies to perform their tasks? Could business processes be streamlined through the introduction of secure mobile technologies?
See what you already have: Many agencies have current investments in mobile technologies. See if your agency has an existing Mobile Device Management (MDM) platform. If the answer is yes, leverage the MDM security features as a way to deliver derived credentials.
Start a pilot: Since every organization is unique, conducting a pilot can provide a very cost effective way to learn what works quickly without a large capital investment.
Communicate: Engage your mobility, security and end user groups. Explain how derived credentials can be utilized to improve operations and security.
Conclusion
The new PIV derived credential represents a remarkable evolution in mobility and security. Once properly understood, organizations can leverage this technology to truly do the impossible…simultaneously increase security while also lowering operating costs.
