Working to keep PIV credentials up-to-date

By: William Jackson
July 24, 2015


The government has issued millions of PIV cards containing digital credentials to federal employees and contractors. Although the government still lags in using these credentials for secure access to IT systems, NIST is working to keep the credentials relevant in a mobile world.

The National Institute of Standards and Technology is asking for feedback on a proposal to enable wider use of standardized secure digital credentials to manage access to critical infrastructure and sensitive IT systems.

The digital credentials already exist. Over the last 10 years agencies have issued millions of Personal Identity Verification (PIV) cards to federal employees and contractors, smart ID cards that contain digital certificates that can be used for verifying identity, encryption and digital signatures. The goal of the PIV card was to create an interoperable ID that could be used not only for physical access, but also for logging on to government information systems.

Like many government programs, the PIV card hasn’t worked exactly as intended. Although the government has done a remarkable job in designing, producing and distributing the cards, only one in five civilian government employees was using the digital credentials to sign on to IT systems at the end of fiscal 2013. Still, NIST is doing its part to keep the credentials updated and relevant in the rapidly evolving world of IT.

Ten years ago, PIV credentialing focused on use with desktop and laptop PCs. “Today, the proliferation of mobile devices that do not have integrated smart card readers complicates PIV credentials and authentication,” NIST wrote in announcing the expansion effort. NIST is demonstrating the feasibility of a security platform based on PIV standards to support federal and non-federal systems such as critical infrastructure and other private sector systems. With this platform, credentials could be ported to mobile devices.

NIST is asking for comments by Aug. 14 on a draft paper explaining the program to use credentials derived from PIV standards. “Derived PIV credentials represent one possible way to PIV-enable a mobile device,” the paper says. “The document specifies the use of tokens on mobile devices in which derived PIV credentials and their corresponding private keys may be used.”

Guidelines for using derived PIV credentials have been released in Special Publication 800-157. This publication does not address use with mobile devices, but provides a general alternative for cases in which it would be impractical to use a physical PIV Card. Use of a derived token in a different form factor, such as a mobile device, could improve the usability of the credentials for authentication.

NIST has developed a proof-of-concept prototype platform for use of derived identity credentials in a mobile environment. Although the focus is on federal credentials, personal identity verification and strong, standardized identity-based security in mobile environments can be important to the private sector as well as to government.

Expanding the good work that already has been done in establishing an interoperable standard for strong authentication using digital credentials is a laudable goal. If we could get agencies to use more consistently the PIV credentials that employees already have, things would be even better.

A form for submitting comments on the draft paper is available online.