Strong authentication remains a cybersecurity priority under the Office of Management and Budget’s (OMB) cross-agency priority goals that were announced in the 2015 federal budget. In its 2015 report to Congress on Federal Information Security Management Act (FISMA) compliance, OMB indicated nearly one-third of federal security incidents could have been prevented by implementing strong authentication.
With Homeland Security Presidential Directive 12 (HSPD-12), the Department of Defense’s (DoD) Directive 8100.2, various National Institute of Standards and Technology (NIST) guidance under the Federal Information Security Management Act (FISMA) and other agency directives all addressing some element of authentication, we can only expect that the discussion around proper and secure government authentication methods will continue.
Currently, government authentication and identity management are standardized on smart card technology to meet current mandates – the common access card (CAC) for DoD, and the personal identity verification (PIV) card for its civilian counterparts.
Today, many hurdles remain when it comes to CAC and PIV’s integration with new technologies. Originally, the thought process in government was for every mobile application vendor to integrate smartcard middleware at the application level. But this approach was not only time consuming and costly for application developers, it also limited agency choice — because there is no one set of middleware that supports all readers. For example, one app may support a different set of readers than another – creating a cumbersome user experience and a complex support environment for IT administrators.
These integration discrepancies become elevated in the mobile realm. Thanks to middleware embedded in desktop computer operating systems, integration of CAC and PIV is basically plug-n-play for access. However, as mobility continues to be a priority across agencies to increase productivity, mission success and constituent services, agencies have hit hurdles with authentication on smartphones. At the end of the day, what it comes down to is smart cards and smartphones are not a smart match.
Difficulties that arise around smartphone integration begin with user experience. Smartphones running iOS and Android do not support CAC logon to the device, meaning users still need a traditional password to log on while also attaching a bulky reader to the device. This password logon plus CAC authentication must be repeated each time a user needs to access a certain application and/or data set – a cumbersome process.
Other challenges center on the cost of integrating smart card readers onto mobile devices. Today, smartphones do not have built-in smart card readers. Because of this, agencies tend to rely upon external readers that plug in or connect via Bluetooth, costing upwards of $150 each.
The future of authentication – decoupling the need of middleware
How do we circumvent the problems between smart cards and smartphones, as well as other mobile devices such as tablets? Today, some agencies have opted for a soft token approach – storing an alternative set of credentials directly on the smartphone. While this approach removes the need for bulky and expensive readers, it does not have a broad appeal as it’s essentially a second set of credentials in addition to those stored on a user’s smart card.
To further resolve smart card and soft token pitfalls, NIST has provided FIPS 201-2 and NIST SP 800-157 guidance specifically covering the use of a derived credential as a bridge between the two. Derived credentials, as the name implies, are derived from the credentials on a smart card and stored in soft token form. The credentials are secured using the hardware protection that a smartphone, tablet or other mobile device may offer.
Derived credentials have already picked up a lot of momentum in the federal space. Today, we are seeing the Air Force, Navy and Defense Information Systems Agency (DISA) look into derived credential initiative programs. Specifically, in September 2014, the Department of Defense CIO signed a memo allowing for a pilot program of its own to send secure emails on mobile devices utilizing derived credentials. A full rollout of this program is expected as early as July 2015.
Risk mitigation, biometrics … and beyond
While strong authentication is an important factor in maintaining secure access to government data and programs, it’s just the first step. Additional risk mitigation techniques should be part of every security defense approach. Risk mitigation includes verification of the underlying operating systems and the applications themselves to ensure they are providing the required security, policy management and compliance controls.
When looking at improvements around authentication in government agencies, it’s also important to consider multi-layer security, especially given that passwords are both antiquated and often easily compromised. In fact, even the President stressed the need for better, stronger security methods at the White House Cybersecurity Summit in February. Alternative authentication methods such as biometrics (including facial, voice and fingerprint authentication) offer additional layers of authentication in a potential multi-factor approach.
While these methods are not in use within government agencies today, we are starting to see pilots in motion. For example, in January 2015, it was announced that the US military is testing the use of cognitive fingerprints using behavior-based biometrics to confirm identities based off the way a person uses a device.
At the moment, these and several other future-proof authentication methods are still being developed. The slower pace of deployment within the government versus the private sector is limiting the potential of these technologies. As a result, federal agencies will need to implement solutions that allow quick and easy authentication deployment that supports mobile access while also supporting various authentication methods for the future.
In the meantime, while the detailed definition of derived credentials is still being interpreted, public sector agencies are taking steps in the right direction – maintaining robust security while offering an easy, seamless user experience, within agency budgets. We will likely see derived credentials take the limelight when it comes to government authentication around mobility, and perhaps eventually replace the CAC and PIV cards agency employees rely on today.
Eugene Liderman is director of product management, public sector, Good Technology.