Feds Move Toward Hardwired Credentials On Mobile Devices - InformationWeek

NIST proposes ways for mobile-device users to access government networks without requiring smart-card readers.

The National Institute of Standards and Technology (NIST) is soliciting comments on draft guidelines for authenticating mobile-device users who access government networks. The guidelines expand on existing standards for using digital credentials derived from personal identity verification (PIV) cards, given that many smartphones and tablets have no smart-card reader with which to read a PIV card.

Special Publication 800-157 offers guidelines for implementing secure, standards-based public-key infrastructure (PKI) credentials without requiring a physical card reader. In this scenario, a digital token derived from credentials stored on the PIV card could be used as an alternative to the card in approved situations.

The most recent release of the Federal Information Processing Standard for PIV Cards (FIPS 201-2) included standards for using PIV-derived credentials with mobile devices. The new draft publication, Guidelines for Derived Personal Identity Verification (PIV) Credentials, provides requirements on: how to issue, maintain, and terminate credentials; certificate policies and cryptographic specifications; technical specifications for permitted cryptographic token types; and command interfaces for removable tokens.

Smart chip on a PIV card.  (Source: NIST)

Homeland Security Presidential Directive 12, published in 2004, mandated the PIV card to provide a common identification standard, including digital data, to be used across government for both logical and physical access. The card carries not only printed information and a photograph but also digital information and cryptographic PKI keys on a smart chip. FIPS 201, created in 2005, set standards for the card and its interfaces; at the time, the card was used primarily with desktop and laptop computers.


The draft publication said that "the use of PIV cards has proved challenging" with modern mobile devices. Most mobile devices do not have integrated smart-card readers, making it difficult to use the required PIV cards for access to federal resources.

Some devices, especially tablets aimed at the government market, now include smart-card readers, and separate readers are also available as add-ons. Devices enabled for Near Field Communication (NFC) could also connect wirelessly with a PIV card at close range using the card's contactless antenna, but a secure channel between the card and the device cannot always be ensured. Where card readers or NFC are impractical, the new standards and specifications will allow alternative forms of derived credentials, such as microSD or USB tokens, Universal Integrated Circuit Cards, or circuits embedded in the mobile device itself.

Comments on the draft guidelines should be sent by April 21 to piv_comments@nist.gov, using a provided Excel template.


William Jackson is a writer with the Tech Writers Bureau (http://www.techwritersbureau.com), with more than 35 years' experience reporting for daily, business and technical publications, including two decades covering information ...

User Rank: Ninja
3/10/2014 | 6:11:37 PM
Re: Mobile buzz
I think that implementing a hardware solution is a good idea. This just makes it much harder for malicious actors to be able to break in - hardware is another gauntlet to get through. And it is a tough one to crack. 
User Rank: Author
3/7/2014 | 3:08:58 PM
Mobile buzz
DOD CIO Teri Takai spoke just this last week about the importance this development will have in the Defense Department's mobility strategy by eventually getting away from using PIV cards and mobile card readers. The NIST doc is now up for a 45-day comment period. It will be interesting to see the response, especially since this will involve an encrypted hardware approach, not a software solution.