The National Institute of Standards and Technology (NIST) is soliciting comments on draft guidelines for authenticating mobile-device users who access government networks. The guidelines expand on existing standards for using digital credentials derived from personal identity verification (PIV) cards, given that many smartphones and tablets do not have smart-card readers with which to read the PIV cards.
Special Publication 800-157 offers guidelines for implementing secure, standards-based public-key infrastructure (PKI) credentials without requiring a physical card reader. In this scenario, a digital token derived from credentials stored on the PIV card could be used as an alternative to the card in approved situations.
The most recent release of the Federal Information Processing Standard for PIV Cards (FIPS 201-2) included standards for using PIV-derived credentials with mobile devices. The new draft publication, Guidelines for Derived Personal Identity Verification (PIV) Credentials, provides requirements on: how to issue, maintain, and terminate credentials; certificate policies and cryptographic specifications; technical specifications for permitted cryptographic token types; and command interfaces for removable tokens.
Homeland Security Presidential Directive 12, published in 2004, mandated the PIV card to provide a common identification standard, including digital data, to be used across government for both logical and physical access. The card contains not only printed information and a photograph, but also digital information and cryptographic PKI keys on a smart chip. FIPS 201, created in 2005, set standards for the card and its interfaces; at the time, the card was used primarily with desktop and laptop computers.
The draft publication said that "the use of PIV cards has proved challenging" with modern mobile devices. Most mobile devices do not have integrated smart-card readers, making it difficult to use the required PIV cards for access to federal resources.
Some devices, especially tablets aimed at the government market, now include smart-card readers, and separate readers are also available as add-ons. Devices enabled for Near Field Communication (NFC) could also connect wirelessly with PIV cards at close range using the card's contactless antenna, but a secure channel between the card and the device cannot always be ensured. When it is impractical to use card readers or NFC, the new standards and specifications will allow alternative forms of derived credentials, such as microSD or USB tokens, Universal Integrated Circuit Cards, or circuits embedded in the mobile device.
Find out how a government program is putting cloud computing on the fast track to better security. Also in the Cloud Security issue of InformationWeek Government: Defense CIO Teri Takai on why FedRAMP helps everyone.