Feds Move Toward Hardwired Credentials On Mobile Devices - InformationWeek


NIST proposes ways for mobile-device users to access government networks without requiring smart-card readers.

The National Institute of Standards and Technology (NIST) is soliciting comments on draft guidelines for authenticating mobile-device users who access government networks. The guidelines build on existing standards for digital credentials derived from personal identity verification (PIV) cards, since most smartphones and tablets cannot read a PIV card directly.

Special Publication 800-157 offers guidelines for implementing secure, standards-based public-key infrastructure (PKI) credentials without requiring a physical card reader. A derived PIV credential is a separate PKI key pair and certificate held in a cryptographic token on or attached to the mobile device. It is "derived" only in the sense that it is issued after the cardholder has authenticated with the PIV card; it is not computed from the card's keys. In approved situations it can then be used in place of the card.

The most recent release of the Federal Information Processing Standard for PIV Cards (FIPS 201-2) included standards for using PIV-derived credentials with mobile devices. The new draft publication, Guidelines for Derived Personal Identity Verification (PIV) Credentials, provides requirements on: how to issue, maintain, and terminate credentials; certificate policies and cryptographic specifications; technical specifications for permitted cryptographic token types; and command interfaces for removable tokens.
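The issuance flow that the draft standardizes, shown as an added example (not NIST's text or code, and not InformationWeek's): the phone generates its own key pair, the cardholder proves possession of the PIV Authentication key on the card by signing a nonce chosen by the issuer, and the agency CA issues a brand-new certificate for the phone's key. The relying party then accepts that certificate with no card present. Ed25519, the names `Issuer`, `Enroll` and `Authenticate`, the "Example Agency" CA and the holder "Jane Doe" are assumptions for illustration; real PIV credentials use RSA or NIST P-curve keys, and real issuance also involves identity records, revocation checking and the token types the draft enumerates.

```go
package main

// Added example, not NIST's or InformationWeek's code: a simplified model of Derived PIV
// Credential issuance (Ed25519 for brevity; real PIV credentials use RSA or NIST P-curves).

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Issuer is the agency CA that signs both the PIV Card's certificate and the derived one.
type Issuer struct {
	CACert *x509.Certificate
	CAKey  ed25519.PrivateKey
	serial int64
}

// NewKey generates a key pair; on a real card or phone the private half never leaves the token.
func NewKey() ed25519.PrivateKey {
	_, k, _ := ed25519.GenerateKey(rand.Reader)
	return k
}

// Issue signs a client-authentication certificate for pub; ca == true self-signs the CA itself.
func (i *Issuer) Issue(cn string, pub any, ca bool) (*x509.Certificate, error) {
	i.serial++
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(i.serial),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(365 * 24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
		IsCA:         ca, BasicConstraintsValid: ca,
	}
	parent := i.CACert
	if ca {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
		parent = tmpl
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, i.CAKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// VerifyChallenge checks that cert chains to root and that sig is cert's signature over challenge.
func VerifyChallenge(root, cert *x509.Certificate, challenge, sig []byte) error {
	opts := x509.VerifyOptions{Roots: x509.NewCertPool(), KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	opts.Roots.AddCert(root)
	if _, err := cert.Verify(opts); err != nil {
		return fmt.Errorf("certificate does not chain to agency CA: %w", err)
	}
	if pub, ok := cert.PublicKey.(ed25519.PublicKey); !ok || !ed25519.Verify(pub, challenge, sig) {
		return fmt.Errorf("challenge signature invalid")
	}
	return nil
}

// IssueDerived (issuer side): a valid card signature over the issuer's nonce gates a brand-new cert for the device key.
func (i *Issuer) IssueDerived(cardCert *x509.Certificate, nonce, sig []byte, devPub any) (*x509.Certificate, error) {
	if err := VerifyChallenge(i.CACert, cardCert, nonce, sig); err != nil {
		return nil, fmt.Errorf("PIV proof of possession failed: %w", err)
	}
	return i.Issue(cardCert.Subject.CommonName, devPub, false)
}

// Enroll (device side): the card signs the nonce (the one step needing a reader), then the phone requests a cert for its own key.
func Enroll(iss *Issuer, cardKey ed25519.PrivateKey, cardCert *x509.Certificate) (ed25519.PrivateKey, *x509.Certificate, error) {
	nonce := make([]byte, 32) // fresh per request, so an old card signature cannot be replayed
	rand.Read(nonce)
	devKey := NewKey()
	cert, err := iss.IssueDerived(cardCert, nonce, ed25519.Sign(cardKey, nonce), devKey.Public())
	return devKey, cert, err
}

// Authenticate (relying party): the phone answers a fresh challenge with its derived key, no card present.
func Authenticate(root, cert *x509.Certificate, key ed25519.PrivateKey) error {
	c := make([]byte, 32)
	rand.Read(c)
	return VerifyChallenge(root, cert, c, ed25519.Sign(key, c))
}

func main() {
	iss := &Issuer{CAKey: NewKey()}
	iss.CACert, _ = iss.Issue("Example Agency PIV CA", iss.CAKey.Public(), true)
	cardKey := NewKey()
	cardCert, _ := iss.Issue("Jane Doe", cardKey.Public(), false) // PIV Authentication cert on the card
	devKey, derived, err := Enroll(iss, cardKey, cardCert)
	fmt.Println("enrolment:", err, "| card-less auth:", Authenticate(iss.CACert, derived, devKey))
	_, err = iss.IssueDerived(cardCert, nil, nil, devKey.Public()) // no proof of possession
	fmt.Println("without the card:", err)
}
```

The two properties worth noticing are that the card is touched exactly once, during `Enroll`, and that the derived certificate carries a public key the card never held, so compromising the phone's token exposes the derived credential but not the card, and the issuer can terminate the derived credential (revoke its certificate) without reissuing the card.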

Smart chip on a PIV card. (Source: NIST)

Homeland Security Presidential Directive 12, published in 2004, mandated the PIV card as a common government-wide identification standard, including digital data to be used for both logical and physical access. The card carries not only printed information and a photograph but also digital identity data and PKI keys on a smart chip. FIPS 201, issued in 2005, set the standards for the card and its interfaces; at the time, the card was used primarily with desktop and laptop computers.


The draft publication said that "the use of PIV cards has proved challenging" with modern mobile devices. Most mobile devices do not have integrated smart-card readers, making it difficult to use the required PIV cards for access to federal resources.

Some devices, especially tablets aimed at the government market, now include smart-card readers, and separate readers are available as add-ons. Devices with Near Field Communication (NFC) can also talk to a PIV card wirelessly through the card's contactless interface at close range, but a secure channel between card and device cannot always be ensured. Where a card reader or NFC is impractical, the new standards and specifications allow derived credentials to be held in alternative tokens: microSD or USB tokens, Universal Integrated Circuit Cards (UICCs, the smart-card platform used for SIMs), or circuits embedded in the mobile device itself.

Comments on the draft guidelines should be sent by April 21 to [email protected], using a provided Excel template.


William Jackson is a writer with the Tech Writers Bureau (http://www.techwritersbureau.com), with more than 35 years' experience reporting for daily, business and technical publications, including two decades covering information ...

User Rank: Ninja
3/10/2014 | 6:11:37 PM
Re: Mobile buzz
I think that implementing a hardware solution is a good idea. This just makes it much harder for malicious actors to be able to break in - hardware is another gauntlet to get through. And it is a tough one to crack. 
User Rank: Author
3/7/2014 | 3:08:58 PM
Mobile buzz
DOD CIO Teri Takai spoke just this last week about the importance this development will have in the Defense Department's mobility strategy by eventually getting away from using PIV cards and mobile card readers. The NIST doc is now up for 45 day comment. It will be interesting to see the response, especially since this will involve an encrypted hardware approach, not a software solution.