NCCoE Project Enables Users to Leverage Credential in Mobile Devices for Authentication to Information Systems

Derived Personal Identity Verification (PIV) Credentials project combines the security of a PIV Card with the flexibility of a mobile device

With the integration of mobile devices, including smartphones and tablets, into their daily lives people are changing how, where, and when they work. The office is no longer the only place where work gets done; users want access to the information they need using the devices that work best for them. Checking email or approving expense reports while out of the office are just a few examples of the flexibility that users desire to manage life in today’s fast-paced world.

However, what should users do when the work involves sensitive information? For example, federal employees and contractors handle a wide variety of information, some of which is sensitive, such as personally identifiable information (e.g. Social Security numbers, addresses, and birth dates). Access to this information needs to be restricted and security procedures have been established to provide additional levels of protection. These procedures require additional elements to verify the identity of the user, who typically uses computing devices such as laptops and desktops to access information systems. The requirement of additional elements, also known as factors, is referred to as multifactor authentication. When multifactor authentication is implemented, a user must present two authentication factors that can be from the following three categories:

  1. something you know (like a password or PIN)
  2. something you have (like a smart card or token)
  3. something you are (like your fingerprint)

The government issues Personal Identify Verification (PIV) Cards—a type of smart card—as the “something you have,” which is used in combination with the “something you know,” in this case a PIN. The use of PIV Cards leverages the identity proofing of existing authentication standards to keep information systems safe from malicious actors. (More information about the Homeland Security Presidential Directive-12 (HSPD-12) that mandated the common identification standard and the Federal Information Processing Standard (FIPS) 201 that specifies a common set of credentials in the PIV Card, is available online.)

While PIV Cards provide the strong security needed to protect sensitive systems, they also require a physical card reader to access the authentication information contained in the card. However, most mobile devices are not equipped with smart card readers.

To address this issue, the National Institute of Standards and Technology (NIST) published Special Publication (SP) 800-157, Guidelines for Derived Personal Identity Verification Credentials, which describes an alternative token, the Derived PIV Credential that can be implemented and deployed directly with mobile devices (such as smartphones and tablets) to provide PIV-enabled authentication services on the mobile device to authenticate the credential holder to remote systems.

To demonstrate a practical application of this system, the NCCoE built a security architecture using commercially available technology that demonstrates life cycle management of derived PIV Credentials in mobile devices, and documented the work in draft NIST SP 1800-12, Derived Personal Identity Verification Credentials. This draft SP is a practice guide that organizations can reference as they work to establish multifactor authentication for information systems and websites from mobile devices that lack PIV Card readers.

“The NCCoE is focused on accelerating businesses' adoption of standards-based, security technologies,” said Tim McBride, deputy director of the NCCoE. “We do that by collaborating with technology innovators to demonstrate real-world, standards-based cybersecurity capabilities aimed at addressing sector-specific business challenges. Although the PIV program and the NCCoE Derived PIV Credentials project are primarily aimed at the federal sector’s needs, our practice guide is relevant to private sector organizations who have smart card infrastructures who are also looking to move their identity credentials into mobile devices.”

A second draft of this practice guide is currently under development that will incorporate public comments on the draft and expands beyond using a cloud-based Credential Management System (CMS) to issue derived PIV Credentials to a managed mobile device using ICAM shared services. The second draft’s reference architectures use an enterprise CMS to issue credentials to (1) a software container and (2) to a hardware container to provide a convenient and secure means to authenticate a user’s identity. The anticipated publication date of the second draft practice guide is June 2018.