PIV Cards Are Compatible with Cloud-Based Web Applications
Federal IT managers who have been thinking about zero trust and how it relates to existing FICAM compliant authentication systems need to know about advances in the commercial space that may affect them.
Let’s take a few seconds to review how PIV cards work. PIV cards contain digital certificates and, more important, private keys assigned to each user.
The digital certificate, issued by some certification authority (CA) within the federal PKI tree, describes the user’s identity. The private key is used in public-key cryptography to prove that the user is in control of the PIV card and has it at the moment of authentication.
This certificate-based authentication is widely supported in most enterprise web applications, desktop and laptop operating systems, and VPN applications.
As any PIV user knows, this method of authentication is extremely resistant to credential theft, which makes it very secure.
The main issue with PIV-based authentication is that it is based on a walled garden within the federal PKI tree. This makes enrollment in PIV a cumbersome and time-consuming process, and one which is not friendly to contractors or other third parties.
PIV cards have other limitations that affect both usability and security. They are poorly supported on mobile devices, require some additional reader hardware, and the physical user must be present.
FIDO2: If PIV Had Been Invented 20 Years Later
While PIV is dominant in the federal private infrastructure, cloud and enterprise application vendors are exploring new ways to combine the passwordless security of certificate-based authentication with other enrollment models.
The FIDO2 standards, coordinated by the Fast Identity Online (FIDO) Alliance, and their interoperability with , coordinated by the World Wide Web Consortium, are the most important new technologies to know about.
The FIDO Alliance made a big splash earlier this year when Microsoft, Apple and Google, along with the Cybersecurity and Infrastructure Security Agency, announced their commitment to pushing FIDO2 into desktop and mobile platforms, browsers and web services.
From a cryptographic protocol point of view, FIDO2 delivers equivalent security to PIV authentication. However, the deployment model is very different. FIDO2 is designed for massive scalability beyond the capabilities of current PKI systems, and it uses a direct registration by the user (with a cryptographic token) to create the public/private key pairs.
With FIDO2, rather than using a single certificate to authenticate to multiple devices, applications and networks, the user has many cryptographic keys. Each key is assigned for a different purpose, whether that’s one or a group of web applications, VPN access or even SSH terminal access.
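The registration and authentication model described above, as an added Go example that is not part of the original article. It models a FIDO2 token that creates a separate P-256 key pair for each relying-party ID and answers a fresh server challenge by signing it together with a hash of that ID, so a credential registered for one site cannot be used at another. The PIV flow in the earlier section is the same challenge-response step, except that one key is used everywhere and its public half is carried in a CA-issued certificate. The type names, the relying-party IDs bank.example and mail.example, the user name and the simplified signed-message layout are all constructed for illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Authenticator models a FIDO2 security key: one private key per relying-party (RP)
// ID, never exported. Constructed for this example; real tokens also report a counter.
type Authenticator struct {
	creds map[string]*ecdsa.PrivateKey // rpID -> private key
}

// Register is the "create credential" step: a fresh P-256 key pair scoped to rpID.
func (a *Authenticator) Register(rpID string) (*ecdsa.PublicKey, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	a.creds[rpID] = priv
	return &priv.PublicKey, nil // only the public half leaves the token
}

// Sign is the "get assertion" step: prove possession of the rpID key by signing
// the server's challenge together with a hash of the RP ID.
func (a *Authenticator) Sign(rpID string, challenge []byte) ([]byte, error) {
	priv, ok := a.creds[rpID]
	if !ok {
		return nil, fmt.Errorf("no credential registered for %q", rpID)
	}
	return ecdsa.SignASN1(rand.Reader, priv, assertionHash(rpID, challenge))
}

// assertionHash binds the RP ID into the signed message (a simplified form of
// WebAuthn's authenticatorData || SHA-256(clientDataJSON)).
func assertionHash(rpID string, challenge []byte) []byte {
	rpHash := sha256.Sum256([]byte(rpID))
	h := sha256.New()
	h.Write(rpHash[:])
	h.Write(challenge)
	return h.Sum(nil)
}

// RelyingParty is the server side: it stores only public keys.
type RelyingParty struct {
	ID   string
	keys map[string]*ecdsa.PublicKey // username -> registered public key
}

// Challenge issues 32 fresh random bytes per login so assertions cannot be replayed.
func (rp *RelyingParty) Challenge() ([]byte, error) {
	c := make([]byte, 32)
	_, err := rand.Read(c)
	return c, err
}

// Verify recomputes the message under its own RP ID and checks the signature with
// the stored key; an assertion made for another RP fails on both counts.
func (rp *RelyingParty) Verify(user string, challenge, sig []byte) bool {
	pub, ok := rp.keys[user]
	return ok && ecdsa.VerifyASN1(pub, assertionHash(rp.ID, challenge), sig)
}

// login runs one challenge/response round for "alice", the token answering
// from whatever key it holds for scope.
func login(rp *RelyingParty, token *Authenticator, scope string) (bool, error) {
	ch, err := rp.Challenge()
	if err != nil {
		return false, err
	}
	sig, err := token.Sign(scope, ch)
	if err != nil {
		return false, err
	}
	return rp.Verify("alice", ch, sig), nil
}

// Demo enrolls one token at two RPs and reports whether a legitimate login
// succeeds and whether an assertion scoped to the bank is rejected by mail.
func Demo() (legit, crossRPRejected bool, err error) {
	token := &Authenticator{creds: map[string]*ecdsa.PrivateKey{}}
	bank := &RelyingParty{ID: "bank.example", keys: map[string]*ecdsa.PublicKey{}}
	mail := &RelyingParty{ID: "mail.example", keys: map[string]*ecdsa.PublicKey{}}
	for _, rp := range []*RelyingParty{bank, mail} {
		pub, e := token.Register(rp.ID) // a distinct key pair per RP
		if e != nil {
			return false, false, e
		}
		rp.keys["alice"] = pub
	}
	if legit, err = login(bank, token, bank.ID); err != nil {
		return false, false, err
	}
	// Cross-RP replay attempt: the bank-scoped key answers mail's challenge.
	ok, err := login(mail, token, bank.ID)
	return legit, !ok, err
}

func main() {
	fmt.Println(Demo()) // true true <nil>
}
```

The per-RP scoping is what gives FIDO2 its phishing resistance: the relying party only ever sees a signature over its own ID and its own one-time challenge, so neither the key nor the assertion is reusable elsewhere, which is the property the article contrasts with a single PIV certificate used across many systems.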