Oct 10 2022

Federal Identity Cards Must Adapt to Changing Security Environments

As zero trust becomes more entrenched, traditional PIV and CAC cards will have to adapt.

For nearly two decades, the federal government, led by the Department of Defense, has been at the forefront of strong authentication, jumping far ahead of most private sector enterprises.

Smart card authentication — based on digital certificates, a federal public key infrastructure (PKI), well-defined identity assurance levels and a physical access card — has been in place at federal agencies for many years.

Personal identity verification (PIV) cards have been in use in most large federal environments. The Federal Identity, Credential and Access Management program (FICAM) includes an overall architecture, lists of approved products and playbooks, all focused on identity and access management.

However, as the commercial and enterprise IT markets slowly catch up to better authentication and credential management, some gaps are opening between existing federal IAM and common practices in commercial environments.

Some Gaps Exist Between Cloud and Federal IT Systems

For example, FICAM has a well-defined set of assurance levels used to verify a person’s identity before issuing credentials, with specific requirements for identity proofing. In the commercial environment, the exact process to prove identity is always a local matter, with no common standards or processes.

This gap is just one example. There are many others, and these gaps make it difficult to create interoperable credentials between commercial cloud-based systems and federal IT systems.

A second major force is the federal zero-trust strategy, made very real by the January 2022 release of the Office of Management and Budget’s M-22-09 memorandum, “Moving the U.S. Government Toward Zero Trust Cybersecurity Principles.”

Zero trust, above all, is based on strong authentication and identity management principles. However, it goes further by mandating device posture checking, micro-segmentation in data centers, application-layer identity checking, heavy use of network encryption, cloud-based access to applications and automated security monitoring.

To make optimum use of commercial off-the-shelf (COTS) products in federal agencies, traditional PIV card technology will need to be adjusted to handle this new emphasis on zero-trust principles.

PIV Cards Are Compatible with Cloud-Based Web Applications

Federal IT managers who have been thinking about zero trust and how it relates to existing FICAM compliant authentication systems need to know about advances in the commercial space that may affect them.

Let’s take a few seconds to review how PIV cards work. PIV cards contain digital certificates and, more important, private keys assigned to each user.

The digital certificate, issued by some certification authority (CA) within the federal PKI tree, describes the user’s identity. The private key is used with public/private cryptography to prove that the user is in control of the PIV card and has it at the moment of authentication.

This certificate-based authentication is widely supported in most enterprise web applications, desktop and laptop operating systems, and VPN applications.

As any PIV user knows, this method of authentication is extremely resistant to credential theft, which makes it very secure.

The main issue with PIV-based authentication is that it is based on a walled garden within the federal PKI tree. This makes enrollment in PIV a cumbersome and time-consuming process, and one which is not friendly to contractors or other third parties.

PIV cards have other limitations that affect both usability and security. They are poorly supported on mobile devices, require some additional reader hardware and require the user to be physically present.

FIDO2: If PIV Had Been Invented 20 Years Later

While PIV is dominant in the federal private infrastructure, cloud and enterprise application vendors are exploring new ways to combine the passwordless security of certificate-based authentication with other enrollment models.

The FIDO2 standards, coordinated by the Fast Identity Online (FIDO) Alliance, and their interoperability with WebAuthn, coordinated by the World Wide Web Consortium, are the most important new technologies to know about.

The FIDO Alliance made a big splash earlier this year when Microsoft, Apple and Google, along with the Cybersecurity and Infrastructure Security Agency, announced their commitment to pushing FIDO2 into desktop and mobile platforms, browsers and web services.

From a cryptographic protocol point of view, FIDO2 delivers equivalent security to PIV authentication. However, the deployment model is very different. FIDO2 is designed for massive scalability beyond the capabilities of current PKI systems, and it uses a direct registration by the user (with a cryptographic token) to create the public/private key pairs.

With FIDO2, rather than using a single certificate to authenticate to multiple devices, applications and networks, the user has many cryptographic keys. Each key is assigned for a different purpose, whether that’s one or a group of web applications, VPN access or even SSH terminal access.
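
The per-purpose key model described above, as an added sketch that is not from the original article: a toy authenticator creates a separate key pair for each relying party and signs WebAuthn-style assertions, and the relying party rejects an assertion made for a different service or for a different challenge. The host names, the Authenticator class and the helper names are hypothetical, and CBOR encoding and attestation are left out.

```javascript
const crypto = require('crypto');
const sha256 = (data) => crypto.createHash('sha256').update(data).digest();
const b64url = (buf) => buf.toString('base64').replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');

// Toy authenticator (hypothetical): a separate P-256 key pair per relying party (RP).
class Authenticator {
  constructor() { this.keys = new Map(); }
  register(rpId) {
    const { publicKey, privateKey } = crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
    this.keys.set(rpId, privateKey); // private key stays on the authenticator
    return publicKey;                // the RP stores only the public key
  }
  // Sign authenticatorData || SHA-256(clientDataJSON), the WebAuthn assertion layout.
  assert(rpId, origin, challenge) {
    const privateKey = this.keys.get(rpId);
    if (!privateKey) throw new Error(`no credential for ${rpId}`);
    // rpIdHash (32 bytes) || flags (user present + user verified = 0x05) || counter (4 bytes)
    const authData = Buffer.concat([sha256(rpId), Buffer.from([0x05]), Buffer.alloc(4)]);
    const clientDataJSON = Buffer.from(JSON.stringify(
      { type: 'webauthn.get', challenge: b64url(challenge), origin }));
    const signed = Buffer.concat([authData, sha256(clientDataJSON)]);
    return { authData, clientDataJSON, signature: crypto.sign('sha256', signed, privateKey) };
  }
}

// Relying-party side: check type, origin, challenge and RP ID hash, then the signature.
function verifyAssertion(rp, publicKey, challenge, a) {
  const client = JSON.parse(a.clientDataJSON.toString('utf8'));
  if (client.type !== 'webauthn.get' || client.origin !== rp.origin) return false;
  if (client.challenge !== b64url(challenge)) return false;
  if (!a.authData.subarray(0, 32).equals(sha256(rp.id))) return false;
  const signed = Buffer.concat([a.authData, sha256(a.clientDataJSON)]);
  return crypto.verify('sha256', signed, publicKey, a.signature);
}

// Constructed scenario: one token enrolled at two hypothetical agency services.
function demo() {
  const token = new Authenticator();
  const vpn = { id: 'vpn.agency.example', origin: 'https://vpn.agency.example' };
  const mail = { id: 'mail.agency.example', origin: 'https://mail.agency.example' };
  const vpnKey = token.register(vpn.id);
  const mailKey = token.register(mail.id);
  const challenge = crypto.randomBytes(32);
  const a = token.assert(vpn.id, vpn.origin, challenge);
  return {
    vpnAccepts: verifyAssertion(vpn, vpnKey, challenge, a),
    mailAccepts: verifyAssertion(mail, mailKey, challenge, a),
    otherChallengeAccepts: verifyAssertion(vpn, vpnKey, crypto.randomBytes(32), a),
  };
}
```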

How Do FIDO2 and PIV Compare?

FIDO2 uses the term “passkey” to describe the public/private key pairs. One of the advantages of FIDO2 is that these can be stored on dedicated hardware tokens, as with PIV cards, or can be stored in the security processors and TPM modules of mobile and desktop devices. This delivers end users a wider range of options for carrying their identity credentials.

Another advanced feature of FIDO2 is that a user can have personal credentials stored on a mobile device, such as an agency-issued cellphone, but use those credentials to authenticate to an application with a desktop or laptop. In this case, Bluetooth is used to verify that the mobile device and laptop are near each other.

PIV and FIDO2 authentication also differ in their ability to support multiple devices. With PIV, each user has a single card with individual credentials. With FIDO2, users can securely synchronize their passkeys between devices, if this is allowed by the application.

Alternatively, FIDO2 makes it easy for a user to have multiple devices registered simultaneously, if the application allows. This highlights another benefit of FIDO2 over PIV: It’s not a one-size-fits-all type of system.

Applications can decide whether users can have multiple devices registered and what types of security devices are allowed.

Which Authentication Methods Work Best with Zero Trust?

FIDO2 is also much friendlier to zero-trust requirements, such as modifying authentication and trust based on environmental information. For example, an application might decide that a user who entered a PIN or presented a biometric 30 minutes before is still OK if the app believes the user is in a known location.

However, if the user is at home or in some other untrusted location, the application could dynamically select a different authentication path, requiring the user to re-enter the PIN. This can be decided on an application-by-application basis, allowing the IT manager to balance risk appetite and security level with user experience.
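
One way an application could make the decision described above (an added example, not from the article): it chooses the WebAuthn userVerification setting per application from the age of the last PIN or biometric check and the source network, then enforces that choice on the flags in the response. The policy table, application names, session fields and the use of an IPv4 source address as the "known location" signal are assumptions.

```javascript
// Per-application policy (constructed values): maximum age of the last PIN or
// biometric check, and the source networks treated as a known location.
const POLICY = {
  timesheet: { maxUvAgeMin: 30, knownNetworks: ['10.20.0.0/16'] },
  hrRecords: { maxUvAgeMin: 0, knownNetworks: [] }, // always re-verify
};

// IPv4 only; anything else never matches a network and falls through to 'required'.
const ipToInt = (ip) => ip.split('.').reduce((n, o) => ((n << 8) | Number(o)) >>> 0, 0);

function inCidr(ip, cidr) {
  const [base, bits] = cidr.split('/');
  const mask = Number(bits) === 0 ? 0 : (~0 << (32 - Number(bits))) >>> 0;
  return ((ipToInt(ip) & mask) >>> 0) === ((ipToInt(base) & mask) >>> 0);
}

// Returns the userVerification value the relying party would place in its
// WebAuthn PublicKeyCredentialRequestOptions for this sign-in.
function userVerificationFor(app, session, nowMs) {
  const policy = POLICY[app];
  if (!policy) return 'required'; // unknown application: fail closed
  const known = policy.knownNetworks.some((cidr) => inCidr(session.sourceIp, cidr));
  const ageMin = (nowMs - session.lastUvMs) / 60000;
  const fresh = session.lastUvMs != null && ageMin >= 0 && ageMin <= policy.maxUvAgeMin;
  // 'discouraged' still needs a touch (user presence) but skips the PIN prompt.
  return known && fresh ? 'discouraged' : 'required';
}

// Enforce the decision on the response: in the authenticator data flags,
// bit 0x01 is "user present" and bit 0x04 is "user verified".
function responseAcceptable(uv, flags) {
  const userPresent = (flags & 0x01) !== 0;
  const userVerified = (flags & 0x04) !== 0;
  return userPresent && (uv !== 'required' || userVerified);
}
```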

Federal IT managers can explore the world of FIDO2 easily, as FIPS-approved tokens are available in small quantities at very reasonable cost.

While PIV isn’t going away soon, agency IT teams looking to chart their path to zero trust should investigate newer authentication technologies, such as FIDO2 and WebAuthn, as part of their journey.
