PIV and multi-factor authentication
Ensuring security in an increasingly mobile, global and flexible economy
14 March, 2016
category: Corporate, Digital ID, Government, Smart Cards
By Abrar Ahmed, SureID and Jerome Becquart, Axiad IDS
The U.S. Office of Personnel Management (OPM) addressed security vulnerabilities in its Federal “Cybersecurity Sprint,” stating that cybersecurity poses some of the most serious economic and security challenges of this century. In June, the Obama Administration noted the need to “dramatically accelerate implementation of multi-factor authentication” as a crucial step to improve cybersecurity.
To that end, the Defense Department has already deployed the Common Access Card (CAC) for its personnel and the Personal Identity Verification (PIV) for government employees. It is now recommending the Personal Identity Verification-Interoperable (PIV-I) cards to enable multi-factor authentication for its contractor base.
This credential system also supports multi-factor identity authentication with photo, fingerprints and a PIN, representing the most effective way of addressing security vulnerabilities both online and on-premise. It’s a win-win for federal agencies and its diverse user groups given that it works seamlessly across a wide range of physical and logical access control systems.
Why PIV/PIV-I?
The foundation for trust enabled by PIV/PIV-I lies in the identity proofing and issuance requirements associated with high levels of assurance credentials. The federal government has made specific policy guidelines for various levels of trust associated with different credential types, referred to as “Assurance Level.”
This federal policy identifies four levels of assurance with level one being the lowest, requiring no identity verification — think of online email or commercial web sites allowing anonymous, unverified users to create accounts — and level four representing the highest trust assurance possible. PIV/PIV-I credentials are considered “Level of Assurance Four” or LOA4 for the requirements of in-person identity proofing, hardware-based digital certificate storage and secure issuance policy so the correct person receives the correct credential.
This year, entities contracting with the federal government may need to increase the deployment and usage of PIV-I credentials for multi-factor authentication. U.S. CIO Tony Scott said he wants to get to 100% use of PIV cards for privileged users of federal systems by the end of President Obama’s term. As a result, federal agencies have stepped up their efforts deploy PIV and PIV-I for both privileged and non-privileged users.
This program will not only bring greater security to the government and its contractors, but it also provides a security model that private enterprise can adopt to prevent the next big security breach.
PIV for commercial enterprise: PIV-Civilian (PIV-CIV)
Security breaches are not an option, especially for organizations for which a breach could have a highly damaging impact, such as global financial institutions conducting multi-million dollar transactions, companies handling sensitive personal health records or nuclear power plants managing mission-critical assets.
The efficiency and ubiquity of the PIV-I model—or PIV-CIV when used in the commercial space—more than offsets the initial investment in time and resources when literally billions of dollars worth of assets and information are on the line.
Furthermore, the PIV framework provides the flexibility to manage increasingly diverse workforces that demand more options for when and how work is conducted. Great strides have been made in recent years to make this framework more accessible.
Derived credentials for mobile workforces
Since the PIV standard was first introduced in the previous decade, the nature of work and how it is conducted has continued to evolve. As workforces become more mobile and flexible—increasingly working remotely from a variety of geographical locations on a variety of devices—multi-factor authentication that leverages a secure digital identity can greatly reduce the threat of cybersecurity breaches.
Today, many laptops include smart card reading capabilities and combined with Microsoft Windows’ native support for PIV/PIV-I, a mobile user can log on with the same identity assurance and access privileges as within the workplace.
With work increasingly conducted on mobile platforms and devices, cardholders may also benefit from “derived credentials,” which are carried on mobile devices instead of the card.
This option provides a cost-effective alternative to adding smart card readers to mobile devices or replacing machines that don’t support the form factor. It also improves productivity, accommodating employees who prefer to use their personal mobile devices for work.
Additionally, mobile devices increasingly offer biometric validation, such as facial recognition and fingerprint scanning that could be leveraged in conjunction with the PIV/PIV-I derived credential.