PIV and multi-factor authentication
Ensuring security in an increasingly mobile, global and flexible economy
14 March, 2016
An emerging PIV ecosystem: logical and physical convergence
Many federal entities have already leveraged PIV cards as strong multi-factor authentication credentials for internal logical access. We have also seen additional mandates, such as OMB Memorandum M-11-11, that require the use of PIV cards for physical access.
These mandates have created an ecosystem of vendors, such as Microsoft and HID Global, that are laying the groundwork for future adoption. Microsoft has supported PIV for login, as well as digital signing and encryption, starting with Windows 7. Several commercial vendors now produce physical access card readers and physical access control systems (PACS) that support the PIV standards.
Federal agencies have already made tremendous strides in implementation. Last June, the Department of Veterans Affairs (VA) implemented a policy to make PIV cards mandatory on VA information systems. The policy also covers those accessing the network with elevated privileges.
That effort appears to be paying off. In its December monthly report to Congress, the VA reported a decrease of more than 60% in personal-health-information-related data breaches since November.
Meanwhile, late last year, the U.S. Census Bureau began testing derived credentials from PIV for use in mobile technology and smartphones in preparation for the 2020 census. The goal is to trim logistical inefficiencies from its data-gathering duties, which in 2010 cost U.S. taxpayers an estimated $17.8 billion, a 56% increase from 2000.
The lessons learned from the U.S. Census Bureau will also benefit the private sector. Mission-critical industries such as energy, utilities and waste treatment, largely considered conservative regarding IT, are leading the way in the percentage of users logging into work only on mobile devices.
A security panacea?
PIV, PIV-I and PIV-CIV remain the strongest credentials to replace passwords and offer the multi-factor authentication required to address cybersecurity threats. PIV-CIV, in particular, is flexible and can match all the security requirements of the commercial enterprise. While these credentials offer the highest level of security available today, there will never be one credential to rule them all.
Other lower-strength authentication methods, such as one-time password tokens, will continue to serve their purpose in the appropriate context. Overall, there will be a continuing need for credentials to match the level of risk or trust necessary to control access to resources and services.
For PIV-I and PIV-CIV, the future is now
After overcoming a number of hurdles on its journey to becoming the robust system it is today, the PIV framework is, and will remain, the gold standard for multi-factor authentication in the current cybersecurity landscape.
The damage wrought by high-profile hacks within the government and private sectors has laid bare the tremendous cost of insufficient security measures, casting new light upon the cost-benefit analysis of investing in the world’s most robust security options. In short, the world’s most sensitive governmental organizations and industries can no longer afford not to implement a multi-factor authentication process with PIV, PIV-I or PIV-CIV.
By leading the way to a more secure future, the federal government continues to create and implement the standard set of practices and technologies required to raise security standards across the globe. In time, the ongoing effort will hopefully make large cybersecurity breaches a piece of business history.
Authors:
Ahmed is CIO and senior vice president of Technical Services for SureID. Becquart is vice president of Operations and Marketing for Axiad IDS.