Enterprise ID specs fail to catch on
From “identity standard of the future” to a likely sad footnote for bygone smart card specifications, PIV-I has had quite a ride.
Just three-years ago experts predicted it would be deployed not only for government contractors but across enterprises markets as well. Seven companies are cross-certified with the federal bridge to issue high-assurance PIV-I credentials on behalf of other organizations, but only a few of them are actually doing it. “Costly and complex” is the universal answer when insiders are asked why PIV-I and its less-assured little brother CIV aren’t being used in smart card deployments.
The other issue is that despite the original promise, PIV-I credentials aren’t really authorized for use within the federal government. So while some government contractors might be using the specification, employees who are contracted at different agencies are still being issued separate PIV credentials for access to facilities and systems. “There’s no mandate for PIV-I within the federal government,” says Steve Howard, vice president of credentials at CertiPath, a PIV-I issuer and one of the founders of the smart card specification.
The idea for PIV-I began around 2006 when the Federal PKI Policy Chair, the Federal PKI Management Authority and CertiPath saw a need for a credential that could be carried by contractors and used at federal agencies and within that contractor’s own physical and logical access systems. The spec was intended for government contractors working on a job for six months or less, as anything more than six months requires a background check and a PIV card.
Two-years ago a group of contractors lobbied the White House Office of Management and Budget to change this rule so that contractors with PIV-I could use those credentials instead of having to receive a federal-issued PIV. The response was that agencies weren’t concerned, so there wasn’t a need to change the rule.
Because federal agencies aren’t accepting PIV-I, there has been little issuance in that space. At one point, however, there was a lot of buzz around enterprises not associated with the federal government issuing credentials via the specification.
Since PIV-I was standardized, the assumption was that products would be readily available, security would be high and as many organizations began using it, costs would fall.
This belief gave rise to another acronym, CIV or Commercial Identity Verification. CIV leverages the PIV-I specifications, technology and data model, but it does not require cross certification to the Federal Bridge. Any enterprise can create, issue and use CIV credentials according to their own requirements. It’s basically PIV-I without the government-mandated identity assurance.
This mass deployment of PIV-I and CIV, however, hasn’t come to pass. A few financial services companies and health care institutions are considering deployment because the PKI security is attractive to them, Howard says. But that is about it.
Wells Fargo might be the largest to announce a PIV-I/CIV deployment, but the financial institution declined to provide an update on the project’s rollout. At the Smart Card Alliance’s Smart Cards in Government show in 2013, Brian Keltner, information security engineer for smart card access management at Wells Fargo, said that FIPS 201 and CIV were attractive because it’s a standards-based solution, interoperable, federates and increases levels of assurance to make policy requirements.
According to Keltner, the bank was issuing 5,000 credentials each month across the country. The IDs used PKI validation for both physical and logical access control. CIV Authentication Certificates were used for authentication to end points and network applications and for authentication at door readers. CIV was attractive because it was based on PIV and PIV-I standards but also enabled local policies to be added.
Unless you’re a large organization needing the highest levels of security there hasn’t been much of a call for the specifications. “Going down the PIV-I route requires a significant commitment,” says Randy Vanderhoof, executive director at the Smart Card Alliance “Cost is still a big barrier, as is complexity. Enterprises need to make tough business decisions on how much to invest and look at the alternatives out there.”