NIST Plans Secure Mobile Access Guides
Preparing Alternative to Personal Identity Verification Cards
The National Institute of Standards and Technology is drafting guidance to help agencies provide stronger security when allowing access to federal government systems from mobile devices.
The current federal approach to electronic authentication requires the use of Personal Identity Verification, or PIV, cards. "This works reasonably well with desktop and laptop computers, but not necessarily for mobile devices," explains Hildegard Ferraiolo, a NIST computer scientist who leads the agency's personal identity verification initiative. "For mobile devices, it requires bulky add-on readers or near-field communication."
Near-field communication (NFC) is a short-range wireless standard, supported by many smartphones, that lets two devices held a few inches apart exchange data; it is one of the few ways a phone can talk to a PIV smart card without an external reader.
The goal of the guidance - Special Publication 800-157 Draft: Guidelines for Derived Personal Identity Verification Credentials and Interagency Report 7981 Draft: Mobile, PIV and Authentication - is to provide alternative approaches to authentication from mobile devices without the need for add-on readers, Ferraiolo says. Instead of presenting a PIV card, she says, the user would carry a derived PIV credential incorporated in the mobile device itself, providing a more convenient and secure experience.
A derived PIV credential would leverage the identity proofing already performed for an existing valid credential. Identity proofing services verify individuals' identities before the enterprise issues them accounts and credentials. In the derived-credential model, that proof can be supplied by the user authenticating with a valid PIV card, so no new in-person proofing is needed. The federal government has been issuing PIV cards for nearly a decade; in 2004, President Bush signed Homeland Security Presidential Directive-12, which created a governmentwide standard for secure and reliable forms of identification.
To achieve interoperability with the PIV infrastructure and its applications, a derived PIV credential is itself a public-key infrastructure (PKI) credential: a private key held on the mobile device and a corresponding certificate, so existing PIV relying parties can validate it with the same certificate-based authentication mechanisms they already use for PIV cards.
"Federal departments and agencies will have to explore ways to integrate the new credential within their existing identity management system," Ferraiolo says.
The SP 800-157 Draft includes requirements for initial issuance, maintenance and termination of the mobile device credentials; certificate policies and cryptographic specifications; technical specifications for the permitted types of cryptographic tokens that may hold the credential; and the command interfaces for removable implementations of such tokens.
The IR 7981 Draft analyzes options for remote authentication from mobile devices that leverage an investment in the PIV infrastructure and the distinctive security capabilities of mobile devices.
Trends in the mobile device ecosystem call for a flexible electronic authentication policy that allows for close integration between the credential and the mobile device, Ferraiolo says.
NIST is seeking comments from stakeholders on both drafts by April 21. Submit suggestions to firstname.lastname@example.org.