The National Institute of Standards and Technology (NIST) this month released draft guidance on derived credentials for authenticating mobile devices on federal networks.

Users who want to log on to a sensitive federal computer typically must insert their Personal Identity Verification (PIV) card (called a Common Access Card, or CAC, at the Department of Defense) into the machine. This poses a challenge for smartphones and tablets, which are too small to hold an internal card reader. A derived credential solves the problem by storing the authenticating information on the device itself, eliminating the need for the card.

“The way forward is increased emphasis on derived credentials,” according to Defense Department Senior Engineer Mark Norton, who spoke at the Federal Mobile Computing Summit on March 7.

Norton said that 10 years have been spent perfecting the CAC, but he hopes the electronic version will only take several years. He acknowledged that there may be several ways to create a derived credential and that the department is currently exploring options already used in industry.

“We’ll probably tag onto an existing one,” he said.

DoD and other agencies prefer a derived credential as opposed to taking on the expense of purchasing special PIV/CAC readers for mobile devices, Norton said. Employees would also have to carry around the readers and be trained on how to use them, eliminating some of the convenience that mobile devices provide.

The NIST guidance (Special Publication 800-157) will encourage more exploration of derived credentials. It will also provide standards for developers who are interested in marketing their solutions to the government. The guidance includes technical requirements, such as “certificate policies, cryptographic specifications, types of cryptographic implementation that are permitted and mechanisms for activation and use of the credential.”

The draft guidance will be available for public comment for 45 days.