Modern Mobile Authentication for Derived PIV Credentials
Time rolls on
And that’s how it should be
Here and gone
Seems to move so quickly
— David Lee Roth (Damn Good)
It’s an exciting time to be alive.
Over the course of the next year or so, those of us who have been living in and compensating for a password-infected world will start to see light at the proverbial “end of the tunnel.” The FIDO2 WebAuthn protocol is a full-on open standard — and support for this standard is heating up among the browser and identity folks. This is nothing but good news.
But while this is happening, over here in public sector land, we set out on a journey 15 years ago to solve the same problem. And while it hasn’t been all cotton candy and peanut butter, it (for the most part) did what it was designed to do. It created a mechanism that used PKI to solve a hard problem — the pervasive use of passwords and their inherent weakness as security constructs. It wasn’t easy and it didn’t come without a cost — a massive, massive cost. But it’s what we could do at the time, and the folks who were the backbone of this undertaking should be commended.
With all of this talk of change and modernization, we have to remember that we (here I mean the royal "we of government" and those who support the government) have a responsibility to maximize efficacy — AND — efficiency. And while these modernizing authentication capabilities are important (and they are majorly important) as the first verse in our Zero Trust melody, we also have to realize that some of this song was written before. And we’d be wise to incorporate what we can, when we can.
When NIST updated SP-800-63 to rev. 3, they did more than just make it okay to have alternatives to PIV/CAC (I’ve written about this before — here are my thoughts on OMB memo M-19-17). The forward-thinkers at NIST also envisioned a world where the flexibility extended to federating identities AND proving separation between the authentication and ID-proofing. This separation provides for maximum flexibility for agencies to solve their authentication and identification problems today and gives them a clear path to the future. This future will be modern, and this future will carry with it the common language of open standards — which is really the only way to achieve the flexibility and agility to keep up with the constantly changing (technology, culture, policy, etc.) environment.
“Change is the only constant in life” — Heraclitus of Ephesus
Here is an example of how this can be achieved in real life.
Duo has partnered with CyberArmed to deliver a PIV binding to modern multi-factor authentication. This is an example of leveraging the existing investment in PKI and strong identity proofing to enroll a more modern, “off the shelf” authenticator, at scale, for the many use cases where the PKI cannot play, all the while adhering to the standards (SP-800-63-3 for IAL3 and AAL2/3, as well as SP-800-157, the derived PIV specification).
Learn more about Duo Derived.
We are finally at the cusp of modernizing our enterprise identity infrastructures into future-forward, flexible capabilities that will be adaptable to change of every kind. However, nothing can ever be a “rip and replace” conversation. We need to “bridge the gap” while maintaining our existing capabilities. These building blocks can help us do just that.