To secure sensitive data and protect critical assets, IT and security leaders in highly regulated industries, including the U.S. federal government, mandate strong authentication tied to their mobile employees' smart card or personal identity verification (PIV) card for access to corporate apps and resources. Because issuing a smart/PIV card involves physical, in-person validation of the holder's identity, the card is treated as a trusted source of identity for resource access.

While using a physical card to access resources poses little user experience challenge on desktops and laptops, the experience of smart/PIV card-based access on mobile devices is very poor.


Where Traditional Smart Card Methods Fail

Traditional approaches to this problem required an external smart card reader connected over USB or Bluetooth. These technically worked, but the experience was poor and expensive, and it undercut the whole point of mobility. Among the reasons for this less-than-ideal user experience are:

  • Smart card readers are bulky and costly;
  • Attaching or tethering an external reader to a smartphone or tablet creates usability and portability problems; and
  • Smart card readers do not integrate natively with mobile operating systems, so the card's certificates are unavailable to the operating system's built-in mail, browser and VPN clients and can be used only by third-party applications written for a particular reader.

These issues often stop companies from boosting productivity by letting employees reach corporate resources from their mobile devices, leaving highly regulated organizations behind in their mobile and digital transformation.

Embracing Derived Credentials for Strong Authentication

To address this challenge, the National Institute of Standards and Technology (NIST) defined the concept of derived credentials. A derived PIV credential is a new digital certificate, with its own private key, stored on a mobile device and issued on the strength of the holder's existing, valid PIV card rather than through a new round of identity proofing.

In consultation with public key infrastructure (PKI) vendors, NIST published Special Publication 800-157, "Guidelines for Derived Personal Identity Verification (PIV) Credentials." While the concept took shape, implementing it raised its own challenges in ensuring both security and ease of use.
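To make the derivation step concrete, the following Go program is an added example written for this page; it is not code from NIST, IBM MaaS360 or Entrust Datacard. It models the core idea of SP 800-157 with a constructed PKI: an agency CA, a PIV Authentication certificate whose key lives on the card, and an issuer that grants a certificate to a fresh device key only after the card proves possession of its private key by signing an issuer-chosen nonce and the card certificate validates against the agency CA. The subject of the new certificate is copied from the PIV certificate, which is what lets the derived credential reuse the original identity proofing. All names (Example Agency, Jane Doe), lifetimes and the simplified challenge-response exchange are assumptions; a real issuer would also check the PIV certificate's revocation status (CRL or OCSP), which is omitted here.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// serial returns a random certificate serial number.
func serial() *big.Int {
	n, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64))
	return n
}

// mustCert signs tmpl with the issuer key and parses the resulting DER certificate.
func mustCert(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, issuerKey *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, issuerKey)
	if err != nil {
		panic(err)
	}
	c, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return c
}

// AgencyCA builds a constructed self-signed CA standing in for the agency PIV issuing CA (assumption).
func AgencyCA() (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber:          serial(),
		Subject:               pkix.Name{CommonName: "Example Agency PIV CA"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(10 * 365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	return mustCert(tmpl, tmpl, &key.PublicKey, key), key
}

// IssuePIVAuthCert models card personalization: a key pair that never leaves the card and a
// PIV Authentication certificate (client-auth EKU) signed by the agency CA. validFor may be
// negative to construct an already-expired card for testing.
func IssuePIVAuthCert(ca *x509.Certificate, caKey *ecdsa.PrivateKey, holder string, validFor time.Duration) (*x509.Certificate, *ecdsa.PrivateKey) {
	cardKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: serial(),
		Subject:      pkix.Name{CommonName: holder, Organization: []string{"Example Agency"}},
		NotBefore:    time.Now().Add(-48 * time.Hour),
		NotAfter:     time.Now().Add(validFor),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	return mustCert(tmpl, ca, &cardKey.PublicKey, caKey), cardKey
}

// NewNonce is the issuer's fresh challenge; signing it proves possession of the card key.
func NewNonce() []byte {
	b := make([]byte, 32)
	rand.Read(b)
	return b
}

// SignChallenge is the card-holder side: the PIV card signs the issuer's nonce with its key.
func SignChallenge(cardKey *ecdsa.PrivateKey, nonce []byte) []byte {
	digest := sha256.Sum256(nonce)
	sig, _ := ecdsa.SignASN1(rand.Reader, cardKey, digest[:])
	return sig
}

// NewDeviceKey generates the mobile device's own key pair for the derived credential
// (on a real device this would be created in the hardware-backed keystore).
func NewDeviceKey() *ecdsa.PrivateKey {
	k, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	return k
}

// IssueDerivedCredential is the issuer side of the derivation step. It accepts the request
// only if (1) the PIV Authentication certificate chains to the agency CA, is within its
// validity period and carries the client-auth EKU, and (2) the nonce signature verifies under
// that certificate's key. The new certificate is bound to the device key but inherits its
// subject from the PIV certificate: no fresh identity proofing takes place.
func IssueDerivedCredential(ca *x509.Certificate, caKey *ecdsa.PrivateKey, pivCert *x509.Certificate,
	nonce, nonceSig []byte, devicePub *ecdsa.PublicKey) (*x509.Certificate, error) {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := pivCert.Verify(opts); err != nil {
		return nil, fmt.Errorf("PIV certificate rejected: %w", err)
	}
	cardPub, ok := pivCert.PublicKey.(*ecdsa.PublicKey)
	if !ok {
		return nil, errors.New("PIV certificate does not carry an ECDSA key")
	}
	digest := sha256.Sum256(nonce)
	if !ecdsa.VerifyASN1(cardPub, digest[:], nonceSig) {
		return nil, errors.New("challenge signature invalid: no proof of card possession")
	}
	tmpl := &x509.Certificate{
		SerialNumber: serial(),
		Subject:      pivCert.Subject, // identity inherited from the PIV card, not from the request
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(365 * 24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	return mustCert(tmpl, ca, devicePub, caKey), nil
}

func main() {
	ca, caKey := AgencyCA()
	pivCert, cardKey := IssuePIVAuthCert(ca, caKey, "Jane Doe", 365*24*time.Hour)
	nonce := NewNonce()
	device := NewDeviceKey()
	derived, err := IssueDerivedCredential(ca, caKey, pivCert, nonce, SignChallenge(cardKey, nonce), &device.PublicKey)
	if err != nil {
		panic(err)
	}
	fmt.Printf("derived credential issued to %q, valid until %s\n", derived.Subject.CommonName, derived.NotAfter.Format("2006-01-02"))
}
```

The issuer never takes the subject from the device's request, and it refuses both a tampered challenge signature and an expired card certificate; renewal of the derived credential is the same exchange repeated before the device certificate expires, which is why the card must still be valid at that point.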

Integrating the PKI with the right unified endpoint management (UEM) solution addresses most of these technical and end-user challenges while delivering scalability, security, adherence to NIST guidelines, and ease of deployment and use.

Having the right UEM solution that integrates with the PKI infrastructure allows organizations to:

  • Seamlessly integrate derived PIV credential creation, issuance and renewal;
  • Provide strong multifactor authentication (MFA) to a wide range of resources, including native device profiles (Wi-Fi, VPN and similar), email, PIV-enabled websites and third-party apps;
  • Extend simplified authentication options to nonmobile endpoints such as desktops and laptops; and
  • Cut costs by reusing the user's previously established PIV identity in the new derived PIV credential, eliminating the need for further identity proofing.

Learn More

Join us for a live webinar on Oct. 30 to learn how IBM MaaS360 with Watson UEM and Entrust Datacard developed an integrated derived PIV credentials solution that solves the strong authentication challenges experienced by IT and security professionals in highly regulated industries.

Attend the webinar to learn more
