In an effort to secure sensitive data and protect critical assets, IT and security leaders in highly regulated industries, including the U.S. federal government, mandate strong authentication tied to their mobile employees’ smart/personal identity verification (PIV) card for corporate app and resource access. Considering the physical validation associated with issuing a smart/PIV card, it is considered a safe and trusted source of identity for resource access.
While accessing resources with a smart/PIV card does not pose much of a user experience challenge on desktops and laptops, the experience is very poor when it comes to smart/PIV card-based access on mobile devices.
Where Traditional Smart Card Methods Fail
Traditional approaches to this problem required an external smart card reader connected via USB or Bluetooth. While these technically worked, the experience was poor, expensive and at odds with the very notion of mobility. Among the reasons for this less-than-ideal user experience are:
- Smart card readers are bulky and unaffordable;
- Attaching or tethering an external smart card reader to a smartphone or tablet creates usability and portability issues; and
- Smart card readers do not natively integrate with mobile operating systems and, therefore, can only be used by third-party applications.
These issues often prevent companies from boosting productivity by allowing employees to access corporate resources from their mobile devices, leaving highly regulated organizations behind in the mobile and digital transformation journey.
Embracing Derived Credentials for Strong Authentication
To address this challenge, the National Institute of Standards and Technology (NIST) endorsed the concept of derived credentials. A derived PIV credential is a new digital certificate stored on a mobile device that is derived from the trust of a valid PIV card.
In consultation with public key infrastructure (PKI) vendors, NIST published Special Publication 800-157, which details the agency’s “Guidelines for Derived Personal Identity Verification (PIV) Credentials.” While the concept of derived credentials took shape, implementing the solution had its own challenges around ensuring both security and ease of use.
Integrating the PKI infrastructure with the right unified endpoint management (UEM) solution addresses most of these technical and end user challenges while delivering scalability and security, adherence to NIST guidelines, and ease of deployment and use.
Having the right UEM solution that integrates with the PKI infrastructure allows organizations to:
- Seamlessly integrate derived PIV credential creation, issuance and renewals;
- Provide strong multifactor authentication (MFA) to a wide range of resources, including native profiles, email, PIV-enabled websites and third-party apps;
- Extend simplified authentication options for nonmobile endpoints such as desktops and laptops; and
- Cut costs by incorporating the user’s previously established PIV identity into the new derived PIV credential, thereby eliminating the need for further identity proofing.
Join us for a live webinar on Oct. 30 to learn how IBM MaaS360 with Watson UEM and Entrust Datacard developed an integrated derived PIV credentials solution that solves the strong authentication challenges experienced by IT and security professionals in highly regulated industries.