NCCOE Identity Projects

Special Publication SP 1800-12, Derived Personal Identity Verification (PIV) Credentials

In 2005, Personal Identity Verification (PIV) credentialing focused on authentication through traditional computing devices, such as desktops and laptops, where a PIV card would provide a common authentication through integrated smart card readers. Today, the proliferation of mobile devices that do not have integrated smart card readers complicates PIV credentials and authentication.

Derived Personal Identity Verification (PIV) Credentials helps organizations authenticate individuals who use mobile devices and need secure access to information systems and applications.

The project demonstrates a feasible security platform based on federal PIV standards that leverages identity proofing and vetting results of current and valid PIV credentials to enable two-factor authentication to information technology systems via mobile devices while meeting policy guidelines. Although the PIV program and the NCCoE Derived PIV Credentials project are primarily aimed at the federal sector’s needs, both are relevant to mobile device users in the commercial sector using smart card-based credentials or other means of authenticating identity and supports operations in federal (PIV), non-federal critical infrastructure (PIV-interoperable or PIV-I), and general business (PIV-compatible or PIV-C) environments.

The NCCoE released a final version of the NIST Cybersecurity Practice Guide SP 1800-12 Derived Personal Identity Verification (PIV) Credentials on August 27, 2019.

Special Publication SP 1800-13, Mobile Application Single Sign-On: Improving Authentication for Public Safety First Responders

On-demand access to public safety data is critical to ensuring that public safety and first responder (PSFR) personnel can deliver the proper care and support during an emergency. This requirement necessitates heavy reliance on mobile platforms that may be used by PSFR personnel to access sensitive information, such as personally identifiable information, law enforcement sensitive information, and protected health information. However, complex authentication requirements can hinder the process of providing emergency services, and any delay—even seconds—can become a matter of life or death.

In collaboration with NIST’S Public Safety Communications Research lab and industry stakeholders, the NCCoE aims to help PSFR personnel efficiently and securely gain access to mission data via mobile devices and applications. This practice guide describes a reference design for multifactor authentication and mobile single sign-on for native and web applications while improving interoperability among mobile platforms, applications, and identity providers, regardless of the application development platform used in their construction. This NCCoE practice guide details a collaborative effort between the NCCoE and technology providers to demonstrate a standards-based approach that uses commercially available and open‑source products.

The NCCoE recently released a second draft of NIST Cybersecurity Practice Guide SP 1800-13, Mobile Application Single Sign-On: Improving Authentication for Public Safety First Responders. This revision of the guide was updated at request of the public safety community to incorporate iOS version 12. The project's public comment period closed on June 28, 2019

Special Publication SP 1800-17, Multifactor Authentication for E-Commerce

Smart chip credit cards and terminals work together to protect in-store payments. These in-store security advances were introduced in 2015, and have pushed malicious actors who possess stolen credit card data to perform payment card fraud online. Because online retailers cannot utilize all of the benefits of improved credit card technology, they should consider implementing stronger authentication to reduce the risk of electronic commerce (e-commerce) fraud.

In collaboration with stakeholders in the retail sector, the NCCoE published a practice guide that explores risk-based scenarios to trigger the use of multifactor authentication (MFA) to help reduce fraudulent online purchases. In the project’s example implementations, if certain risk elements (contextual data related to the transaction) are exceeded that could indicate an increased likelihood of fraudulent activity during the online shopping session, the purchaser will be prompted to present another distinct authentication factor—something the purchaser has—in addition to the username and password.

The NCCoE released a final version of NIST Special Publication (SP) 1800-17 Multifactor Authentication for E-Commerce on July 30, 2019.