The National Institute of Standards and Technology (NIST) has published two draft documents for public comment that describe processes that federal employees and contractors could use to provide smart card-like authentication for access to government computer resources using mobile devices such as phones and tablets. Comments on the drafts are due April 21, 2014.
The federal government increasingly is using credit card-sized smart cards—Personal Identification Verification (PIV) cards—that employ biometric data and encryption to uniquely identify the cardholder. PIV cards are used to allow the cardholder access to government facilities or to log on to federal computer systems from desktops and laptops equipped with PIV card readers. However, in the last decade, the mobile market has skyrocketed. Employees want to use mobile devices to access work information from wherever they may be—and employers agree.
The revised Federal Information Processing Standard (FIPS) 201-2, Personal Identity Verification (PIV) of Federal Employees and Contractors,* published in August 2013, provided an authentication credential for mobile devices. Now NIST is issuing a draft publication that provides the technical details for a system by which mobile device owners may add their PIV credentials to their smart phones or tablets, allowing the mobile device to take the place of the smart card for remote authentication to federal systems. Guidelines for Derived Personal Identity Verification Credentials [SP 800-157] describes how a user with a valid PIV card could obtain a derived, integrated PIV token using either hardware or software cryptographic modules.
The publication provides technical guidelines on:
- Three primary lifecycle activities for the derived PIV credential—initial issuance, maintenance and termination—and the requirements for each activity to ensure security, and
- Technical requirements for the derived PIV credential including certificate policies, cryptographic specifications, types of cryptographic implementation that are permitted and mechanisms for activation and use of the credential.
The document's primary intended audience is application and system developers and others who will be responsible for procuring, designing, implementing and managing derived PIV credentials deployments for mobile devices.
There are alternatives to derived PIV credentials integrated on a mobile device, including using separate PIV card readers or short-range, "near field" wireless links (NFC) of the sort popularized by contactless payment systems at gas stations. A second NIST publication draft, Mobile, PIV, and Authentication [NISTIR 7981], analyzes different approaches to PIV-enabled mobile devices. It points out the benefits and considerations of each approach and discusses when that approach might become available.
Guidelines for Derived Personal Identity Verification Credentials [SP 800-157] and Mobile, PIV, and Authentication [NISTIR 7981] are available at the NIST Computer Security Resource Center draft publications web site: http://csrc.nist.gov/publications/PubsDrafts.html. Spreadsheet templates for comments also are available on the CSRC site. Comments should be submitted to firstname.lastname@example.org by April 21, 2014.