Federal Identity Cards Must Adapt to Changing Security Environments

PIV Cards Are Compatible with Cloud-Based Web Applications

Federal IT managers who have been thinking about zero trust and how it relates to existing FICAM compliant authentication systems need to know about advances in the commercial space that may affect them.

Let’s take a few seconds to review how PIV cards work. PIV cards contain digital certificates and, more important, private keys assigned to each user.

The digital certificate, issued by some certification authority (CA) within the federal PKI tree, describes the user’s identity. The private key is used with public/private cryptography to prove that the user is in control of the PIV card and has it at the moment of authentication.

This certificate-based authentication is widely supported in most enterprise web applications, desktop and laptop operating systems, and VPN applications.

As any PIV user knows, this method of authentication is extremely resistant to credential theft, which makes it very secure.

The main issue with PIV-based authentication is that it is based on a walled garden within the federal PKI tree. This makes enrollment in PIV a cumbersome and time- consuming process, and one which is not friendly to contractors or other third parties.

PIV cards have other limitations that affect both usability and security. They are poorly supported on mobile devices, require some additional reader hardware, and the physical user must be present.

EXPLORE: How agencies are implementing zero trust and modernization.

FIDO2: If PIV Had Been Invented 20 Years Later

While PIV is dominant in the federal private infrastructure, cloud and enterprise application vendors are exploring new ways to combine the passwordless security of certificate-based authentication with other enrollment models.

The FIDO2 standards, coordinated by the Fast Identity Online (FIDO) Alliance, and their interoperability with , coordinated by the World Wide Web Consortium, are the most important new technologies to know about.

The FIDO Alliance made a big splash earlier this year when Microsoft, Apple and Google, along with the Cybersecurity and Infrastructure Security Agency, announced their commitment to pushing FIDO2 into desktop and mobile…