Last December, the U.S. Commission on Enhancing National Cybersecurity laid out “an ambitious but important goal” for the incoming presidential administration: “to see no major breaches by 2021 in which identity—especially the use of passwords—is the primary vector of attack.”[1]
Pursuant to this effort, the Commission recommended that all agencies be required to use strong authentication across all government systems. Further, they pointed out that the tools used to fulfill this requirement should not be limited to the government’s PKI-based Personal Identity Verification (PIV) credentials. Instead, the Commission recommended that the requirements for authentication “should be made performance based (i.e., strong) so they include other (i.e., non-PIV) forms of authentication.”
The FIDO Alliance is pleased to release a new white paper in support of the Commission’s recommendations. Titled “Leveraging FIDO Standards to Extend the PKI Security Model in United States Government Agencies,” the paper discusses how FIDO solutions are used to enhance cybersecurity within the government environment and act as a complement to traditional PKI. The paper was developed by FIDO’s Public Policy and Privacy Working Group (P3WG).
As the paper details, the benefits of a FIDO-inclusive approach are to offer additional authentication solutions that are easier to use and easier to integrate with legacy applications. These solutions, however, still retain the core security associated with asymmetric public key cryptography
- For example, much as the Derived PIV Credential (DPC) program allows for a separate PKI certificate to be issued by proving possession of a PIV Card, the DPC workflow specified in NIST 800-157 can be used to issue a FIDO public/private key pair, linked to the same identity record associated with the PIV card. The primary difference is that the key pair is not part of a “full” public key infrastructure, but rather a “lightweight” key pair.
- Moreover, for people in the government ecosystem that are not required to get a PIV, FIDO offers an alternative that is cheaper to issue and maintain and easy to use. This ensures that individuals have at least some sort of strong authentication based on public key cryptography.
The new paper makes clear that PIV remains the gold-standard for authentication in the U.S. government, and will remain a core component of the federal enterprise. But as agencies strive to achieve the Commission’s recommendations, an approach that augments PIV solutions with FIDO can improve cyber hygiene across the Federal enterprise and help the U.S. to more effectively secure digital assets.
Eliminating password-based breaches by 2021 is an ambitious goal, but it’s not one that is impossible. With more than 300 FIDO® Certified products, the United States and other governments around the world can look to the growing ecosystem of FIDO solutions to deliver simpler, stronger authentication.
[1] See the Commission on Enhancing National Cybersecurity’s Report on Securing and Growing the Digital Economy, available at https://www.nist.gov/sites/default/files/documents/2016/12/02/cybersecurity-commission-report-final-post.pdf
