March 14, 2017

Extending the PKI Security Model with FIDO Authentication Standards

Last December, the U.S. Commission on Enhancing National Cybersecurity laid out “an ambitious but important goal” for the incoming presidential administration: “to see no major breaches by 2021 in which identity—especially the use of passwords—is the primary vector of attack.”[1]

Pursuant to this effort, the Commission recommended that all agencies be required to use strong authentication across all government systems. Further, they pointed out that the tools used to fulfill this requirement should not be limited to the government’s PKI-based Personal Identity Verification (PIV) credentials. Instead, the Commission recommended that the requirements for authentication “should be made performance based (i.e., strong) so they include other (i.e., non-PIV) forms of authentication.”

The FIDO Alliance is pleased to release a new white paper in support of the Commission’s recommendations. Titled “Leveraging FIDO Standards to Extend the PKI Security Model in United States Government Agencies,” the paper discusses how FIDO solutions can be used to enhance cybersecurity within the government environment and act as a complement to traditional PKI. The paper was developed by FIDO’s Public Policy and Privacy Working Group (P3WG).

As the paper details, a FIDO-inclusive approach offers additional authentication solutions that are easier to use and easier to integrate with legacy applications, while still retaining the core security associated with asymmetric public key cryptography:

  • For example, much as the Derived PIV Credential (DPC) program allows a separate PKI certificate to be issued after proving possession of a PIV Card, the DPC workflow specified in NIST SP 800-157 can be used to issue a FIDO public/private key pair linked to the same identity record as the PIV card. The primary difference is that the key pair is not part of a “full” public key infrastructure with certificates, a CA chain and revocation checking, but rather a “lightweight” key pair whose public half is registered directly with the relying party.
  • Moreover, for people in the government ecosystem who are not required to obtain a PIV, FIDO offers an alternative that is cheaper to issue and maintain and easier to use. This ensures that these individuals still have some form of strong authentication based on public key cryptography.
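To make the “lightweight key pair” distinction concrete, the following Go program is an added illustration (not code from the white paper or from the FIDO Alliance) of the FIDO-style trust model the bullets describe: the relying party binds a public key to an identity record at registration, then authenticates by verifying a signature over a fresh challenge under that stored key, with no certificate, CA chain or revocation lookup anywhere in the path. It deliberately omits real WebAuthn/CTAP message formats, attestation, signature counters and user verification; the RP ID `agency.example.gov` and the identity record `identity-record-0001` are constructed placeholders, and the PIV proof-of-possession step that would gate issuance in a DPC workflow is assumed to happen before `Register` is called.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Credential is the relying party's record of a registered FIDO-style key:
// a public key bound to an identity record. There is no certificate, CA chain
// or revocation lookup; the binding lives only in the RP's own table.
type Credential struct {
	ID         string
	IdentityID string // identity record the key is linked to (e.g. the PIV holder's)
	PublicKey  *ecdsa.PublicKey
}

// RelyingParty holds registered credentials and the challenges it has issued.
type RelyingParty struct {
	RPID       string
	creds      map[string]Credential
	challenges map[string][]byte // credential ID -> outstanding challenge (single use)
}

func NewRelyingParty(rpID string) *RelyingParty {
	return &RelyingParty{RPID: rpID, creds: map[string]Credential{}, challenges: map[string][]byte{}}
}

// GenerateAuthenticatorKey creates the authenticator's P-256 key pair. The
// private key never leaves the authenticator; only the public key goes to the RP.
func GenerateAuthenticatorKey() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

// Register binds a public key to an identity record and returns a credential ID.
// In a DPC-style issuance this runs only after the applicant proved possession
// of the PIV card; that identity-proofing step is assumed, not modelled here.
func (rp *RelyingParty) Register(identityID string, pub *ecdsa.PublicKey) (string, error) {
	raw := make([]byte, 16)
	if _, err := rand.Read(raw); err != nil {
		return "", err
	}
	id := hex.EncodeToString(raw)
	rp.creds[id] = Credential{ID: id, IdentityID: identityID, PublicKey: pub}
	return id, nil
}

// Challenge issues a fresh 32-byte random challenge for a registered credential.
func (rp *RelyingParty) Challenge(credID string) ([]byte, error) {
	if _, ok := rp.creds[credID]; !ok {
		return nil, errors.New("unknown credential")
	}
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		return nil, err
	}
	rp.challenges[credID] = c
	return c, nil
}

// assertionDigest binds the signature to both the RP identity and the challenge,
// so an assertion produced for one RP cannot be replayed at another.
func assertionDigest(rpID string, challenge []byte) []byte {
	rpHash := sha256.Sum256([]byte(rpID))
	h := sha256.New()
	h.Write(rpHash[:])
	h.Write(challenge)
	return h.Sum(nil)
}

// SignAssertion is the authenticator's side: sign the RP/challenge digest.
func SignAssertion(priv *ecdsa.PrivateKey, rpID string, challenge []byte) ([]byte, error) {
	return ecdsa.SignASN1(rand.Reader, priv, assertionDigest(rpID, challenge))
}

// Verify checks an assertion against the stored public key and, on success,
// returns the identity record the credential is linked to. The challenge is
// consumed whether or not the signature verifies, so a replayed or guessed
// assertion gets exactly one attempt per issued challenge.
func (rp *RelyingParty) Verify(credID string, challenge, sig []byte) (string, error) {
	cred, ok := rp.creds[credID]
	if !ok {
		return "", errors.New("unknown credential")
	}
	outstanding, ok := rp.challenges[credID]
	delete(rp.challenges, credID)
	if !ok || !bytes.Equal(outstanding, challenge) {
		return "", errors.New("challenge not outstanding (expired or replayed)")
	}
	if !ecdsa.VerifyASN1(cred.PublicKey, assertionDigest(rp.RPID, challenge), sig) {
		return "", errors.New("signature does not verify under registered key")
	}
	return cred.IdentityID, nil
}

func main() {
	rp := NewRelyingParty("agency.example.gov") // assumed RP ID
	priv, _ := GenerateAuthenticatorKey()
	credID, _ := rp.Register("identity-record-0001", &priv.PublicKey) // constructed record ID
	ch, _ := rp.Challenge(credID)
	sig, _ := SignAssertion(priv, rp.RPID, ch)
	who, err := rp.Verify(credID, ch, sig)
	fmt.Println("first use:", who, err)
	_, err = rp.Verify(credID, ch, sig) // same assertion again: rejected as a replay
	fmt.Println("replay:", err)
}
```

The point of contrast with PIV is in `Verify`: trust in the public key comes from the RP's own registration table, populated at issuance time, rather than from a certificate chained to a CA. That is what makes the credential cheap to issue and revoke (delete the row) but also why the identity-proofing step before `Register` carries the entire weight of the binding.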

The new paper makes clear that PIV remains the gold standard for authentication in the U.S. government, and will remain a core component of the federal enterprise. But as agencies strive to achieve the Commission’s recommendations, an approach that augments PIV solutions with FIDO can improve cyber hygiene across the Federal enterprise and help the U.S. to more effectively secure digital assets.

Eliminating password-based breaches by 2021 is an ambitious goal, but it’s not one that is impossible. With more than 300 FIDO® Certified products, the United States and other governments around the world can look to the growing ecosystem of FIDO solutions to deliver simpler, stronger authentication.

>>Download the white paper

[1] See the Commission on Enhancing National Cybersecurity’s Report on Securing and Growing the Digital Economy, available at
