By Brett McDowell, executive director of the FIDO Alliance, with Paul Grassi, senior standards and technology advisor, NIST
The proliferation of mobile devices leaves U.S. government agencies with a tough balancing act between security, usability and effectively performing their missions. How can they accommodate an increasingly mobile workforce that wants to use all of their devices to access online services, while adhering to a plethora of security policies and directives?
To answer the call, the Office of Management and Budget (OMB) and the National Institute of Standards and Technology (NIST) have provided agencies with strong options, such as derived PIV credentials (guidelines for which are outlined in NIST SP 800-157). A derived PIV credential is a PKI credential issued to a user's mobile device on the strength of that user already holding a PIV smart card (and having been identity-proofed before the PIV was issued), giving users secure and flexible options to access critical apps and information.
However, deployment of these secure mobile authentication options has not matched demand. We still aren’t seeing wide deployment of mobile credentials that meet NIST guidelines and the risk profiles of agencies. In addition, the U.S. government has not consistently adopted the biometric capabilities built into most mobile device platforms as the private sector has.
There’s good news for government – FIDO authentication standards, and the devices with FIDO capability built-in, provide additional options to help agencies go mobile while staying secure and adhering to important standards and guidelines.
Going Mobile with FIDO: Usable, Secure and Private
The FIDO Alliance is improving online authentication by developing open, interoperable industry specifications that leverage device-based user verification for better usability and proven public key cryptography for stronger security. With FIDO, agencies don’t have to sacrifice usability and efficiency to obtain strong authentication for mobile access to online services.
For better usability, FIDO standards support a range of interoperable authentication factors and modalities, including biometrics built into many mobile devices today for strong authentication. For example, with FIDO, the user need only touch something (fingerprint sensor) or look at something (iris or facial recognition) on their mobile device to securely access apps and data. While these examples use biometrics, there are other non-biometric modalities supported that are still interoperable – such as a security token using Near Field Communication (NFC) – should a portion of the workforce not choose a biometric option.
There is already a rich set of products ready for FIDO deployment – more than 150 products from over 60 different companies have been tested and FIDO Certified, including products from leading mobile device manufacturers such as Samsung, Lenovo, Sony and LG. This is thanks to the FIDO certification program, which ensures that different FIDO implementations interoperate with each other on a technical level and that the technical specifications are adhered to.
To match the usability with the required strong authentication needed in government, FIDO standards utilize industry standard, tested and vetted cryptographic algorithms and security mechanisms in significant use by the public and private sectors. With FIDO, you can achieve the security benefits of public key cryptography without the traditional and costly certificate authority (CA) model. In other words, it’s public key without the “infrastructure.” Additionally, if a biometric authenticator is your choice, rest assured, FIDO mandates that the biometric NEVER leaves the device, increasing privacy and security by effectively limiting the chance of a massive breach of credentials.
How FIDO Registration Works
As detailed in the image above, registration is completed as follows:
- User is prompted to choose an available FIDO authenticator that matches the online service’s acceptance policy.
- User unlocks the FIDO authenticator using a fingerprint reader, a button on a second-factor device, a securely entered PIN or other method.
- User’s device creates a new public/private key pair unique for the local device, online service and user’s account.
- Public key is sent to the online service and associated with the user’s account. The private key and any information about the local authentication method (such as biometric measurements or templates) never leave the local device.
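As an added illustration of these four steps and of the login that follows them, the Go program below models both sides of the exchange. It is example code written for this article, not FIDO Alliance code or any certified implementation, and it simplifies the real FIDO message formats: the service identifier "agency.example.gov", the account "jdoe", the use of P-256 ECDSA as the signature algorithm, and the exact bytes that get signed (service ID plus a random challenge) are all assumptions made for the example. What it preserves are the properties the text relies on: the local unlock is a gate that releases nothing about the user, a fresh key pair is generated per service and account, only the public key reaches the service, and a login is a signature over a single-use challenge.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Authenticator models the user's device: one key pair per (service, account), kept private.
type Authenticator struct {
	keys         map[string]*ecdsa.PrivateKey // keyed by rpID + "\x00" + account; never exported
	userVerified bool                         // set by fingerprint/PIN/button; no template leaves the device
}

// UnlockLocally stands in for the user gesture; a single operation consumes it.
func (a *Authenticator) UnlockLocally() { a.userVerified = true }

// Register creates a key pair scoped to this service and account and returns only the public half.
func (a *Authenticator) Register(rpID, account string) (*ecdsa.PublicKey, error) {
	if !a.userVerified {
		return nil, errors.New("registration requires local user verification")
	}
	a.userVerified = false
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	if a.keys == nil {
		a.keys = map[string]*ecdsa.PrivateKey{}
	}
	a.keys[rpID+"\x00"+account] = priv
	return &priv.PublicKey, nil
}

// Sign answers a challenge with the key scoped to rpID; a phishing site has a different rpID,
// so no key exists for it and signing fails instead of producing a relayable assertion.
func (a *Authenticator) Sign(rpID, account string, challenge []byte) ([]byte, error) {
	if !a.userVerified {
		return nil, errors.New("signing requires local user verification")
	}
	a.userVerified = false
	priv, ok := a.keys[rpID+"\x00"+account]
	if !ok {
		return nil, errors.New("no credential registered for " + rpID)
	}
	return ecdsa.SignASN1(rand.Reader, priv, assertionDigest(rpID, challenge))
}

func assertionDigest(rpID string, challenge []byte) []byte { // binds the service ID into the signed data
	h := sha256.New()
	h.Write([]byte(rpID + "\x00"))
	h.Write(challenge)
	return h.Sum(nil)
}

// RelyingParty models the online service; it stores public keys only, nothing an attacker could log in with.
type RelyingParty struct {
	ID       string
	accounts map[string]*ecdsa.PublicKey
	pending  map[string][]byte // one outstanding challenge per account
}

func NewRelyingParty(id string) *RelyingParty {
	return &RelyingParty{ID: id, accounts: map[string]*ecdsa.PublicKey{}, pending: map[string][]byte{}}
}

// RegisterKey associates the public key with the account record (the last registration step).
func (rp *RelyingParty) RegisterKey(account string, pub *ecdsa.PublicKey) { rp.accounts[account] = pub }

// Challenge issues a fresh random nonce for one login attempt.
func (rp *RelyingParty) Challenge(account string) ([]byte, error) {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		return nil, err
	}
	rp.pending[account] = c
	return c, nil
}

// VerifyAssertion checks the signature over the pending challenge and retires it, so a captured assertion cannot be replayed.
func (rp *RelyingParty) VerifyAssertion(account string, sig []byte) bool {
	pub, ok := rp.accounts[account]
	c, okc := rp.pending[account]
	if !ok || !okc {
		return false
	}
	delete(rp.pending, account)
	return ecdsa.VerifyASN1(pub, assertionDigest(rp.ID, c), sig)
}

func main() {
	auth, rp := &Authenticator{}, NewRelyingParty("agency.example.gov") // hypothetical service ID
	auth.UnlockLocally()
	pub, _ := auth.Register(rp.ID, "jdoe")
	rp.RegisterKey("jdoe", pub)
	challenge, _ := rp.Challenge("jdoe")
	auth.UnlockLocally()
	sig, _ := auth.Sign(rp.ID, "jdoe", challenge)
	fmt.Println("login accepted:", rp.VerifyAssertion("jdoe", sig))  // true
	fmt.Println("replay accepted:", rp.VerifyAssertion("jdoe", sig)) // false
}
```

Two things worth noticing when running it. Registering the same user at a second service produces an unrelated public key, which is the privacy property the article refers to, and it is also why a later section notes that an agency wanting one credential across all of its applications must run registration through a central identity provider rather than letting each application register its own key. And the authenticator refuses to sign for a service ID it has never registered with, which is the mechanism that makes the credential phishing-resistant. The real FIDO protocol messages carry more than this model does (attestation of the authenticator model, a signature counter, and a precisely defined client-data structure), but the shape of the exchange is the same.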
How FIDO Fits In: Government Use Cases
FIDO is an excellent option for any use case in which government agencies need to provide simple, fast and secure multi-factor, mobile-based authentication to digital services. Some opportunities in federal and local governments for access to government applications include:
- Derived PIV credentials
- Public safety and first responder credentials
- Emergency communications personnel credentials
- International partner credentials
- Business partner credentials
- Citizen or beneficiary access to government services
- Credentials for contractors and employees that aren’t eligible for a PIV but need secure access to online services
- Physical access control applications, e.g. using FIDO along with NFC on a mobile device
FIDO can provide the necessary usability, security, privacy and utility for all of these use cases, while helping government agencies meet security policies and directives including:
- OMB M-04-04. FIDO specifications can be implemented on platforms that support all of the levels of assurance defined in OMB M-04-04. FIDO provides one unified specification; government agencies can support FIDO-based authenticators across a range of levels of assurance (LOA) while deploying a single server-side infrastructure that supports any client-side device.
- NIST SP 800-63-2 Electronic Authentication Guidelines. FIDO authenticators can satisfy the requirements of several of the token types defined in 800-63-2. In addition, FIDO authenticators that use biometrics meet the requirements of the NIST 800-63-2 Electronic Authentication Guidelines because the biometric is used locally only to unlock a strong cryptographic key, and the biometric sample and template never leave the device.
- NIST SP 800-157 Guidelines for Derived Personal Identity Verification (PIV) Credentials. FIDO authentication standards meet most of the technical requirements of NIST 800-157, and the workflow specified in 800-157 does not need to be modified to support a FIDO-compliant derived PIV credential. The only difference between a FIDO-compliant solution and the specifications within SP 800-157 is the usage of PKI: SP 800-157 specifies a certificate issued by a certificate authority, whereas a FIDO credential is a public key registered directly with the relying party, with no certificate or CA involved.
Looking deeper at FIDO for derived PIV credentials, most of the challenges associated with such a deployment will be associated with business process, not technology. Specifically, agencies will need to define a workflow that allows a user to associate a FIDO authenticator, specifically the public/private key pair, with their enterprise digital identity – just as they would for a PKI certificate. Because a FIDO authenticator generates a separate key pair for each online service it registers with (the design choice that keeps the user's activity at different services unlinkable), an agency that wants one credential to work across all of its FIDO-compliant applications, e.g. mobile applications, would need to invoke the key generation process once, as part of an overarching identity and access management framework, rather than letting each application register its own key.
In this example, the issuing entity would serve as the identity provider and the public key would need to be registered with the digital identity record of the user. From that point on, the user can use the FIDO derived PIV credential. With this type of approach, a FIDO derived PIV credential can operate in parallel and with no disruption to existing PIV- and PKI-based solutions.
FIDO for Citizens, Too
FIDO’s combination of usability, security and privacy also makes it a good option for citizen access to government online services. For citizen-facing services, EO 13681 requires agencies that make personal data available online to utilize two-factor authentication. With FIDO, agencies can meet this requirement by allowing citizens to “bring their own authenticator,” thus allowing them to use their FIDO-compliant mobile device or desktop browser to simply and strongly authenticate themselves to government services such as filing taxes, managing social security benefits, applying for student loans or submitting health insurance claims. This is not only a win for the citizen – they use what they like and already have to securely authenticate to government services. This is a win for the government too, as they don’t need to issue specialized credentials just to offer secure, privacy-enhancing multi-factor authentication for the services they provide.
For agencies looking to optimize security, usability, privacy, and effectively perform their missions, deploying mobile authentication for access to online services can be achieved without reinventing the wheel. FIDO’s open, interoperable industry specifications can help them obtain the best of all worlds – device-based user authentication for better usability and proven public key cryptography for stronger security and privacy.