Topics about PIV implementation and research.

PIV Card Logon With An IdenTrust Certificate

PIV standardization has made it much easier to secure a domain with smart cards, requiring only a few configuration steps and no additional software. The goal of this article is to walk through those configuration steps so that corporations can understand what is involved and test PIV cards in their environment first-hand.

How to Add Biometrics To Your Corporate PIV Card Issuance Process

Now that numerous enterprises have implemented corporate PIV cards (PIV-C) for their multi-factor authentication needs, they want even more security from PIV by adding biometric components to their cards. This blog provides a guide for adding biometrics to an existing PIV-C issuance system, as well as guidance for implementing a biometric program in new environments.

 

Agenda

This blog will help you add a biometric capability to your enterprise. It describes:

  1. Benefits of Biometrics
  2. What you will need
  3. Implementation Steps

Benefits of Biometrics

Biometrics are mainstream, not only because of the awareness created by the mobile platforms that use them (iPhone, Droid, Surface Pro) but because of security and basic economic factors. Thanks to NIST's biometric standardization work, biometric capture and usage processes and interfaces are standardized so that biometric data is compatible across vendor platforms. This interoperability lets an enterprise swap biometric devices as its business needs change. Standardization has also increased competition in the marketplace and driven prices down: in the early 2010s a biometric capture device cost over $10,000, and now one can be purchased for under $1,000, making biometric technology affordable and realistic for enterprises.

Security

In multi-factor terms, a biometric adds a third factor. To use a person's credential, an attacker must 1) physically possess the card, 2) know the PIN and 3) present the enrolled fingerprint and/or iris. In realistic terms that means stealing the card, guessing its PIN before the retry counter locks it, and then defeating the biometric check. With all three controls in place, using someone else's PIV card becomes impractical rather than merely difficult. Two caveats apply: two people can collude so that one card is surreptitiously used by both, and the extra factor only counts where the relying system actually verifies it (a reader that only checks the CHUID verifies none of the three). Where all controls are enforced, a three-factor scheme is extremely secure.

Operational Efficiencies

With this added security and trust, the enterprise can replace labor-intensive, human-based verification with secure, automated machine transactions. Even in PIV Card personalization, a user who verifies their identity with a fingerprint can load their card without being visually verified by a security or issuance operator. The user can load the card from home, the office or a kiosk at a time that is convenient for them, with no time wasted in traffic just to encode a PIV card.

What you will need

Updated Privacy Policy

A sometimes overlooked but critical element is the enterprise privacy policy. It should state clearly what will be done with the biometrics, who can access them, how long they will be stored and how they are secured. NIST SP 800-122, the Guide to Protecting the Confidentiality of Personally Identifiable Information (PII), can help you extend your privacy policy to biometric data (https://www.nist.gov/publications/guide-protecting-personally-identifiable-information).

Issuance Model Refinement

The credential issuance process will need to be updated to include the enrollment of biometric data. The great thing about PIV-C is the flexibility of where biometrics can be captured in the process.

Options for biometric collection

  • Enrollment phase: Biometrics are acquired before the user has been adjudicated, usually during the photo or identity document capture step. The advantage of capturing biometrics this early is that they can be used in later credentialing phases to streamline the whole process; for example, a user can verify their identity with a fingerprint and pick up their credential at a self-service kiosk.
  • Credential pre-issuance: Capture occurs after the enrollment phase but just before the credential is encoded. The advantage is that the biometric is captured on demand, immediately before the credential is loaded and handed to the user.
  • Credential post-issuance: Capture occurs after the credential has been issued and the user already has it in hand. The advantage is that the enterprise can add biometrics to cards that are already in circulation.

Biometric Capture Training

Another often overlooked element is training. The key to being able to use biometrics after they are enrolled is quality. Therefore, enrollment officials should undergo training to ensure they do everything possible to capture the best biometric sample. Training elements should include:

  • Proper hardware cleaning: The capture surface must be cleaned after each use so that the highest-quality fingerprint image can be taken. The Suprema RS-D and G10 capture surfaces can be cleaned with a basic sanitary wipe. *Note: check with your biometric manufacturer before performing any cleaning, as some hardware requires specialized cleaning materials. The enrollment officer should be trained in the correct procedure for the specific device.
  • Hardware and user positioning: Just as important as device cleanliness is the positioning of the fingers, or of the iris camera, during acquisition. The enrollment official should show the user how to position their fingers during capture. With an iris camera, take extra care that the user's eyes are aligned properly with the device.
  • Software scoring feedback: Modern enrollment systems report a quality score after each acquisition. The enrollment officer should be trained on the acceptable thresholds and on recapturing when a sample scores below them.
  • Testing and validation: The system should be configured to force the enrollment officer to test the captured biometrics. After acquisition, the user presents the biometric again and it is matched against the enrolled sample, simulating the verification the card will later perform. If this test fails, the officer should be trained to recapture and repeat the test until validation succeeds.
  • Fail-to-capture scenarios: Capturing usable biometrics from some users is difficult or impossible. The enrollment officer should be taught to recognize these cases and to document the reason properly, so the record shows a deliberate exception rather than a missing sample.

Biometric Technologies

Biometric hardware

These are the hardware elements that physically acquire the biometric sample from the user.

Biometric modality options

  1. Fingerprint: The Suprema RS-D two-print capture device provides a fast and portable means to capture fingerprints. The hardware is easy to maintain and offers built-in scoring and segmentation features that make the whole fingerprint capture process fast.

  2. Iris: The ICAM TD100 iris capture device is lightweight and allows for extremely advanced acquisition of iris biometrics.

IDMS/Enrollment software

The enrollment software guides the operator through the biometric acquisition process. It works with the biometric hardware to capture, segment and score the biometric data. Once complete, it provides a way to securely transmit the biometric data to the Credential Management System (CMS) where it will be encoded onto the user’s credential.


Credential Management System (CMS)

The CMS is responsible for taking the biometric data and encoding it in the PIV Card. The biometric data acquired during the enrollment process will be sent to the card via the CMS.


 

PIV-Compliant Smart Card Credential

The PIV Card is the final storage location for the biometric data. Every PIV-conformant card has defined data objects for biometrics (FIPS 201 makes the Cardholder Fingerprints object mandatory). The CMS writes the signed biometric record into the card, where it can later be read for verification or, with on-card comparison, used without ever leaving the card.
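To make the card side of this concrete, here is an added example (written for this page, not code from the original post or from any vendor's CMS) that builds and parses the CBEFF record a PIV Cardholder Fingerprints object carries: an 88-byte Patron Header followed by the biometric data block (BDB) and the signature block (SB). The header field layout and constants follow my reading of NIST SP 800-76-2 and should be treated as assumptions to check against the specification; the BDB content, the FASC-N value, the creator string and the zero-filled SB are constructed placeholders. The usable_for_verification gate is where the quality thresholds and fail-to-capture rules from the training section land in code.

```python
"""Build and parse the CBEFF record carried by the PIV Cardholder Fingerprints object.

Layout per my reading of NIST SP 800-76-2 (assumption: verify against the spec).
The BDB is constructed filler, not a real INCITS 378 minutiae record, and the SB is
a placeholder for the issuer's CMS signature over header + BDB; structure only."""
import struct
from datetime import datetime

HEADER = struct.Struct(">BBIHHH8s16s3sBb18s25s4s")   # big-endian Patron Header, 88 bytes
assert HEADER.size == 88

PATRON_VERSION = 0x03
SECURITY_SIGNED = 0x0D            # SBH options: integrity via signature, not encrypted
FORMAT_OWNER_INCITS = 0x001B      # INCITS/M1
FORMAT_TYPE_FMR = 0x0201          # INCITS 378 finger minutiae record
BIOTYPE_FINGER = b"\x00\x00\x08"
DATATYPE_PROCESSED = 0x20         # processed template (raw would be 0x80, intermediate 0x40)


def bcd_date(dt: datetime) -> bytes:
    """YYYYMMDDhhmmss as 7 BCD bytes followed by an ASCII 'Z' (8 bytes total)."""
    return bytes.fromhex(dt.strftime("%Y%m%d%H%M%S")) + b"Z"


def parse_bcd_date(b: bytes) -> datetime:
    return datetime.strptime(b[:7].hex() + b[7:8].decode("ascii"), "%Y%m%d%H%M%SZ")


def build_cbeff(bdb, fasc_n, quality, created, valid_from, valid_until,
                creator=b"ENROLL-STATION-01", sb=b"\x00" * 256):
    """Assemble header + BDB + SB. quality: -2 unsupported, -1 failed capture, 0..100."""
    if not -2 <= quality <= 100:
        raise ValueError("quality out of range")
    if len(fasc_n) != 25:
        raise ValueError("FASC-N must be 25 bytes")
    header = HEADER.pack(
        PATRON_VERSION, SECURITY_SIGNED, len(bdb), len(sb),
        FORMAT_OWNER_INCITS, FORMAT_TYPE_FMR,
        bcd_date(created), bcd_date(valid_from) + bcd_date(valid_until),
        BIOTYPE_FINGER, DATATYPE_PROCESSED, quality,
        creator.ljust(18, b"\x00"), fasc_n, b"\x00" * 4)
    return header + bdb + sb


def parse_cbeff(blob: bytes) -> dict:
    """Split a record into its parts and reject anything structurally inconsistent."""
    if len(blob) < HEADER.size:
        raise ValueError("truncated CBEFF record")
    (ver, sec, bdb_len, sb_len, owner, ftype, created, validity,
     biotype, dtype, quality, creator, fasc_n, _reserved) = HEADER.unpack_from(blob)
    if ver != PATRON_VERSION:
        raise ValueError(f"unexpected patron header version {ver:#x}")
    if HEADER.size + bdb_len + sb_len != len(blob):
        raise ValueError("BDB/SB lengths do not match record size")
    return {
        "security_options": sec,
        "format": (owner, ftype),
        "created": parse_bcd_date(created),
        "valid_from": parse_bcd_date(validity[:8]),
        "valid_until": parse_bcd_date(validity[8:]),
        "biometric_type": biotype,
        "data_type": dtype,
        "quality": quality,
        "creator": creator.rstrip(b"\x00").decode("ascii"),
        "fasc_n": fasc_n,
        "bdb": blob[HEADER.size:HEADER.size + bdb_len],
        "sb": blob[HEADER.size + bdb_len:],
    }


def is_structurally_valid(blob: bytes) -> bool:
    try:
        parse_cbeff(blob)
        return True
    except ValueError:
        return False


def usable_for_verification(rec: dict, min_quality: int = 20) -> bool:
    """Policy gate: a failed capture (-1) or unsupported quality (-2) is never encoded,
    and anything below the enterprise threshold is sent back for recapture."""
    if rec["format"] != (FORMAT_OWNER_INCITS, FORMAT_TYPE_FMR):
        return False
    return rec["quality"] >= min_quality


def demo_record():
    """Constructed sample: 60-byte filler BDB, placeholder FASC-N, quality 75."""
    bdb = b"FMR\x00 030\x00" + b"\x00" * 51          # not a real minutiae record
    fasc_n = bytes(range(25))                          # placeholder, not BCD-encoded
    created = datetime(2020, 1, 2, 3, 4, 5)
    blob = build_cbeff(bdb, fasc_n, 75, created, created, datetime(2025, 1, 2, 3, 4, 5))
    return blob, parse_cbeff(blob)
```

The parser deliberately refuses records whose declared BDB and SB lengths do not add up to the bytes actually present: a truncated or padded object read back from a card is a sign of a bad encode or a tampered container, and should fail the post-encode validation step rather than be matched against.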


Implementation Steps

1) Publish the updated privacy policy

Ensure the latest version of the privacy policy is published where everyone receiving a credential can access it.

2) Document the issuance model

Determine where in the process the biometric data will be acquired. From here, update the issuance flow processes, procedures, and training materials.

3) Perform enrollment officer training

Provide training courses for enrollment officers. Ensure each officer has the knowledge needed to capture biometric data in accordance with enterprise policies.

4) Install and configure the technologies

  1. Configure the CMS card policy to include biometrics
  2. Install the biometric hardware and enrollment suite
  3. Link the biometric platform to the CMS
  4. Configure the biometric enrollment policies
  5. Perform the biometric enrollment
  6. Encode the credential

Conclusion

Biometrics add a level of security that can genuinely help organizations resist credential-theft attacks, and they can add operational efficiencies when planned properly. Whether you have an existing PIV-C issuance platform or are starting from scratch, adding biometrics can be simple and is well worth the investment. If you would like to know more about how biometrics or PIV-C can be implemented in your enterprise, go here. For a virtual demonstration, send an email to sales@cyberarmed.com.

Certificate Validation Speed Considerations for Mobile and Derived Credentials

As mobile credentials grow in popularity and more users adopt them within the organization, IT managers should consider an important usability aspect: certificate validation speed and availability. This blog discusses what it takes to make mobile device certificate validation fast and scalable enough to handle the ever-growing volume of mobile certificate validation.

Agenda

This blog will help you learn how to build a fast and resilient credential validation infrastructure. It describes:

  1. Basics of certificate validation
  2. Impacts of mobile device certificate validation
  3. Considerations for adding speed and resiliency

Basics of Certificate Validation

To understand how to speed up validation, we first need to understand how certificate revocation checking works. A certificate that is cryptographically valid may still have been revoked (lost card, separated employee, compromised key), so the relying system must check the certificate's serial number against a Certificate Revocation List (CRL): a signed list, published by the issuing Certificate Authority (CA), of the serial numbers of every certificate it has revoked that has not yet expired. If the serial number appears on the list, the certificate is treated as revoked and must not be accepted. This check is essential, but it can be slow.


To obtain the CRL, the computer that is verifying the card performs what is known as certificate validation. As part of that process it downloads the CRL from the distribution point named in the certificate (normally an HTTP URL operated by the CA), verifies the CA's signature on the list, and checks whether the certificate's serial number is on it. If the certificate is in good standing, the transaction can proceed. Clients cache the CRL until its nextUpdate time, so the download cost recurs every time the cached copy expires.


Drawbacks of CRL Validation

Although CRL validation works, it is slow and creates a single point of failure. Each computer must download the entire list to learn the status of the one certificate in front of it, and for a large PIV population the CRL can run to many megabytes. Every client depends on the same distribution point being reachable at the moment its cached copy expires.


In enterprise environments, this leads to very slow validation times and outages. When this occurs, the end users cannot use their certificate for authentication…which leads to the end user being locked out of their computer. This can quickly become a huge problem for the enterprise.


Impacts of Mobile Device Certificate Validation

The biggest impact has to do with the number of certificates that now must be validated by the enterprise. As we will see below, there are numerous factors that could drastically change the validation requests that occur in the enterprise during typical work day.

1 Person – many devices

Think of how many devices you own. I personally have two laptops, one phone and one tablet; some people have two phones, two laptops and a tablet or two. Now multiply the number of devices by the employees, partners and external users across the enterprise. That is a lot of devices that need to be validated if a person wants to use their certificate on any of them, and this jump in validation transactions can bring a traditional validation architecture to a halt.

Upgrade cycle

Each year the mobile device vendors ship a better phone, tablet or ultra-cool laptop than the year before, encouraging users to upgrade their multiple devices. Every new device needs new certificates and the old ones are revoked, so the volume of certificates being generated and revoked keeps climbing. Each revoked certificate is one more entry on the CRL until it expires, so the CRL grows and grows and validation gets slower and slower.

1 Certificate – multiple devices

With new certificate synchronization technologies, a user's certificate on one device can be synchronized to their other devices, for instance so they can read an encrypted email on both their laptop and their smartphone. This makes it easier to read secure email on any device you own, but it also increases the validation workload, because the same certificate is now being used, and validated, in multiple places.

Considerations for Adding Speed and Resiliency

To overcome the limitations of CRL validation, the Online Certificate Status Protocol (OCSP) was developed. Instead of downloading the whole CRL, the client tells the responder which one certificate it cares about and receives a small, signed OCSP response stating whether that certificate is good, revoked or unknown, together with the time the status was produced. The client verifies the responder's signature and the response's freshness, so it learns the same fact the CRL would have told it while downloading a few hundred bytes to a few kilobytes instead of a multi-megabyte file. In practice the responder is usually fed from the CA's CRL, so the freshness of its answers is bounded by how often the responder is updated.


The OCSP architecture is significantly faster because each workstation only downloads the small response for the certificate being validated. The single point of failure disappears only if the enterprise actually deploys redundant responders, since a lone OCSP responder is just as much a dependency as a lone CRL distribution point; with responders placed in different parts of the network, validation survives the loss of any one of them.


Benefits

  • Faster transactions: With OCSP, a certificate can be validated in one small round-trip, whereas CRL validation can take minutes (or longer) while a large CRL downloads, and it consumes large amounts of network bandwidth.
  • "Always there" validation: With CRL validation a single point of failure exists. If the network is interrupted and the CRL cannot be downloaded when cached copies expire, every computer that needs the list fails to validate PIV cards, which can lock end users out of their computers for hours. With OCSP the validation elements can be distributed throughout the environment so that computers can validate against different servers, providing "always there" validation.
  • Scalable: The distributed design of OCSP lets enterprises tune and optimize their PIV validation capability. As the PIV Card user base grows, they can add processing capacity with additional OCSP servers.
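The size difference is easy to see in bytes. The following added example (not from the original post; it is illustrative code written for this page) builds a DER CertificateList (RFC 5280) holding N revoked serial numbers with a tiny DER encoder, parses it back with a matching decoder to answer the question a client actually asks, "is this one serial revoked?", and then encodes the RFC 6960 SingleResponse an OCSP responder would return for that serial. The issuer name, issuer key bytes, serials and dates are constructed, and the CRL signature is a zero-filled placeholder, so nothing here is cryptographically signed; the ASN.1 layout and the byte counts are real.

```python
"""A DER CertificateList versus one OCSP SingleResponse, built and parsed offline.

Constructed issuer, key bytes, serials and dates; placeholder (all-zero) CRL
signature. Demonstrates the ASN.1 structure and the per-query cost, not trust."""
import hashlib
from datetime import datetime, timedelta, timezone


def der(tag: int, body: bytes) -> bytes:
    """TLV with a DER definite length."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def der_int(n: int) -> bytes:
    return der(0x02, n.to_bytes(max(1, (n.bit_length() + 8) // 8), "big", signed=True))


def der_seq(*items: bytes) -> bytes:
    return der(0x30, b"".join(items))


def utc_time(dt: datetime) -> bytes:       # UTCTime, used by CRLs
    return der(0x17, dt.strftime("%y%m%d%H%M%SZ").encode())


def gen_time(dt: datetime) -> bytes:       # GeneralizedTime, used by OCSP
    return der(0x18, dt.strftime("%Y%m%d%H%M%SZ").encode())


OID_SHA256_RSA = der(0x06, bytes.fromhex("2a864886f70d01010b"))   # 1.2.840.113549.1.1.11
OID_SHA256 = der(0x06, bytes.fromhex("608648016503040201"))       # 2.16.840.1.101.3.4.2.1
ALG_SHA256_RSA = der_seq(OID_SHA256_RSA, der(0x05, b""))
ALG_SHA256 = der_seq(OID_SHA256, der(0x05, b""))
# issuer Name: SEQUENCE { SET { SEQUENCE { OID 2.5.4.3 (CN), UTF8String } } } (constructed)
ISSUER_NAME = der_seq(der(0x31, der_seq(der(0x06, bytes.fromhex("550403")),
                                        der(0x0C, b"Example PIV CA"))))
ISSUER_KEY_BYTES = b"\xA5" * 270   # placeholder for the issuer's subjectPublicKey bytes


def build_crl(revoked_serials, now: datetime) -> bytes:
    """RFC 5280 CertificateList with one revokedCertificates entry per serial."""
    entries = b"".join(der_seq(der_int(s), utc_time(now)) for s in revoked_serials)
    tbs = der_seq(
        der_int(1),                            # version v2
        ALG_SHA256_RSA,                        # signature algorithm
        ISSUER_NAME,
        utc_time(now),                         # thisUpdate
        utc_time(now + timedelta(days=1)),     # nextUpdate: clients re-fetch after this
        der_seq(entries),                      # revokedCertificates
    )
    placeholder_sig = der(0x03, b"\x00" * 257)  # BIT STRING sized for a 2048-bit signature
    return der_seq(tbs, ALG_SHA256_RSA, placeholder_sig)


def read_tlv(buf: bytes, pos: int):
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        length, start = first, pos + 2
    else:
        nb = first & 0x7F
        length = int.from_bytes(buf[pos + 2:pos + 2 + nb], "big")
        start = pos + 2 + nb
    return tag, buf[start:start + length], start + length


def children(body: bytes):
    out, pos = [], 0
    while pos < len(body):
        tag, val, pos = read_tlv(body, pos)
        out.append((tag, val))
    return out


def revoked_serials(crl: bytes) -> set:
    """Walk tbsCertList and collect the serials in revokedCertificates."""
    _, cert_list, _ = read_tlv(crl, 0)
    tbs = children(cert_list)[0][1]
    for tag, val in children(tbs):
        kids = children(val) if tag == 0x30 else []
        # revokedCertificates is the SEQUENCE whose entries are SEQUENCE { INTEGER, Time };
        # the other SEQUENCEs in tbsCertList (AlgorithmIdentifier, Name) start differently
        if kids and kids[0][0] == 0x30 and children(kids[0][1])[0][0] == 0x02:
            return {int.from_bytes(children(e)[0][1], "big", signed=True) for _, e in kids}
    return set()


def ocsp_single_response(serial: int, revoked: set, now: datetime) -> bytes:
    """RFC 6960 SingleResponse: what a responder reports for exactly one certificate."""
    cert_id = der_seq(ALG_SHA256,
                      der(0x04, hashlib.sha256(ISSUER_NAME).digest()),       # issuerNameHash
                      der(0x04, hashlib.sha256(ISSUER_KEY_BYTES).digest()),  # issuerKeyHash
                      der_int(serial))
    if serial in revoked:
        status = der(0xA1, gen_time(now))   # revoked [1] IMPLICIT RevokedInfo { revocationTime }
    else:
        status = der(0x80, b"")             # good [0] IMPLICIT NULL
    return der_seq(cert_id, status, gen_time(now))


def ocsp_status(single: bytes) -> str:
    _, body, _ = read_tlv(single, 0)
    return {0x80: "good", 0xA1: "revoked", 0x82: "unknown"}[children(body)[1][0]]


def compare(n_revoked: int, serial: int) -> dict:
    """Bytes a client must fetch to learn the status of one serial, both ways."""
    now = datetime(2020, 1, 1, tzinfo=timezone.utc)
    crl = build_crl(range(1000, 1000 + n_revoked), now)
    rev = revoked_serials(crl)
    single = ocsp_single_response(serial, rev, now)
    return {"crl_bytes": len(crl), "ocsp_bytes": len(single),
            "crl_entries": len(rev), "status": ocsp_status(single)}


if __name__ == "__main__":
    for n in (100, 10_000, 100_000):
        print(n, compare(n, 1005))
```

Running it prints the CRL size against the fixed-size OCSP answer for 100, 10,000 and 100,000 revoked certificates: the SingleResponse stays around 110 to 130 bytes while the CRL grows by roughly 21 bytes per revoked serial. The SingleResponse is only the core of a real OCSP reply (the ResponseData wrapper, responder identity and signature add a few hundred bytes), which is still orders of magnitude smaller than an enterprise CRL.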

Implementation Approaches

Adding speed and resiliency has become much easier thanks to the adoption of OCSP by many software vendors. Apple and Microsoft, for example, ship OCSP clients in their operating systems out of the box. Enterprises also have easy-to-deploy options for adding OCSP capacity to their internal networks; the HID ActivID Validation Authority, for example, implements OCSP and other fast validation protocols and can be installed as a hardware appliance or as software.

Conclusion

It is clear that the NIST Derived Credential publications, industry support for virtual smart cards and the general need for strong MFA will continue to drive the need for PKI on mobile devices. Enterprises must be ready for this growth so that their validation architecture stays as robust and fast as possible.

How PIV-C Strengthens Physical Access Control Systems

In addition to providing strong multi-factor authentication (MFA) for cyber resources, the PIV-C card can do double duty and authenticate the user to physical resources such as doors, garages and turnstiles. This blog explores the threats to traditional physical access control systems (PACS) and how PIV-C security features mitigate many of them.

Threats to modern PACS

There are numerous ways PACS can be exploited. Possible attack vectors include identifier collisions, revoked PIV Cards, visual counterfeiting, skimming, sniffing, social engineering, electronic cloning, and electronic counterfeiting. These methods of attack, as well as others, are discussed below. [see NIST SP 800-116, pg.5-8]

Identifier collisions: The unique identifier is created during issuance. If a PACS then modifies, hashes or truncates it before it reaches the access control list (ACL) entries (for example, to fit a legacy card-number field), information is lost and multiple cards can reduce to the same identifier. The result is an identifier collision: several PIV cards appear to the PACS to be the same identity and receive the same access privileges.
Revoked PIV Cards: Revocation is routine (lost cards, separations, compromised keys), yet a revoked card can keep opening doors. To prevent this, the PACS should check revocation status regularly, using OCSP or a CRL, on the PIV Authentication certificate or the Card Authentication certificate. FIPS 201 requires credential validation for all PIV authentication mechanisms, but validating the Cardholder Unique Identifier (CHUID) or the biometric objects involves no revocation check: a PACS that relies on the CHUID mechanism continues to accept the card until the cardholder is de-authorized in each PACS separately. PACS also cache card data, so if the cache is not refreshed a revoked card still appears valid.
Visual counterfeiting: PIV cards are sometimes inspected visually by a guard to grant access to restricted areas. A card can be duplicated with the same appearance as the original; the only difference is that the counterfeit lacks the genuine card's electronic behavior. A replica can be produced by photocopying or image editing and printing onto a blank card. Such cards are unlikely to survive close examination by trained staff, but they may get by as a "flash pass", where the holder walks past holding the card up.
Skimming: A contactless PIV card can be skimmed by a concealed reader from as far as about 25 cm. The range is limited because the skimmer has to power the card by inductive coupling. The skimmer obtains any free-read data from the card through its antenna. The virtual contact interface (VCI) allows everything on the card that is not PIN-protected to be read once a VCI session is established; if an agency deploys cards that support VCI without requiring a pairing code, that data is exposed to skimming.
Sniffing: A sniffer is a passive receiver that does not power the card, so it operates at greater distances than a skimmer. When a cardholder presents the card at a reader, the reader powers the card and the two communicate over radio frequency; a sniffer within range records that exchange with its own RF receiver.
Electronic Cloning: After harvesting data by skimming, sniffing or social engineering, the attacker can write it onto a blank card. The copied certificates and CHUID carry the issuer's signatures and remain valid as long as the original card is valid. What the attacker cannot copy is the private or secret keys, which never leave the genuine card. A clone therefore passes CHUID authentication but fails PKI-CAK or PKI-AUTH, both of which require the card to prove possession of a key.
Electronic Counterfeiting: A battery-powered device with a microprocessor can generate and test CHUIDs repeatedly against a PACS reader, changing the FASC-N credential identifier on each trial until it finds one the PACS accepts. This works only if the reader does not verify the CHUID signature.

PIV-C Security Features

Thankfully, NIST has studied these PACS threats extensively and has developed standardized guidance for strong authentication mechanisms. A PACS can combine authentication steps to reach the level of assurance an area needs. Authentication is based on one, two or three of these factors [see NIST SP 800-116, pg. 18]:

  1. “something you have,” for example, possession of the PIV Card;
  2. “something you know,” for example, knowledge of the PIN;
  3. “something you are” for example, presentation of live fingerprints or irises by a cardholder.

PIV authentication mechanisms work in several different ways. The CHUID mechanism reads a data object from the card and verifies the issuer's signature on it. Stronger mechanisms make the card prove something: a private key on the PIV Card signs a challenge from the reader, or a live fingerprint or iris is compared against the biometric enrolled on the card.

The card also takes part in verifying its holder: it checks the PIN (or, with on-card comparison, the fingerprint) before it will perform PIN-protected operations, so a PIN-gated operation succeeding is itself evidence that the holder knew the PIN. The more independent checks a mechanism involves, the more trust it earns, and many combinations are possible.

For a card and a reader to work together at all, each access point in a PACS needs to support at least one authentication mechanism that every PIV card supports. Under FIPS 201-1 only PKI-AUTH (PIV card plus PIN) and CHUID plus VIS were guaranteed on all cards; FIPS 201-2 made the asymmetric Card Authentication key mandatory, so PKI-CAK can also be relied on for cards issued under that revision.

Authentication using PIV VIS (Visual Credentials): Trained staff examine the card's topographical security features. SP 800-116 assigns this little or no confidence in the identity of the cardholder, because the check is performed by a human and its quality depends entirely on that person's training and attention.
Authentication using CHUID (Cardholder Unique Identifier): A mandatory data object on every PIV card. It contains two identifiers, the FASC-N and a UUID, that uniquely identify the card. The CHUID is signed by the issuer, so alterations are detectable, and a card whose CHUID has expired or fails signature or path validation is denied. The CHUID is a free-read object, however, so it can be read and cloned easily; it identifies which card was presented, not whether the card is genuine.
Authentication with the Card Authentication Certificate (PKI-CAK): The asymmetric card authentication key is one of the two mandatory asymmetric keys on a FIPS 201-2 card. PKI-CAK authenticates the card; it requires no PIN, so on its own it says nothing about the person holding the card. It is highly resistant to cloning, since a clone would need the private key, and it protects against revoked cards because access is denied when certificate validation reports the certificate revoked. Failed signature verification or path validation likewise denies access.
Authentication with the Symmetric Card Authentication Key (SYM-CAK): Like PKI-CAK, but uses the optional symmetric card authentication key. It provides no protection against revoked cards, and because the key is shared only with the issuing agency's PACS it can only authenticate cards issued by that agency.
Unattended Authentication Using Off-Card Biometric Comparison (BIO): The fingerprints or iris images stored on the card are read out and compared with a live sample by the PACS. The stored biometric is signed by the issuer, so the PACS can check its authenticity. The signed biometric can nevertheless be copied onto a blank card, so a successful match proves only the biometric factor: BIO is one-factor authentication.
Attended Authentication Using Off-Card Biometric Comparison (BIO-A): The same as BIO, but supervised by an attendant who watches the card being presented, the PIN being entered and the live sample being captured, which deters fake cards and fake or synthetic fingerprints. SP 800-116 counts BIO-A as two-factor authentication.
Authentication with the PIV Authentication Certificate (PKI-AUTH): The PIV Authentication key is mandatory on every PIV card. The PACS performs public-key challenge-response authentication with that key, which the card will only use after the PIN (or, on OCC-capable cards, a fingerprint) has been verified, so a successful authentication proves both the card and its PIN. PKI-AUTH requires certificate validation and so protects against revoked or modified certificates.
Authentication Using On-Card Biometric Comparison (OCC-AUTH): On-card comparison may be implemented on the card. The enrolled biometric cannot be read out; instead the live sample is sent to the card, which performs the match itself.

OCC-AUTH runs over a secure channel between reader and card and provides two-factor authentication. It is highly resistant to cloning but offers no protection against revoked cards.
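As an added example (not from SP 800-116 or the original post), the toy PACS reader below models the threat table above in code: a free-read CHUID that a skimmed clone reproduces perfectly, a reader that skips signature verification and so accepts a counterfeit FASC-N, and a SYM-CAK-style challenge-response that a clone cannot answer because the key never leaves the genuine card. The issuer's CMS signature on the CHUID is stood in for by an HMAC under an issuer key, the card's response to the reader's challenge is an HMAC rather than the AES operation a real card performs (the standard library has neither CMS nor AES), and FASC-Ns are plain strings rather than the BCD-encoded real format. The last two scenario results show the revocation gap: de-authorizing the card in one PACS does nothing for another PACS that still has it on its list.

```python
"""Toy PACS reader: free-read CHUID vs keyed challenge-response.

Stand-ins (assumptions): HMAC for the issuer's CMS signature and for the card's
AES-based CAK response; string FASC-Ns instead of the BCD-encoded real format."""
import hashlib
import hmac
import os

ISSUER_KEY = os.urandom(32)   # stand-in for the issuer's CHUID signing key


def issuer_sign(fasc_n: str) -> bytes:
    """Stand-in for the issuer's CMS signature over the CHUID."""
    return hmac.new(ISSUER_KEY, fasc_n.encode(), hashlib.sha256).digest()


class Card:
    """Simulated PIV card: the CHUID is free-read, the CAK never leaves the card."""

    def __init__(self, fasc_n, chuid_sig, cak=None):
        self.fasc_n, self.chuid_sig, self._cak = fasc_n, chuid_sig, cak

    def read_chuid(self):
        """No PIN and no key needed: this is exactly what a skimmer or sniffer sees."""
        return {"fasc_n": self.fasc_n, "sig": self.chuid_sig}

    def general_authenticate(self, challenge: bytes) -> bytes:
        """Answer a reader challenge with the on-card key (HMAC stands in for AES)."""
        if self._cak is None:
            raise RuntimeError("card has no card authentication key")
        return hmac.new(self._cak, challenge, hashlib.sha256).digest()


class Issuer:
    def __init__(self):
        self.cak_registry = {}   # symmetric CAKs, shared only with this agency's PACS

    def issue(self, fasc_n: str) -> Card:
        cak = os.urandom(16)
        self.cak_registry[fasc_n] = cak
        return Card(fasc_n, issuer_sign(fasc_n), cak)


class Reader:
    """One PACS access point with its own ACL and its own copy of the CAK registry."""

    def __init__(self, acl, cak_registry=None, verify_chuid_sig=True):
        self.acl = set(acl)
        self.caks = dict(cak_registry or {})
        self.verify_chuid_sig = verify_chuid_sig

    def deauthorize(self, fasc_n: str) -> None:
        """Revocation only takes effect here once this PACS's own ACL is updated."""
        self.acl.discard(fasc_n)

    def auth_chuid(self, card: Card) -> bool:
        c = card.read_chuid()
        if self.verify_chuid_sig and not hmac.compare_digest(c["sig"], issuer_sign(c["fasc_n"])):
            return False
        return c["fasc_n"] in self.acl

    def auth_sym_cak(self, card: Card) -> bool:
        c = card.read_chuid()
        key = self.caks.get(c["fasc_n"])
        if key is None or c["fasc_n"] not in self.acl:
            return False
        challenge = os.urandom(16)                 # fresh per attempt: replay is useless
        try:
            response = card.general_authenticate(challenge)
        except RuntimeError:
            return False
        expected = hmac.new(key, challenge, hashlib.sha256).digest()
        return hmac.compare_digest(response, expected)


def clone(card: Card) -> Card:
    """Skimmed free-read data written to a blank card; the key cannot be copied."""
    c = card.read_chuid()
    return Card(c["fasc_n"], c["sig"])


def counterfeit(fasc_n: str) -> Card:
    """A fabricated identifier with no valid issuer signature."""
    return Card(fasc_n, b"\x00" * 32)


def scenario() -> dict:
    issuer = Issuer()
    real = issuer.issue("FASC-N-0001")
    strict = Reader(["FASC-N-0001"], issuer.cak_registry)          # verifies signatures
    lax = Reader(["FASC-N-0001"], verify_chuid_sig=False)           # identifier lookup only
    other_site = Reader(["FASC-N-0001"], issuer.cak_registry)       # a second PACS
    results = {
        "genuine_chuid": strict.auth_chuid(real),
        "clone_chuid": strict.auth_chuid(clone(real)),              # copied signature is valid
        "counterfeit_chuid_no_sig_check": lax.auth_chuid(counterfeit("FASC-N-0001")),
        "counterfeit_chuid_sig_check": strict.auth_chuid(counterfeit("FASC-N-0001")),
        "genuine_sym_cak": strict.auth_sym_cak(real),
        "clone_sym_cak": strict.auth_sym_cak(clone(real)),
    }
    strict.deauthorize("FASC-N-0001")                                # card reported lost
    results["after_deauth_here"] = strict.auth_sym_cak(real)
    results["after_deauth_other_site"] = other_site.auth_sym_cak(real)
    return results


if __name__ == "__main__":
    for name, accepted in scenario().items():
        print(f"{name:32s} {'ACCEPT' if accepted else 'DENY'}")
```

Two things to notice when reading the output: the clone passes CHUID even on the reader that verifies signatures, because the signature it carries is the issuer's genuine one, and the only checks that actually stop it are the ones that make the card compute something with a key it holds. The revocation gap is the same in the real world: SYM-CAK has no certificate to validate, so a lost card keeps working at every site until each PACS's list is updated.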

Security is extremely important when dealing with sensitive data, this is why NIST performs extensive research to help reduce the risks when it comes to PACS and PIV security.

The sprint is over…now the marathon begins

By now, agencies have finished their cyber security sprint and are in the midst of their retrospective. Undoubtedly this initiative has provided much needed focus to help fortify some of the most critical elements of IT infrastructure. If all went as planned, organizations have started to close obvious security vulnerabilities by; 1) enforcing multi-factor authentication (MFA) for computer access 2) digitally signing messages to prevent the spread of malicious code via email 3) encrypting data for resource protection.

But where do we go from here? How do we continue the MFA and data loss protection (DLP) practices started in the sprint phase, and continue to improve security across the organization for the long term? How do we do this effectively without losing productivity, doubling operational expenditures and frustrating our users? How do we continue this momentum to make meaningful, long term change that is not undone by the next system upgrade?

This article explores ways to continue to mature security architectures with the support of PIV technologies. Specifically, we cover techniques to help accelerate the adoption of PIV amongst users so that security architects can employ PIV in more areas of their infrastructure for improved identification and authentication services.

Why focus on PIV?

Given the broad scope of security, how does PIV fit into a larger strategic context? In other words, why focus on PIV and not something else? The answer is that the recent successful attacks share one trait: the attacker digitally impersonated a highly privileged user and thereby gained unfettered access to critical IT resources, each time by way of a stolen credential.

With PIV based authentication, the underlying trust and technology frameworks make these traditional credential-theft attacks impractical. The identity proofing controls, the tamper-resistant cryptographic token and the multi-factor requirements prevent an adversary from stealing a PIV credential remotely and using it from somewhere else. (What PIV does not address is malware on the endpoint using a card while it is inserted and unlocked, so endpoint hygiene still matters.) Below are the features that close the common credential-theft vectors:

  • Level of Assurance 4: The highest level of assurance. The person holding the PIV credential has been identity-proofed in person, has had a background check, and has been issued a tamper-resistant cryptographic token.
  • Multi-Factor Authentication (MFA): To use the PIV credential, the holder must physically possess the token and know its PIN, and in some cases must also present a biometric. Unlike a password that can be stolen from a database and replayed on its own, a stolen PIV credential is useless without every factor the authentication transaction requires.
  • Hot listing: Unlike a password, which can be stolen without the user's knowledge, a lost or stolen PIV credential is noticed because the user no longer physically has it. They report it, and the credential is placed on a revocation list that prevents it from being used.

Sounds great, but we have tried PIV before…

PIV has been around for a decade. For years, numerous organizations have attempted to integrate PIV credentials to strengthen their processes, but with little success. Although the cost of the technology decreased, and more technology vendors added out of the box support for PIV, user adoption has remained low and the PIV credential has never been fully utilized to reach its potential.

But why don’t users like PIV?

Based on years of working directly with users as they attempt to use PIV, the dislike of PIV can be attributed to two fundamental factors 1) usability and 2) perceived usefulness. Let’s explore these two factors.

USABILITY

It sounds so simple…just insert the PIV credential into a reader and type in your PIN. However, the simplicity associated with this statement is extremely deceiving and has derailed numerous well intentioned PIV integration plans. Many times, security managers just assume the user will know how to perform this action without proper training or instruction. Thus, when things do not work properly, the user becomes frustrated and develops a dislike for the technology. Compounding this problem is poor software design that is needlessly confusing and prone to unrecoverable failures that drastically increase the authentication burden and reduce productivity.

PERCEIVED USEFULNESS

Many of the users we have interviewed think their PIV credential is just a new ID badge used to gain access into their building. They did not know that the credential can also be used as a way to access their computers, protect messages or digitally sign documents. More importantly, they did not realize that their PIV credential can help protect their organization against hackers. Once we explained that the PIV credential can be one of the most effective ways to protect their digital identity and information, their desire to use the technology drastically increased.

Times (and PIV technologies) have changed

Thankfully, in just the past few months we have seen drastic changes and improvements in the management and usability features of PIV that eliminate many of the frustrations currently experienced by users. New technologies have been developed and standards have been refined to make PIV much more user friendly and practical. Even private industry has realized the power of the PIV security specifications and has built native support for PIV into its products. Finally, improved NIST standards have recognized the need for better usability and provide improved specifications for:

Mobile compatibility: New standards enable the user’s PIV card to be synchronized with their mobile device so they can easily employ PIV MFA and data protection controls on whatever platform they choose without needing a card reader.

Biometric flexibility: New standards, algorithms and privacy controls allow users to easily use their fingerprints to both strengthen and accelerate the authentication process.

Speed: New cryptographic algorithms and PIV card platforms have almost doubled the speed of a typical security transaction. Now the end user can authenticate and encrypt within seconds.

Self-service credential management: New software suites allow the user to securely manage their PIV credential from the convenience of their desk or home, thus eliminating the frustrations and productivity loss associated with travel.

The key to a sustainable security strategy – focus on user experience

With these PIV refinements, integration and usage of PIV credential technologies are much easier to achieve and maintain, which makes an enterprise-wide implementation of MFA and DLP technologies much more feasible and realistic. However, to achieve meaningful PIV adoption amongst users, frustrations must be replaced with productivity enhancements so that the user actually wants to use their PIV credential. The seven steps below provide both fundamental and advanced guidance to make PIV much more valuable for the user.

  1. Provide user education: One of the most effective (and most overlooked) actions to accelerate PIV adoption is to provide user training focused on 1) what the purpose of the PIV credential is, 2) how to properly use it, and 3) how to maintain it. One of the biggest barriers to large-scale adoption is that the user simply does not know what the PIV credential is or what it can do to protect their agency. When they realize how the new PIV credential can protect their digital identity and their agency, and are given basic training on usage, they are much more motivated to use the credential and adopt the technology.
  2. Streamline delivery and maintenance: New instant credential issuance models, secure self-service desktop software and faster technologies can dramatically reduce the burden on the end user to obtain a PIV credential. Users can now receive a credential immediately without requiring multiple visits to the security office, or even perform credential maintenance from their desk to completely eliminate the need for travel.
  3. Simplify the authentication experience: New standards for biometrics and contactless security transactions can drastically reduce the authentication burden for the end user. For example, with the on-card comparison biometric feature, users simply present their finger for authentication and do not have to enter a PIN. With the new contactless feature, the user does not need to insert the credential into a reader, but can simply be in proximity to their computer to perform authentication.
  4. Automate protection settings: Infrastructure for authentication, email signing and data encryption can be configured in a manner that completely automates the security transaction for the end user. For example, Active Directory and Outlook can be configured to automatically use the PIV credential for computer logon and email encryption without requiring the user to take any further action.
  5. Sync with their mobile devices: New specifications and technologies can enable users to synchronize their PIV card with their mobile device. The user can then continue to apply the same PIV security controls on their mobile device as they do on their desktop platforms. For example, they can access a PIV-secured web site from their mobile device without having to boot up their laptop and insert their card.
  6. Require less authentication: Along with the new PIV credential specifications, numerous new authentication protocols are available that enable the user to authenticate once for access to different systems. Based on our experience, eliminating even one additional login requirement for the user significantly improves their experience and further drives PIV adoption.
  7. Provide a credential replacement process: Once users have become dependent on PIV technology, they must have a way to easily obtain a replacement if they lose or damage their credential. Additionally, when systems have been fortified to only accept PIV credentials, it is bad practice to downgrade the security control to accept passwords simply because the user forgot their card. Therefore, have a plan so that the end user can instantly receive a temporary or replacement credential and continue to use PIV credentials regardless of the scenario.

Conditions for success

Like running a marathon, meaningful security requires strategic planning, disciplined execution and, most importantly, creating the conditions for success. The new features of PIV allow security architects to design and build vastly improved user experiences using security technologies. This combination provides the necessary environment and conditions to implement a long-term security strategy capable of withstanding the dynamic security threats of both today and tomorrow.