Authentication systems have been in wide use for a long time. Some of the earliest authentication systems include the use of a simple password associated with a user of a computer. The user identifies himself, enters a password, and is then given access to the information properly associated with that individual. It is understood that different people can have different access levels.
A primary problem with this type of system is that passwords are notoriously unreliable when it comes to security. There have been a host of other approaches to user authentication, including the use of imaging software to visually identify the person opening the computer, or the use of biometrics to identify a person (e.g., fingerprint, eye scan, etc.). Still further problems observed with password-based systems include catastrophic Denial of Service attacks perpetrated by Internet of Things (IoT) botnets that exploit default passwords on everyday devices.
When there is a need for strongly vetted credentials, Public Key Infrastructure (PKI) has been effectively used. PKI provides a strong proof of identity by utilizing the following key components to its architecture:
1. Digital certificates. Digital “identities” issued by trusted third parties that identify users and machines. They may be securely stored in wallets or in directories.
2. Public and private keys. These form the basis of a PKI for secure communications, based on a secret private key and a mathematically related public key.
3. Certificate Authority (CA). Acts as a trusted, independent provider of digital certificates.
PKI can be described as a hierarchical system that can provide very strongly vetted credentials. As PKI is such a strong standard, it has been used extensively in the information security area to deliver identity authentication for multiple areas, including individuals, organizations and machines. By binding public keys to the identity, providing a mechanism to obtain information about the organization that created the certificate, and allowing the individual to control their own private key, PKI gives any relying party application the capability to reach back to the originating source of the identity. This hierarchical approach provides a relying party a high level of confidence in the ownership of the presented identity, which is enhanced when the originating source is a validated and trusted entity (e.g., the U.S. Government).
To complicate matters, a strong trend is being seen in all sectors of the economy for fixed computers to be replaced by mobile devices, for convenience, flexibility, and accessibility. Furthermore, a diverse identity management ecosystem is being developed, where certificate authorities are decoupled from application providers, users are mobile and companies are struggling to understand who is accessing their systems. Mobility—being un-tethered to a physical workplace—brings enormous efficiencies, and, if implemented carefully, benefits employers and employees alike. Mobile computing is introducing newer architectures, breaking down silos, and introducing peer-to-peer transactions between multiple identities and unrelated parties relying on trust to perform such transactions. Mobile computing is changing the way that people work and do business. For example, in the past, if a person wanted to access highly secure documents they would have to sit at a terminal and log in through a series of operations that confirmed that the individual could have access to that information. However, with the advancement in mobile devices allowing for a much greater amount of work to be performed on them, pressure has mounted to allow individuals to access highly sensitive information with their mobile devices.
Mobile devices have brought a rapid convergence of multi-factor authentication, native functionality (i.e., apps), and web browsing. One of the most important recent advances is the phone-as-second-factor. That is, the cell phone is the “something you have”. The overt physical factor is activated by a Personal Identification Number (PIN) or password (the “something you know”), or increasingly, an integrated biometric.
Yet until now, a strong identity proofing solution like Personal Identity Verification (PIV) has been primarily deployed on smartcards. Classically, PIV credentials are carried on smartcards that contain secure private keys. Likewise, until now, interoperability of PIV credentials required specific PKI integration of client-side software components and the backend CA. The government has struggled to use PIV cards with mobile devices as, among other things, most mobile devices lack traditional smart card readers, and efforts to leverage NFC for mobile authentication have struggled. In part because of these challenges, the U.S. government crafted the Derived PIV Credential (DPC) initiative—focused on extending the security model of PKI to mobile devices. While launched in 2014, DPC is still in early adoption mode and has proven very complex to deploy. In practice, this means that millions of mobile devices across the U.S. government are not protected with strong authentication.
Private sector enterprises face demands similar to those of the various U.S. government agencies to open access to secure content from users' mobile devices. Consider the aerospace and defense industry as an example. Every company in this industry has made a significant financial investment in smart card technologies to provide their users, suppliers, and in some cases even customers with strongly vetted X.509 identity credentials.
X.509 is a standard for a PKI to manage digital certificates and public-key encryption, and a key part of the Transport Layer Security protocol used to secure web and email communication. An X.509 certificate is a digital certificate that uses the international X.509 PKI standard to verify that a public key belongs to the user, computer or service identity contained within the certificate.
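The three PKI components enumerated above (digital certificate, public and private key pair, and Certificate Authority) and the X.509 definition in this paragraph can be seen working together in the following Go program. It is an added illustration and not part of this application: a constructed CA issues an X.509 certificate for a constructed user, and a relying party validates that certificate back to the root it trusts using Go's standard crypto/x509 package. The names "Example Agency Root CA" and "jane.doe@example.gov", the 24-hour lifetimes, and all function and type names are assumptions chosen for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Hierarchy is a toy two-level PKI: a self-signed CA and one user certificate
// it issued. Names and lifetimes are constructed for this example.
type Hierarchy struct {
	CACert   *x509.Certificate
	UserCert *x509.Certificate
	UserKey  *ecdsa.PrivateKey // held by the individual; never leaves their control
}

// issueCert signs template under parent with the signer's key and returns the
// parsed certificate. When parent == template the result is self-signed.
func issueCert(template, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, template, parent, pub, signer)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func buildHierarchy() (*Hierarchy, error) {
	now := time.Now()
	// Component 3, the CA: a key pair plus a self-signed certificate with the CA flag set.
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	caTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Agency Root CA"}, // constructed
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	caCert, err := issueCert(caTmpl, caTmpl, &caKey.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	// Component 2, the user's key pair: only the public half goes into the
	// certificate the CA signs (component 1, the digital identity).
	userKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	userTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: "jane.doe@example.gov"}, // constructed
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	userCert, err := issueCert(userTmpl, caCert, &userKey.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	return &Hierarchy{CACert: caCert, UserCert: userCert, UserKey: userKey}, nil
}

// verifyChain is the relying party's side: it trusts only the roots it was configured
// with and checks that the presented certificate chains to one of them (signature,
// validity period, CA constraint, key usage). It returns the anchoring root's name.
func verifyChain(presented *x509.Certificate, trustedRoots ...*x509.Certificate) (string, error) {
	roots := x509.NewCertPool()
	for _, r := range trustedRoots {
		roots.AddCert(r)
	}
	chains, err := presented.Verify(x509.VerifyOptions{
		Roots:     roots,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	})
	if err != nil {
		return "", err
	}
	root := chains[0][len(chains[0])-1]
	return root.Subject.CommonName, nil
}

func main() {
	h, err := buildHierarchy()
	if err != nil {
		panic(err)
	}
	fmt.Println(verifyChain(h.UserCert, h.CACert)) // trusted root: validates
	other, _ := buildHierarchy()                   // a different CA, not trusted here
	fmt.Println(verifyChain(h.UserCert, other.CACert)) // fails: no path to a trusted root
}
```

The second call in main is the point of the hierarchical model: the same well-formed certificate is rejected by a relying party whose trust store does not contain the issuing CA, because validation always reaches back to a configured root rather than to the certificate alone.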
Users in these private sector enterprises who access confidential data with mobile devices have become increasingly reliant on smartphones and tablets to get their day-to-day work done. However, data owners in these organizations have been hesitant to provide access to sensitive information from mobile devices, due to security concerns (starting with authentication).
The result of all this mobile device utilization has been the proliferation of non-hierarchical authentication systems. These non-hierarchical authentication systems provide the benefit that they can leverage key functions of mobile devices and new computing techniques to deliver a more user-friendly and frictionless authentication process between the mobile device and the relying party (or organization providing a service to the individual, device or other).
A potent combination of security factors plus widespread native cryptography has propelled the Fast Identity Online (FIDO) Alliance to transform authentication from essentially any mobile device. FIDO is a consortium of identity management vendors, product companies and service providers working on strong authentication standards using industry standard, tested and vetted cryptographic algorithms. FIDO standards are enabling a new paradigm for multi-factor authentication: once an individual has authenticated to their personal mobile device, they should be able to use that device to then authenticate to other digital services.
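The phone-as-second-factor flow described earlier and the FIDO paradigm in this paragraph, as an added example that is not part of this application or of any FIDO specification: a simplified model of a FIDO-style registration and challenge-response, written in Go with standard-library ECDSA. The authenticator stands in for the mobile device, the relying party for the service. The relying-party ID "service.example.gov", the user name, the way the relying-party ID is hashed into the signed data, and all type and function names are assumptions chosen for the example; real FIDO messages carry more fields (origin, signature counter, attestation) than are modelled here.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Authenticator models the phone: one key pair per relying party, created at
// registration and never leaving the device (the unlocking PIN or biometric is not modelled).
type Authenticator struct {
	keys map[string]*ecdsa.PrivateKey // relying-party ID -> private key
}

func NewAuthenticator() *Authenticator {
	return &Authenticator{keys: map[string]*ecdsa.PrivateKey{}}
}

// Register creates a fresh key pair scoped to rpID and hands back only the public
// key. No CA is involved: the relying party's own record binds key to account.
func (a *Authenticator) Register(rpID string) *ecdsa.PublicKey {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	a.keys[rpID] = key
	return &key.PublicKey
}

// signedData is what gets signed: SHA-256 over the relying-party ID hash and the
// challenge, so an assertion is valid for that one relying party and challenge only.
func signedData(rpID string, challenge []byte) []byte {
	rpHash := sha256.Sum256([]byte(rpID))
	h := sha256.New()
	h.Write(rpHash[:])
	h.Write(challenge)
	return h.Sum(nil)
}

// Assert answers a challenge with the key registered for exactly rpID; an
// unknown or look-alike ID has no key and therefore gets no signature.
func (a *Authenticator) Assert(rpID string, challenge []byte) ([]byte, error) {
	key, ok := a.keys[rpID]
	if !ok {
		return nil, errors.New("no credential registered for " + rpID)
	}
	return ecdsa.SignASN1(rand.Reader, key, signedData(rpID, challenge))
}

// RelyingParty keeps registered public keys and one outstanding challenge per user.
// It never holds a private key and consults no hierarchy above itself.
type RelyingParty struct {
	ID         string
	users      map[string]*ecdsa.PublicKey
	challenges map[string][]byte
}

func NewRelyingParty(id string) *RelyingParty {
	return &RelyingParty{ID: id, users: map[string]*ecdsa.PublicKey{}, challenges: map[string][]byte{}}
}

// Enroll records the public key received at registration.
func (rp *RelyingParty) Enroll(user string, pub *ecdsa.PublicKey) { rp.users[user] = pub }

// Challenge issues 32 fresh random bytes that the user must sign.
func (rp *RelyingParty) Challenge(user string) []byte {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		panic(err)
	}
	rp.challenges[user] = c
	return c
}

// Verify checks the signature against the stored public key and the outstanding
// challenge, then discards the challenge so a captured assertion cannot be replayed.
func (rp *RelyingParty) Verify(user string, sig []byte) error {
	pub, c := rp.users[user], rp.challenges[user]
	if pub == nil || c == nil {
		return errors.New("unknown user or no outstanding challenge")
	}
	delete(rp.challenges, user)
	if !ecdsa.VerifyASN1(pub, signedData(rp.ID, c), sig) {
		return errors.New("signature does not verify")
	}
	return nil
}

func main() {
	auth := NewAuthenticator()
	rp := NewRelyingParty("service.example.gov") // constructed relying-party ID
	rp.Enroll("jane", auth.Register(rp.ID))       // registration: RP stores the public key only
	sig, _ := auth.Assert(rp.ID, rp.Challenge("jane"))
	fmt.Println("first use:", rp.Verify("jane", sig), "| replay:", rp.Verify("jane", sig))
	_, err := auth.Assert("other.example.net", nil) // no key for this relying party
	fmt.Println("unregistered relying party:", err)
}
```

Contrast with the PKI model: here the only record that ties the public key to an account lives at the relying party, which is why the credential is non-hierarchical and why a relying party has no way to reach back to a vetting authority for the key it stored.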
The recent publication of NIST SP 800-63-3 Digital Identity Guidelines outlined notable changes in the identity proofing and authentication of users, such as employees, contractors, private individuals, and commercial entities, working with government IT systems over open networks. See https://pages.nist.gov/800-63-3/sp800-63-3.html. Two significant changes outlined in the document are (1) the separation of identity assurance from authenticator assurance, and (2) the recognition of technologies like FIDO U2F and UAF within the highest level—Authenticator Assurance Level 3 (AAL3).
As a result, the FIDO protocol is now considered a viable option, as it meets government guidelines for asymmetric, public-key (PK) cryptography for authentication. This will lead to strong mobile authentication to FIDO-enabled legacy and cloud-based applications and resources that were previously too difficult and/or expensive to PKI-enable.
One of the limitations of FIDO is the inability to directly integrate with PKI, the hierarchical system that securely manages PIV credentials and verifies the identity of a user back to a trusted party prior to authentication. This results in the inability to directly use government standard identification credentials with the AAL3 level authentication provided by FIDO.
For example, the article entitled “FIDO Alliance White Paper: Leveraging FIDO Standards to Extend the PKI Security Model in United States Government Agencies” published by the FIDO Alliance describes how FIDO can complement PKI in expanding the U.S. Government's authentication ecosystem. https://fidoalliance.org/wp-content/uploads/White-Paper-Leveraging-FIDO-Standards-to-Extend-the-PKI-Security-Model-in-US-Govt-Agencies.pdf. The paper details the challenges and shortcomings with PKI but acknowledges that PIV should continue as the U.S. Government's credential of choice.
Another article is provided by SecureID News, dated Mar. 17, 2017, entitled “Merging FIDO and PIV could help feds achieve strong authentication goals”. https://www.secureidnews.com/news-item/merging-fido-and-piv-could-help-feds-achieve-strong-authentication-goals/. This article summarizes the above-referenced white paper. Some key excerpts include: “PKI enabling applications—both legacy and new—is not an easy process” and “If full-blown PIV card presentment were doable, that would be the preferred route. But in cases where this is not possible, PIV derived credentials would be next followed by FIDO derived credentials.” In other words, the hierarchical PKI system cannot currently be fully merged with the non-hierarchical FIDO world.
Accordingly, this is a problem that the industry is currently dealing with, namely, how to utilize the strongly vetted credentials provided by a system such as PKI, along with strong authentication standards using industry standard, tested and vetted cryptographic algorithms, such as FIDO. As noted in the above-referenced articles, there is no effective solution that has yet been achieved.