NIST releases new guidelines for deploying PIV credentials to mobile devices
By
Frank Konkel
The draft special publication is the government’s response to the challenges encountered in authenticating smartphones, tablets and iPads.
The National Institute for Standards and Technology has released new guidelines for public comment regarding Derived Personal Identity Verification credentials.
The draft Special Publication (SP) 800-157, released March 7, defines technical specifications for implementing and deploying Derived PIV credentials to smartphones, tablets, iPads and other mobile devices.
The draft guidelines are essentially the government’s response to the challenges encountered in authenticating mobile devices.
While the Federal Information Processing Standard 201 developed in the mid-2000s created a common set of credentials that is used government-wide, mobile devices don’t have integrated smart card readers to provide the same kind of authentication. Some agencies use a combination of a PIV card and separate card readers for mobile device authentication, and others might use near field communication to read PIV cards from NFC-enabled mobile devices.
SP 800-157 addresses the latter option, in which a derived token is deployed directly on an agency-issued mobile device.
“SP 800-157 does not address use of the PIV Card with mobile devices, but instead provides an alternative to the PIV Card in cases in which it would be impractical to use the PIV Card,” the guidelines state. “Instead of the PIV Card, SP 800-157 provides an alternative token, which can be implemented and deployed directly on mobile devices (such as smart phones and tablets).” This is the “derived PIV credential.” NIST said the “use of a different type of token greatly improves the usability of electronic authentication from mobile devices to remote IT resources.”
The derived credential is viewed by many as an important milestone in government in terms of maximizing the effectiveness of mobile technology, and NIST guidance combined with industry feedback will play a key role in its creation and potentially in shaping future mobile polices.
“Even though we’ve been patiently waiting for the NIST document, that is only one step that needs to occur for derived credential,” said Mark Norton, a senior engineer at the Defense Department. Norton was one of several panelists who spoke at the Federal Mobile Computing Summit on March 7 in Washington.
“There are many things that need to fall into place,” Norton added.
The public comment period runs through April 21.