The redundancy of carrying a personal identity verification card when almost everyone has a smartphone could push identity management toward the cloud and PIVs toward obsolescence. But not all of government is so ready to rely on the cloud.
Jeremy Grant, senior executive adviser for identity management at the National Institute for Standards and Technology, told an audience Tuesday at Intel Security’s Security Through Innovation Summit that usability and the development of mobile and cloud technologies are pushing the identity management model away from physical cards toward software.
“The most secure solution that nobody wants to use doesn’t really improve security at all,” said Grant, who currently leads the National Strategy for Trusted Identities in Cyberspace. “So we’re focusing on usability as a key guiding principle alongside security and privacy and convenience.”
Grant, who admittedly loves his PIV card, acknowledged that carrying one is superfluous when a mobile device can provide the same two-factor authentication, and the card isn’t even compatible with newer devices.
“I have this card, and I don’t have an easy way to use it,” he said. “I have three devices — one’s a laptop and the other two are mobile devices, and it only works in one of them. How can we take advantage of the form factor’s new capabilities in the platforms that we’re using, like mobile devices, to actually come up with, frankly, better ways to do something than having to carry something with you in addition to the stuff you leave your house with every day?”
NSTIC is looking to pilot innovations that could ultimately do away with the PIV card. Grant mentioned an application produced by Michigan-based Duo Security that is making its way to university campuses around the country as an example. Students simply download an app, “and it reduces the whole authentication ceremony,” he said. “I get a push notification on my smartphone, then I swipe it and push the green button to log in for a second factor,” Grant said, noting its spread to more than 140 campuses.
Using the cloud, that model actually splits the encryption key — half on the device and half in the cloud, he said. “When you push the green button, it marries them up and you have a nice cryptographic login.”
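As an added illustration of the split-key push model Grant describes (example code written for this page, not Duo Security’s or NSTIC’s implementation): the login key is split into two XOR shares, one kept on the phone and one held by the cloud service, which releases its share only when the user approves the push. Neither share is useful alone; only the recombined key can answer the login challenge. The three roles (device, cloud share holder, relying party), the HMAC challenge-response, and the assumption that the relying party stores a full verification key are simplifications chosen for the example; a production design would more likely split a private signing key so that no server ever holds the whole secret.

```python
import hmac
import hashlib
import secrets


def split_key(key: bytes) -> tuple[bytes, bytes]:
    """Split a secret key into two XOR shares.

    The device share is random, so it reveals nothing about the key on its
    own; the cloud share is whatever XORs with it to recover the key.
    """
    device_share = secrets.token_bytes(len(key))
    cloud_share = bytes(a ^ b for a, b in zip(key, device_share))
    return device_share, cloud_share


def combine_shares(device_share: bytes, cloud_share: bytes) -> bytes:
    """Recombine the two shares into the original key ("marry them up")."""
    if len(device_share) != len(cloud_share):
        raise ValueError("share lengths differ")
    return bytes(a ^ b for a, b in zip(device_share, cloud_share))


def sign_challenge(key: bytes, challenge: bytes) -> bytes:
    """Answer a login challenge with an HMAC-SHA256 over it."""
    return hmac.new(key, challenge, hashlib.sha256).digest()


def approve_login(device_share: bytes, cloud_share: bytes,
                  challenge: bytes, user_approved: bool):
    """Model the push approval step.

    The cloud releases its share only when the user taps approve; the phone
    then recombines the key in memory and signs the challenge. A denied push
    yields no response at all.
    """
    if not user_approved:
        return None
    key = combine_shares(device_share, cloud_share)
    response = sign_challenge(key, challenge)
    return response


def verify_login(verification_key: bytes, challenge: bytes, response) -> bool:
    """Relying party check: constant-time comparison against the expected HMAC.

    Assumption for this example: the relying party holds the full key.
    """
    if response is None:
        return False
    expected = sign_challenge(verification_key, challenge)
    return hmac.compare_digest(expected, response)


def demo() -> bool:
    """Enrol a constructed key, run one approved login, and show a share alone fails."""
    key = secrets.token_bytes(32)          # constructed enrollment key
    device_share, cloud_share = split_key(key)
    challenge = b"login:alice:" + secrets.token_hex(8).encode()  # constructed challenge

    approved = approve_login(device_share, cloud_share, challenge, True)
    ok = verify_login(key, challenge, approved)

    # A stolen phone holds only its share, which cannot produce a valid answer.
    stolen_phone_attempt = sign_challenge(device_share, challenge)
    rejected = not verify_login(key, challenge, stolen_phone_attempt)

    return ok and rejected


if __name__ == "__main__":
    print("split-key login works as expected:", demo())
```

The security property worth noticing is in `demo()`: a response computed from the device share alone is rejected, and a denied push produces nothing to replay. Expiring the challenge and binding it to the session are left out here but belong in any real deployment.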
“We’re seeing a lot of innovators and entrepreneurs look at the fact that we’re carrying these [devices] in our pockets…and you can figure out the right way with an app, you can use that as a token instead of something else that you’re carrying with you,” Grant said.
Col. Bobby Saxon, division chief and program director of the Army G-3/5/7, said he doesn’t see the same for the military.
“To us, in many ways, cloud is just a four-letter word — we don’t have a lot of trust and faith in it,” Saxon said, despite noting that the Army is using cloud for its flexibility and cost savings. However, most of the branch’s operations are not running on the cloud, he said. “We call it a cloud, a pseudo-cloud, it’s more of a private cloud.”
And when it comes to identity management and many of the Army’s war zone operations, verifying a token in the cloud doesn’t make sense. “That’s very helpful when you’re putting your wallet in your back pocket or your purse or you’re going to sit down at a desk every day,” Saxon said. “It’s not as helpful when you’re in an environment such as Iraq or Afghanistan, where those kinds of things are usually not available to you.”
In many cases, he said, the Army has fallen back on the traditional username and password. “Because at the end of the day, we still have to have access for our users.”
But as far as the civilian government is concerned, it’s hard to avoid the inevitability of a cloud-based identity management model, or something like it, purely because of the pace of innovation, Grant said. “The amount of innovation we’ve seen in the last three or four years far surpasses everything we’ve seen in the previous 15, in part because there are these new things out there today that people are looking at and saying, ‘I think I can build it different and cheaper and better.’”