In the second installment of FedScoop’s Public Sector Innovation Priorities series, VMware’s Eugene Liderman explores how government agencies could reduce IT friction and boost workforce productivity by adopting derived credentials for secure login to the mobile devices government workers use every day.
Liderman, who focuses on security and privacy as director of product management at VMware, clarifies what derived credentials are and are not, and addresses common misconceptions about them, especially within federal agencies.
In a recent FedScoop study, government IT users reported 25 to 33 percent more friction than their industry counterparts when using smartphones and tablets for work, stemming primarily from difficulties logging on and getting access to the apps they need. That friction has put access credentialing in focus, and with it the debate between derived credentials and the more prevalent approach of using government-issued common access cards (CAC), or smart cards, to access government IT networks.
“When security becomes really high, the user experience ends up being really low,” said Liderman.
“Derived credentials is a really interesting paradigm shift for the federal government because it’s a balancing act between security and usability. It’s meant to alleviate the use of carrying a physical smart card, which doesn’t really work too well with mobile devices, but still provide a high level of security and multi-factor authentication using that derived credential,” said Liderman.
Derived credentials replace smart cards on mobile devices and provide multi-factor authentication in compliance with National Institute of Standards and Technology (NIST) guidelines. Liderman explains that people often assume a derived credential is derived from the security certificates stored on a smart card. In fact, a new certificate is issued: the individual proves their identity with their existing smart card, combining something they have (the card) with something they know (its PIN), and once that identity is validated, the derived credential is issued to the mobile device.
Because the government is still early in the adoption of derived credentials, agencies are still forming use cases and NIST is still refining its guidelines. However, it is already clear that agencies can reduce cost and IT friction by eliminating expensive and cumbersome equipment that is impractical to use and carry around with mobile devices.
Derived credentials also offer scalable multi-factor security. Beyond validation of an individual’s identity, derived credentials allow for additional levels of secure authentication based on location, operating system, the security of the Wi-Fi being used and a user’s role.
In the podcast, Liderman also outlines considerations when moving to derived credentials and away from smart cards, and recommends approaches to manage the scope of initial setup and expansion.
For more on derived credentials for federal agencies, download the FedScoop Tech Brief, “Understanding derived credentials for the federal government.”
This article was produced by FedScoop for, and sponsored by, VMware.