Zero-trust security architecture is changing the way IT leaders think about access to federal agency networks and resources. That includes how to meet the needs of employees and contractors for whom physical personal identity verification (PIV) credentials and Common Access Cards (CAC) have been the primary method for authenticating access to federal IT systems.
However, as the rapid surge in telework during the current pandemic has made clear, physical authentication controls present a significant obstacle to those who need to access agency resources remotely.
At the same time, the continuing theft of usernames and passwords is forcing IT leaders to look for better ways to authenticate that users are who they say they are, says Yves Massard, product marketing director for IAM solutions for HID Global.
Massard discusses the future of identity authentication for government agencies, and what technologies and standards IT leaders should be looking for on the horizon in a new podcast produced by FedScoop and underwritten by HID Global:
Where PIV and CAC fall short in meeting identity authentication needs
Massard sees three main challenges to the PIV and CAC programs.
First, in order to provide a seamless and secure experience, PIV and CAC “need to be properly plugged into the ecosystem that federal agencies use,” says Massard. But the enterprise ecosystem now contains a growing number of cloud applications and smartphones that don’t support PIV and CAC. And to properly secure agency networks, there is an unmet need to provide stronger identity and access to a diverse user population.
Secondly, “the federal government actually has a large user population that might not be eligible for PIV and CAC — [such as] short-term contractors or partners the government might do business with, whether it’s at the national or international level,” says Massard.
And finally, as seen with the shelter-in-place requirements, there are challenges to providing those credentials to users who now need to access the network from home or other remote locations.
Why should agency CIOs consider identity-as-a-service in their suite of solutions
Massard cites a number of initiatives that policymakers have been working on over the past few years — including standards from the National Institute of Standards and Technology and the White House Office of Management and Budget. These documents will make it easier for executives to look for solutions to manage identity and move towards zero-trust architecture.
The reasons to consider identity-as-a-service are the same as those that pushed CIOs to consider cloud applications and shared services: The technology helps agencies focus on their mission while leveraging the economy of scale that comes from service providers that have a wider view of the threat landscape.
“For example, if you see [threat] activities coming from a set of IP addresses, you might be able to blacklist those across all your customers and immediately share that intelligence with those users,” says Massard.
How identity-as-a-service can expand access to citizen services
When applied to online citizen services, identity-as-a-service lets a citizen enroll with the identity service once and then use that identity to access multiple citizen services without having to re-enroll, Massard explains.
“An agency can leverage identity-as-a-service to be able to provide more advanced authentication capabilities,” he says. “And the agency doesn’t necessarily need to see what’s the latest and the greatest [technology], but rather can leverage their service provider to offer those things.”
Identity and password-less technology developments on the horizon
“There’s been a big development that came to fruition last year, called FIDO2, which is managed by the FIDO Alliance and the W3C, the standards body which standardized HTML,” Massard explains. “And [FIDO2] provides authentication that in some configurations is similar to what you would get with PIV and CAC, but with a much simpler infrastructure, and also much better support for mobile and cloud applications.”
While the standard is still maturing, it is well-positioned to grow as vendors like Microsoft, Apple and Google are moving to support it within their respective operating systems and browsers.
And currently it is technically possible to have both a FIDO2 and PIV application on the same authenticator, so agencies have the option to future-proof their investments for newer solutions, Massard shares.
Staying agile and flexible for changes in identity and access solutions
“If you don’t already have one, invest in an Identity Provider (IDP) that supports multiple authentication platforms and plug your applications into that IDP,” Massard recommends.
“This provides you a way to modernize authentication into the application by plugging into the IDP while still knowing that the application capability itself will continue to evolve as the IDP itself gets updated,” he explains.
Yves Massard heads up product marketing efforts in HID Global’s Identity and Access Management government business. Among other accomplishments at HID Global, he played a key role assisting the Department of Defense’s creation of the US DoD Common Access Card, ActivID CMS – the market-leading PIV credential management system – and ActivClient, market-leading middleware.
Listen to the podcast for the full conversation on the future of identity authentication for government agencies. You can hear more coverage of “IT Modernization in Government” on our FedScoop radio channels on Apple Podcasts, Spotify, Google Play, Stitcher and TuneIn.
This podcast was produced by FedScoop and underwritten by HID Global.