When it comes to mobile, are passwords too risky but smartcards too cumbersome?

Criminals are getting better at hacking into cellphones or personal computers and getting through password-protected systems. Derived credentials offer safer an...

This article is sponsored by VMware

Today, advances in IT security make it more difficult for criminals to access business or government computer systems.

Throughout history, people have used methods to limit who could access stores of information — protecting sensitive material and data from criminals — and one of the most popular has been the use of passwords.

The earliest computers — found at MIT in the 1960s — continued in the human tradition of using passwords to limit who could access networks, information or programs, but this method has always been faulty, according to an article in businessinsider.com.

Problems with passwords: Brute force attacks and phishing scams

The hunt to find better methods for securing devices has ramped up in the last five years as attacks have used password cracking to access sensitive information.

In the publicized 2015 case of hackers getting into celebrities’ iOS devices and accounts, most cybersecurity experts think the criminals used “programs that repeatedly guess random passwords for a given username until (they got) a match.”

Phishing scams can also trick even seasoned federal employees into providing a criminal with usernames and passwords.

For desktops and laptops, the IT and security worlds have actually moved away from passwords toward smart cards, one-time passcodes, or even biometrics. The Federal Government has standardized on smart cards as part of Homeland Security Presidential Directive 12 (HSPD-12). Unfortunately, these enhanced authentication options don’t necessarily work when it comes to smartphones and tablets.

“Just because smart card and smartphone both start with the word ‘smart’ doesn’t mean it’s a smart idea to integrate the two,” said Liderman.

Unlike desktop operating systems such as Windows 10 and macOS, mobile operating systems are completely sandboxed, and as a result smart card middleware cannot run in the background at the operating system level. This means smart card middleware and drivers must be embedded into individual applications, which makes the end user experience cumbersome, complex, and costly.

“Derived credentials, which were introduced as part of NIST Special Publication 800-157… enable more efficient and effective authentication while helping to ensure confidentiality, security and integrity of mobile device information access,” according to Eugene Liderman, Director of EUC Product Management at VMware.

Here is how derived credentials work to solve password and other traditional security flaws.

New security methods: Derived Credentials

When it comes to top-level governmental security, only the best will do: for government data, information assurance and risk mitigation are key. With the updates to Homeland Security directives and the creation of NIST SP 800-157, derived credentials were introduced as that perfect balance: much more secure than using a password but not as cumbersome as using a smart card.

The National Institute of Standards and Technology has coined the term “derived credentials” to refer to cryptographic credentials that are derived from those in a Personal Identity Verification (PIV) card or Common Access Card (CAC). These credentials are then stored on the mobile device.

Derived credentials offer federal agencies and employees a sophisticated, less vulnerable option that can be used securely across multiple devices.

Honing derived credentials for widespread, safe use

Over the past few years, IT security experts have tried to solve issues that have arisen as derived credentials have replaced password security, including compatibility problems with mobile devices.

Companies are creating even better methods to connect these security measures with programs and platforms.

“VMware PIV-D Manager enables the use of derived credentials with native apps and profiles, VMware apps and third-party AirWatch SDK-enabled apps,” according to tech news.

The future of technological security

IT security experts, including VMware, continue to shore up issues with the technology and enable it to work with a digital workspace that can provide access to all applications using any mobile device.

When derived credentials are used, “for users, this type of security platform allows strong authentication to access web sites and exchange secure email from mobile devices. For organizations, it offers cost savings by incorporating the user’s previously established PIV identity into the new derived PIV credential, thereby eliminating the need for further identity proofing,” according to the NCCoE.

With these advances, IT no longer has to choose between stronger security and a better user experience. Learn more about the future of IT security and derived credentials from VMware.

Copyright © 2024 Federal News Network. All rights reserved. This website is not intended for users located within the European Economic Area.