Implementing such a system will provide significantly improved security versus the traditional username-password construct.
Several basic multifactor authentication frameworks exist that will satisfy the multifactor authentication mandate. Examples are soft tokens and hard tokens (e.g., smart cards, key fobs, or dongles) designed to store user credentials, and one-time passwords (OTP) sent to a mobile device.
Nevertheless, these solutions do not provide both the high-assurance identity proofing and robust physical-logical access—all within one single smart credential—as the personal identity verification (PIV) used by federal agencies and the similar credential for non-federal entities: personal identity verification-interoperable (PIV-I).
The PIV-I framework leverages a photo, fingerprints (biometrics), cryptography and a PIN and provides a powerful and cost-effective way to deliver strong protection against security breaches from nefarious actors. It heightens the defenses against cyberattacks, in contrast to username and password combinations, which are particularly susceptible and can easily be compromised.
Exploring the Value of PIV-I
What makes the PIV-I security framework so effective? Here are six reasons to implement PIV-I to support a multifactor authentication strategy to satisfy NIST SP 800-171.
1) Door to Desktop. Typically in an enterprise environment a proximity badge is used for identification and physical access. In addition, for logical access, a username and password combination often represents the security token. In contrast, PIV-I provides for a single high-assurance identity credential that can be used to access everything from doors to desktops in a secure manner. The benefit of this is simpler access management that includes full lifecycle identity management and ongoing screening of existing credentials.
2) Platform Agnostic. PIV-I is readily adaptable across a diverse employee base to achieve the highest level of security. For example, the PIV-I credential can be trusted by any entity, either government or business, that accesses the Federal Bridge. By contrast, a construct like one-time passwords (OTPs) is often tied to a specific device. Although OTPs can be agnostic, the same level of assurance does not exist with this option.
3) Cryptographic Data Protection. The PIV-I framework facilitates a variety of important security features within each individual credential, providing increased confidence that sensitive data won’t be intercepted, including the ability to:
• Digitally sign documents (non-repudiation)
• Authenticate to network resources
• Encrypt messages for communication
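To make concrete why a card-held key plus a PIN resists the attacks that defeat a username and password, here is an added illustration (not code from the article, and not the PIV or PIV-I specification itself) of the "authenticate to network resources" capability as a challenge-response exchange. It assumes, for the demonstration, an in-process simulation of the card in which a P-256 ECDSA key stands in for the card's authentication key, a retry limit of three wrong PINs before the card blocks, and a relying party that holds the card's public key directly rather than extracting it from the card's X.509 certificate. All PINs and challenges below are constructed values.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
)

var (
	ErrLocked   = errors.New("card locked: verify PIN before using the key")
	ErrWrongPIN = errors.New("wrong PIN")
	ErrBlocked  = errors.New("card blocked: PIN retry counter exhausted")
)

// SmartCredential is a constructed stand-in for a PIV-style card: the private key
// never leaves the card and is usable only after a correct PIN; three wrong PINs
// block the card (the retry limit is an assumption made for this demonstration).
type SmartCredential struct {
	priv        *ecdsa.PrivateKey
	pin         []byte
	retriesLeft int
	unlocked    bool
}

// NewSmartCredential personalises a card with a fresh P-256 key and a PIN.
func NewSmartCredential(pin string) (*SmartCredential, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &SmartCredential{priv: priv, pin: []byte(pin), retriesLeft: 3}, nil
}

// PublicKey is what the relying party trusts (on a real card, via its X.509 certificate).
func (c *SmartCredential) PublicKey() *ecdsa.PublicKey { return &c.priv.PublicKey }

// VerifyPIN is the "something you know" factor; each wrong attempt burns a retry.
func (c *SmartCredential) VerifyPIN(pin string) error {
	if c.retriesLeft == 0 {
		return ErrBlocked
	}
	if subtle.ConstantTimeCompare([]byte(pin), c.pin) != 1 {
		c.retriesLeft--
		if c.retriesLeft == 0 {
			return ErrBlocked
		}
		return ErrWrongPIN
	}
	c.retriesLeft = 3 // a correct PIN resets the counter
	c.unlocked = true
	return nil
}

// SignChallenge is the "something you have" factor: only the card holding the
// key can produce this signature, and only once the PIN has been verified.
func (c *SmartCredential) SignChallenge(challenge []byte) ([]byte, error) {
	if !c.unlocked {
		return nil, ErrLocked
	}
	digest := sha256.Sum256(challenge)
	return ecdsa.SignASN1(rand.Reader, c.priv, digest[:])
}

// RelyingParty is the server side: it issues random single-use challenges and
// accepts a login only for a challenge it issued and has not yet consumed.
type RelyingParty struct{ outstanding map[string]bool }

func NewRelyingParty() *RelyingParty { return &RelyingParty{outstanding: map[string]bool{}} }

// IssueChallenge returns 32 random bytes the card must sign.
func (rp *RelyingParty) IssueChallenge() ([]byte, error) {
	ch := make([]byte, 32)
	if _, err := rand.Read(ch); err != nil {
		return nil, err
	}
	rp.outstanding[string(ch)] = true
	return ch, nil
}

// Authenticate checks the signature against the credential's public key and
// consumes the challenge, so a captured response cannot be replayed the way
// a captured password can.
func (rp *RelyingParty) Authenticate(pub *ecdsa.PublicKey, challenge, sig []byte) bool {
	if !rp.outstanding[string(challenge)] {
		return false // unknown or already-used challenge
	}
	delete(rp.outstanding, string(challenge))
	digest := sha256.Sum256(challenge)
	return ecdsa.VerifyASN1(pub, digest[:], sig)
}

func main() {
	card, _ := NewSmartCredential("123456") // constructed PIN
	rp := NewRelyingParty()
	ch, _ := rp.IssueChallenge()
	fmt.Println("PIN check:", card.VerifyPIN("123456"))
	sig, _ := card.SignChallenge(ch)
	fmt.Println("login:", rp.Authenticate(card.PublicKey(), ch, sig), "replay:", rp.Authenticate(card.PublicKey(), ch, sig))
}
```

Two properties carry the security argument: a response is only ever valid for one fresh challenge, so an observer who records a successful login has nothing reusable, and the secret that proves possession is a private key that the relying party never receives, so a compromised server does not leak anything that can be presented elsewhere. The same key-and-PIN gating applies to the signing and decryption uses listed above; only the data being signed or decrypted differs.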
44 Cyber Warnings E-Magazine November 2016 Edition
Copyright © Cyber Defense Magazine, All rights reserved worldwide