Federal agencies may be one step closer to ditching bulky card readers for securing their smartphones and tablet computers, thanks to the National Institute of Standards and Technology.
NIST has released two draft documents aimed at enabling federal employees and contractors to verify their identities on mobile devices through alternative means. One way is through so-called derived credentials.
NIST’s Special Publication 800-157, “Guidelines for Derived Personal Identity Verification Credentials,” provides technical standards for adding digital credentials from PIV and CAC cards to a smartphone or tablet. This allows “the mobile device to take the place of the smart card for remote authentication to federal systems,” according to NIST.
The guidelines specify ways to insert credentials into a mobile device using microSD tokens, USB tokens or SIM cards, or to embed them in the mobile device itself. The draft document focuses on managing the issuance, maintenance and termination of digital credentials.
Comments on the draft documents are due April 21.
The Defense and Homeland Security departments are among the agencies exploring the benefits and feasibility of derived credentials. Agencies view this as a way to save the costs of buying card readers for the devices, and the other concern is making the devices user friendly, said Mark Norton, a senior engineer at DoD.
The move to derived credentials, however, does not mean DoD will do away with CAC cards, said Norton, who spoke Friday at the Federal Mobile Computing Summit.
In a separate draft document, NIST provides alternatives to derived credentials, such as near field wireless links (NFC), similar to those used by contactless payment systems. NFC-enabled devices could interact with a PIV card at very close range via a contactless antenna. The drawback, however, is that many mobile devices today do not include NFC capabilities.