Entrust to add support for YubiKeys with PIV – Yubico

Today marks an important day for expanding Yubico’s reach to support the growing requirement for Government agencies to issue government credentials beyond Personal Identity Verification (PIV) cards. We are celebrating that our partner Entrust will soon launch support for derived PIV credentials for YubiKeys. Customers will be able to take advantage of YubiKeys with derived PIV credentials using either Entrust’s Managed PKI service or Identity platform. 

Entrust Identity is an integrated IAM (Identity and Access Management) platform that supports a full suite of workforce, consumer, and citizen use cases. YubiKey support is included with Entrust Identity Enterprise. In addition, Identity Enterprise joins Identity as a Service and Identity Essentials as part of the Works with YubiKey program.

With Entrust support for YubiKeys, government agencies will be able to issue YubiKey 5 Series and YubiKey 5 FIPS Series with derived PIV credentials to employees instantly, remotely, and at scale. 

“Extending support of Personal Identity Verification (PIV) for Yubico is a critical requirement for our mutual customers’ success,” stated James LaPalme, VP and General Manager, Identity Business Unit, Entrust. “We are pleased to work with Yubico to help government agencies realize strong purpose-built authentication that is also mobile friendly.”

The United States Federal Government has been issuing strong cryptographic hardware authentication devices to its civilian employees and contractors for more than 15 years. These devices, called PIV cards, combine a strong Public Key Infrastructure (PKI) credential with a robust identity proofing and background check process on a physical smart card. Issuance and use of the PIV card is required by a number of laws, regulations, and mandates for all Federal employees and contractors who need to access Federal Government IT systems, applications, and data. As a result of the intensive identity proofing process, the PIV card issuance process provides a strong anchor that can be used to assert an identity.

Unfortunately, while providing a high level of security, the smart card form factor presents a number of barriers for today’s mobile and desktop environments. Smart cards must be used with a smart card reader during the authentication process, which creates challenges when using PIV cards to authenticate to portable devices and tablets. Furthermore, external smart card readers can add complexity for users and are expensive to deploy and maintain at scale.

Adoption of smart card form factors has also been limited for teleworkers, as highlighted by COVID-19, where use of employees’ personal devices to access government networks and applications remotely has increased, creating the need for yet another external smart card reader for users’ personal laptops and desktops.

To address the above issues, NIST developed guidance around the issuance of Derived PIV credentials in Special Publication 800-157. A derived credential is an alternate credential that is “derived” from the eligibility for a PIV card. To date, these derived credentials are normally PKI certificates stored on mobile devices, but this can present security concerns when they are stored on non-GFE (government furnished equipment) devices that are not actively managed or patched.

Why should derived PIV credentials be on YubiKeys and how can this fit into the recent Biden Executive Order?

Storing a Derived PIV credential on a hardware security key, such as the YubiKey 5 FIPS Series, provides the following important benefits.

  • The private key resides on the YubiKey, a purpose-built external authenticator focused solely on authentication and encryption, which minimizes the attack surface.
  • The credential can be generated on the YubiKey, keeping the private key secure, versus generating the credential elsewhere and importing it onto a mobile device.
  • The external authenticator can be validated at a higher authenticator assurance level than offered by a mobile device. The YubiKey 5 FIPS Series is FIPS 140-2 validated at Overall Level 2, Physical Security Level 3 (Certificate #3914).
  • The YubiKey with the loaded credential can act as a portable root of trust, enabling remote and teleworking employees and contractors to securely authenticate to government networks and applications via Bring Your Own Approved Device (BYOAD).
  • YubiKey’s latest form factors with USB-C, Lightning, and NFC meet the ‘tap-and-go’ usability needs of mobile users by easily and seamlessly enabling authentication across multiple devices such as desktop computers, laptops, mobile devices, and tablets.
  • YubiKeys don’t require batteries or a network connection, are crush resistant, waterproof, and dustproof, making them ideal for front-line and off-site focused work scenarios. 

We are also extremely excited that this integration with Entrust comes on the heels of our YubiKey 5 FIPS Series launch, which enables our customers to meet the requirements for Authenticator Assurance Level 3 (AAL3) as defined in NIST SP 800-63B. Being secure and compliant has never been easier with this partnership, and we are confident this will bring a whole new scale of adoption to help secure Federal infrastructure and data.

PIV alternative, PIV derived credentials, and FIDO2

In addition to PIV and derived PIV support in Identity Enterprise, Entrust also supports FIDO2 credentials with Identity as a Service. FIDO2 credentials, similar to PIV, leverage asymmetric cryptography, providing strong hardware-backed authentication. Entrust’s Identity as a Service offering allows users to register a FIDO2 credential that is securely stored in a YubiKey. Leveraging the same YubiKey for PIV and FIDO2 credentials, integrated into the Entrust Identity platform, provides a wider range of strong authentication across a user’s access landscape, reducing the reliance on weaker forms of authentication.

To learn more about Entrust-derived PIV credential issuance with YubiKeys, please contact us and attend our joint webinar “Strong Authentication for U.S. Government Employees” on July 28, 2021, at 11:00 a.m. EST (8:00 a.m. PST).
