DoD tackles mobile device authentication through several pilots

Monday - 11/25/2013, 4:04am EST

Jared Serbu reports.


The Defense Department says it's committed to a future in which service members and civilians can use the latest and greatest mobile technology to get their work done, regardless of the device manufacturer. But it's still struggling mightily with one of the biggest challenges for mobility in the government: identity management.

While the Pentagon thinks it's gone a long way toward making sure its security approval processes for mobile devices, apps and infrastructure can keep up with the pace of commercial technology, there's one enormous nut the department still hasn't cracked — how to make sure DoD users can securely authenticate themselves on the network via mobile devices, the same way they do today from desktop and laptop computers. On those computers, users slide their common access cards (CACs) into a smart card reader in order to do multi-factor authentication.

Using that same method on a mobile device defeats the purpose of having a mobile device.

"To date, the solutions have been Bluetooth or corded card readers that are very difficult to use, they have separate power sources, they're not really in favor with generals and senior executives," said Devon O'Brien, the lead mobile engineer for public key infrastructure (PKI) at the Defense Information Systems Agency. "The user experience is awful and because we're such a niche market, the cost per device is awful. That's sort of what prompted the look for alternate credentials."

Those alternate credentials would be just as trusted by DoD networks as the PKI certificates that are currently stored on common access cards. But they would have to be different credentials, since the card isn't actually attached to the device. The National Institute of Standards and Technology is finalizing a new special publication (SP 800-157) that describes what are called "derived credentials" and how they can be used securely.
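To make the derived-credential idea concrete, here is an added example that is not code from DoD, DISA, NIST or the draft of SP 800-157: a constructed issuance flow in Go using only the standard library. A toy root CA, a "CAC-like" client-authentication certificate for a made-up user and a separate derived-credential issuing CA are all generated in memory. The phone generates its own key pair and proves, with a signature made by the card's key, that the card holder asked for the binding; the issuer chain-validates the card certificate, checks that proof, and issues a certificate for the phone key whose lifetime can never outlive the card certificate it was derived from. The names, lifetimes and the proof-of-possession format are assumptions made for the demo, not the department's or the standard's specification.

```go
package main

// Added example, not DISA/DMDC code: a constructed derived-credential issuance flow.
// Everything (root CA, card certificate, issuing CA, device key) is generated in memory.

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// DerivedRequest is what the phone sends: its own public key plus a proof, made with the
// card's private key, that the person holding the card asked for this binding (assumed format).
type DerivedRequest struct {
	CACCert   *x509.Certificate
	DevicePub []byte // PKIX DER of the key generated on the phone; the private half stays there
	PoP       []byte // ASN.1 ECDSA signature over SHA-256(DevicePub) made by the card key
}

// Demo holds the constructed PKI: one root, the user's card cert and the derived-credential CA.
type Demo struct {
	Roots        *x509.CertPool
	CAC          *x509.Certificate
	CACKey       *ecdsa.PrivateKey
	DerivedCA    *x509.Certificate
	DerivedCAKey *ecdsa.PrivateKey
}

func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// sign issues a certificate from tmpl for pub, signed by parent's key, and parses it back.
func sign(tmpl, parent *x509.Certificate, pub any, signer *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	c, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return c
}

func caTemplate(serial int64, cn string, now time.Time) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(10 * 365 * 24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
}

// NewDemo builds the constructed PKI. The card cert gets a two-year life (a constructed value).
func NewDemo(now time.Time) *Demo {
	rootKey, rootTmpl := newKey(), caTemplate(1, "Demo Root CA", now)
	root := sign(rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey)
	cacKey := newKey()
	cac := sign(&x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "DOE.JOHN.1234567890"}, // constructed name
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(2 * 365 * 24 * time.Hour),
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}, root, &cacKey.PublicKey, rootKey)
	dcaKey := newKey()
	dca := sign(caTemplate(3, "Demo Derived Credential CA", now), root, &dcaKey.PublicKey, rootKey)
	roots := x509.NewCertPool()
	roots.AddCert(root)
	return &Demo{Roots: roots, CAC: cac, CACKey: cacKey, DerivedCA: dca, DerivedCAKey: dcaKey}
}

// NewDeviceKey models the phone generating its own key pair and exporting only the public half.
func NewDeviceKey() (*ecdsa.PrivateKey, []byte) {
	k := newKey()
	der, err := x509.MarshalPKIXPublicKey(&k.PublicKey)
	if err != nil {
		panic(err)
	}
	return k, der
}

// MakeRequest signs the device public key with whatever key the caller holds; only the real
// card key yields a proof that IssueDerived accepts.
func MakeRequest(cac *x509.Certificate, devicePub []byte, holder *ecdsa.PrivateKey) DerivedRequest {
	h := sha256.Sum256(devicePub)
	sig, err := ecdsa.SignASN1(rand.Reader, holder, h[:])
	if err != nil {
		panic(err)
	}
	return DerivedRequest{CACCert: cac, DevicePub: devicePub, PoP: sig}
}

// IssueDerived is the issuer-side check: the card cert must chain to the trust anchors and be
// valid now, the proof of possession must verify, and the new cert's NotAfter is capped at the
// card cert's NotAfter so a lost card's revocation window is never shorter than the phone's.
func IssueDerived(d *Demo, req DerivedRequest, now time.Time, maxLife time.Duration) (*x509.Certificate, error) {
	if _, err := req.CACCert.Verify(x509.VerifyOptions{Roots: d.Roots, CurrentTime: now,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}); err != nil {
		return nil, fmt.Errorf("source card certificate not trusted: %w", err)
	}
	if err := req.CACCert.CheckSignature(x509.ECDSAWithSHA256, req.DevicePub, req.PoP); err != nil {
		return nil, fmt.Errorf("proof of possession failed: %w", err)
	}
	devPub, err := x509.ParsePKIXPublicKey(req.DevicePub)
	if err != nil {
		return nil, err
	}
	notAfter := now.Add(maxLife)
	if req.CACCert.NotAfter.Before(notAfter) {
		notAfter = req.CACCert.NotAfter
	}
	serial, _ := rand.Int(rand.Reader, big.NewInt(1<<62))
	tmpl := &x509.Certificate{
		SerialNumber: serial, Subject: req.CACCert.Subject, NotBefore: now, NotAfter: notAfter,
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	return sign(tmpl, d.DerivedCA, devPub, d.DerivedCAKey), nil
}

// VerifyDerived is what a relying party does at login: chain the phone's certificate to the
// same roots through the derived-credential CA.
func VerifyDerived(d *Demo, cert *x509.Certificate, now time.Time) error {
	inter := x509.NewCertPool()
	inter.AddCert(d.DerivedCA)
	_, err := cert.Verify(x509.VerifyOptions{Roots: d.Roots, Intermediates: inter, CurrentTime: now,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	return err
}

func main() {
	now := time.Now()
	d := NewDemo(now)
	_, devPub := NewDeviceKey()
	cert, err := IssueDerived(d, MakeRequest(d.CAC, devPub, d.CACKey), now, 365*24*time.Hour)
	if err != nil {
		panic(err)
	}
	fmt.Println("issued to", cert.Subject.CommonName, "until", cert.NotAfter.Format(time.RFC3339),
		"relying-party check:", VerifyDerived(d, cert, now))
	_, err = IssueDerived(d, MakeRequest(d.CAC, devPub, newKey()), now, 365*24*time.Hour)
	fmt.Println("request signed without the card:", err)
}
```

Two things the demo makes visible that the paragraph does not: the phone never holds the card's key, only a certificate chained to the same roots, which is why relying parties can trust it "just as much" without the card being attached; and the derived certificate is a separate object with its own serial number and lifetime, so it can be revoked on its own when a phone is lost without touching the card. Real deployments also record the derived certificate against the holder's identity record (the DEERS integration requirement in the article) and check the card's revocation status before issuing, both of which are omitted here.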

Waiting on OMB

Greg Youst, the chief mobility engineer at DISA, said DoD is waiting for that special publication from NIST, but also for some final decisions from the Office of Management and Budget about how derived credentials can be used.

"Because the issue is, we need to define separation," he told a small audience at a mobile technology symposium hosted by AFCEA DC in Vienna, Va., on Friday. "One of the requirements from OMB says that the certificate has to be separate from the device it's authenticating in."

And OMB's decisions could make or break some of the potential solutions DoD is exploring for mobile two-factor authentication. For instance, one idea might be to place those derived credentials on a microSD card that's inserted into the phone. Another might be to put the certificates onto the same SIM card that a commercial smartphone uses to identify itself to the commercial cellular network it runs on.

"Here's the debate. Is a microSD separate? I can take it out and put it back in. What about a SIM chip? I can take it out, but now the phone doesn't work," he said. "There's still policy stuff that's being worked out at the federal level on how we're going to approach mobility and PKI, and this is a very complicated field."

But DoD says it does have some specific requirements that are going to govern how it handles ID management in the mobile realm: whatever solutions it settles on are going to have to integrate seamlessly with the Defense Enrollment Eligibility Reporting System (DEERS), the massive and expensive centralized infrastructure the Defense Manpower Data Center already operates to manage the identities of 42 million service members, civilians, contractors, retirees and dependents.

Beyond the derived credential options that use technologies such as microSD and SIM cards, the department is also exploring technologies that would let users hold their actual CAC cards up to their phones and authenticate via near-field communication, a technology already built into many smartphones.

"The challenge there is because of the policies around federal PIV cards, which have a whole lot of esoteric nonsense that we have to plow through," said Michael Butler, DMDC's deputy director for identity services. "But we've made it work. My guys actually built an email client, you can sign, you can encrypt and it's certainly a better user experience than the [external card reader]. We've worked with Google, Samsung, a number of different folks, and we're working on an NSA assessment. It's really pretty simple technically, it's really making all the standards work and getting all the standards folks to agree with it that's the hard part."