The U.S. federal government’s Personal Identity Verification (PIV) program, based on FIPS 201-2, requires smart card-based authentication for employees to access government computers and networks. While providing the highest level of security, physical PIV cards present many operational challenges. For example, since they require access to a smart card reader they do not work well with mobile devices, along with many desktops and laptops. Additionally, PIV cards are difficult to issue and manage with today’s remote and distributed workforce.

Further, the recent U.S. national cybersecurity executive order mandates that government agencies deploy multi-factor authentication (MFA) and data encryption within 180 days. So, where does this leave governmental agencies working to ensure PIV compliance, while now having to comply with the new executive order?

Strong purpose-built authentication that’s mobile friendly

Derived PIV credentials, also known as PIV-D credentials, are based on NIST 800-157 and offer smart card security without the limitations of a physical form factor. However, when these digital credentials are provisioned to non-GFE (government furnished equipment) like a personal mobile device, federal agencies still run the risk of security breaches if said device is not being actively managed or patched.

But what if derived PIV credentials could be stored on an external authenticator deeply rooted in encryption and authentication to minimize the attack surface? Entrust has partnered with Yubico to do just that. With YubiKey, the derived PIV credential is stored on a purpose-built external authenticator that is solely focused on encryption and authentication. With Entrust support for YubiKeys, government agencies are now able to issue YubiKey 5 Series and YubiKey 5 FIPS Series with Entrust derived PIV credentials to employees instantly, remotely and at scale.

“Derived PIV credentials stored on a YubiKey, work well with mobile devices as they are easy to issue and use while providing the level of security required on all devices,” said Jeff Frederick, Manager, Solutions Engineering, Yubico. “As such, we are extremely pleased to work with Entrust, the recognized leader in the provision of PIV credentials, to make derived PIV credential issuance available with YubiKeys.”

Specific benefits of YubiKeys with Entrust derived PIV credentials include:

  • A credential can be generated on the external authenticator, keeping the private key secure and simple (versus generating the credential elsewhere and importing onto a mobile device).
  • The external authenticator can be validated at a higher authenticator assurance level than offered by a mobile device. The YubiKey 5 FIPS Series is FIPS 140-2 validated Overall level 2, Physical Security level 3 and the PIV-D Credential on a FIPS validated YubiKey meets Authenticator Assurance Level (AAL) 3 (Certificate #3914).
  • The credential stored on the external authenticator can act as a portable root of trust, enabling remote and teleworking employees, as well as contractors to securely authenticate to government networks and applications via Bring Your Own Approved Device (BYOAD).
  • YubiKey’s latest form factors include USB-C, lightning and NFC, allowing for the ‘tap-and-go’ usability needs of mobile users by enabling authentication seamlessly across multiple devices such as desktop computers, laptops, mobile devices, and tablets.

US government departments and enterprises can take advantage of YubiKeys with derived PIV credentials using Entrust’s Managed PKI service. Additionally, this functionality is included with Entrust Identity Enterprise, which joins Identity as Service and Identity Essentials as part of the Works with YubiKey program.

PIV alternative, PIV derived credentials, and FIDO2

In addition to PIV and derived PIV support in Identity Enterprise, Entrust also supports FIDO2 credentials with Identity as a Service. FIDO2 credentials, similar to PIV, leverage asymmetric cryptography providing strong hardware backed authentication. Entrust’s Identity as a Service offering allows users to register a FIDO2 credential that is securely stored in a YubiKey. Leveraging the same YubiKey for PIV and FIDO2 credentials, integrated into the Entrust Identity platform, provides for a wider range of strong authentication across a user’s access landscape reducing the reliance on weaker forms of authentication.

Using the Entrust-YubiKey solution, US government departments are able to ensure PIV compliance today, future proof for the use of FIDO2 credentials, and comply with the Executive Order’s MFA mandate.

Learn more about Entrust derived PIV credential issuance with YubiKeys by attending our upcoming webinar.