StrongKey Blog

FIDO 201: Moving beyond PKI and PIV Card Authentication with PKI2FIDO

Written by Javier Madriz | May 4, 2020 8:00:00 PM

If you're new to the world of the FIDO Alliance, we recommend reading our FIDO 101 article, and our in-depth guide to FIDO Protocols.

In the last week of March 2020, the White House Office of Management and Budget (OMB) issued a new policy giving government agencies flexibility as they move to telework because of the COVID-19 pandemic. This includes letting agencies use types of authentication other than the smart card/Public Key Infrastructure (PKI) combination that is the government’s standard.

If you don’t work for the government, you might wonder “Why should I care about this?” Although the memo is specific to government agencies, companies across industries that use smart cards and/or PKI for authentication are going through the same struggle: how to keep their data systems secure while working with remote teams.

Key Takeaways from the Memo

Organizations face three problems as they move to telework:

  1. While many employees have employer-provided laptops that can tie into organizations’ systems via a VPN, not all of those VPNs support smart card login.
  2. Many employees only have desktops in their workplace and working from home means they are likely using personal devices that may not support a smart card.
  3. For employers who use Personal Identity Verification (PIV) smart cards, issuing a card requires an in-person proofing and issuance process. That sets a high bar for security, but it is not practical in a crisis where bringing people into a face-to-face setting is not safe.

This memo gives government agencies some much-needed flexibility to go beyond PIV/PKI combinations for authentication purposes. While most organizations don’t need to comply with government policies, the following sections of the memo provide solid guidelines that should be followed by any organization wanting to maintain a high level of security:

  • Per Section 7, when it is not possible to enroll someone for a PIV credential or to issue them one, “Agencies are able to make a risk determination and issue an alternate credential/authenticator for PIV-eligible personnel due to the inability to collect biometrics (e.g., fingerprints), until biometric processing is feasible.”
  • Per Section 8, “If agencies are unable to issue a PIV credential, they should be prepared to issue an alternate credential authenticator for physical and logical access.”
  • Section 9 discusses steps agencies should take when a PIV credential is not in use.

Transitioning to PKI2FIDO

Among the silver linings of this worldwide pandemic is that it has brought the opportunity to introduce significant operational changes in your organization without major resistance from employees; after all, we’re all having to adapt to new ways of working.

We recognize that organizations and government agencies, having invested hundreds of millions of dollars in vetting the humans to whom they issued PIV, CAC, National ID and similar credentials, are unlikely to repeat that identity-proofing effort just to deploy an alternative authentication and data security approach.

Therefore, StrongKey has created PKI2FIDO, a free and open-source web application that helps organizations deploy Fast Identity Online, version 2 (FIDO2)-based authentication. Where PIV authentication is infeasible, FIDO-based strong authentication brings shorter implementation time and lower cost, and PKI2FIDO enables it today without per-user licensing costs.

Based on the free and open standards of the FIDO Alliance, PKI2FIDO is a single-page application that lets holders of X.509 digital certificates (such as those on PIV cards and CACs) strongly authenticate to the PKI2FIDO web application with that certificate and then register a FIDO2 Authenticator with a FIDO server in their enterprise. The certificate authentication is what carries the original in-person vetting forward: the new FIDO2 credential is bound to an identity that was already strongly proven, not to an unverified self-registration.

How PKI2FIDO Works in Practice

Going through the implementation process of PKI2FIDO as a new authentication solution may sound daunting at first, but it doesn’t have to be. Here’s a step-by-step view of a deployment:

  1. Deploy a FIDO2 Certified™ server in your data center.
  2. Leverage existing platforms - such as Windows 10 computers with TPMs or MacBooks with Touch ID - to support the use of FIDO. Where such devices do not exist, choose a set of approved FIDO Authenticators for use by employees - they are available for as little as $15 in the retail market.
  3. Enable PKI2FIDO for employees who use digital certificates for authentication. Where a valid certificate alone is not sufficient to authorize registration, PKI2FIDO can be tied to internal Directory Servers for an additional authorization check (we are happy to help with the integration work).
  4. Enable registration of FIDO Authenticators with the FIDO server deployed alongside PKI2FIDO. The registration process may need to be flexible to accommodate unique registration procedures. (As always, StrongKey is available to help with these discussions.)
  5. The user registers their FIDO Authenticator with the FIDO Certified server.
  6. The user can now go home and use the registered Authenticator from a personal device to authenticate to your organization’s website with the FIDO protocol. Note that only a roaming Authenticator (a security key) travels with the user; a platform Authenticator such as a TPM-backed Windows Hello credential or Touch ID is bound to the device it was registered on, so plan on roaming keys for users who will work from personal devices.
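The registration ceremony that steps 4 and 5 describe, as an added example that is not PKI2FIDO's own code: a standard-library-only Python model of the server side of a WebAuthn registration, with the user's identity taken from the X.509 authentication that already happened. The RP ID, origin and identity strings are assumptions for the example, and the authenticator is a constructed stand-in for browser plus security key that produces an attestation-'none' response; the CBOR attestationObject wrapper is omitted and authenticatorData is checked directly, which is what remains to verify under 'none', and the COSE public key is a placeholder rather than real key material.

```python
"""Server side of a WebAuthn registration bootstrapped from an X.509-authenticated session,
the pattern PKI2FIDO follows.  Stdlib only.  RP_ID, ORIGIN and the identity strings are
assumptions for the example; simulate_authenticator() is a constructed stand-in that emits an
attestation-'none' response without the CBOR wrapper, so authenticatorData is checked directly."""
import base64
import hashlib
import hmac
import json
import os
import secrets
import struct

RP_ID = "fido.agency.example"                  # assumed relying-party ID (the host name)
ORIGIN = "https://" + RP_ID                    # browser origin the server expects
FLAG_UP, FLAG_UV, FLAG_AT = 0x01, 0x04, 0x40   # authenticatorData flag bits


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def start_registration(cert_identity, pending):
    """Build PublicKeyCredentialCreationOptions for a user whose identity the TLS layer
    already verified from their certificate (e.g. the UPN in a PIV certificate's SAN).
    user.id must be opaque and PII-free, so it is random rather than derived from the name."""
    challenge, user_handle = secrets.token_bytes(32), secrets.token_bytes(32)
    pending[cert_identity] = {"challenge": challenge, "user_handle": user_handle}
    return {
        "rp": {"id": RP_ID, "name": "Agency FIDO server"},
        "user": {"id": b64url(user_handle), "name": cert_identity, "displayName": cert_identity},
        "challenge": b64url(challenge),
        "pubKeyCredParams": [{"type": "public-key", "alg": -7}],      # ES256
        "authenticatorSelection": {"userVerification": "required"},
        "attestation": "none",
        "timeout": 60000,
    }


def simulate_authenticator(options, origin=ORIGIN, user_verified=True):
    """CONSTRUCTED stand-in for browser + FIDO2 authenticator (not a real security key)."""
    client_data = json.dumps({"type": "webauthn.create", "challenge": options["challenge"],
                              "origin": origin, "crossOrigin": False}).encode()
    flags = FLAG_UP | FLAG_AT | (FLAG_UV if user_verified else 0)
    cred_id = os.urandom(16)
    cose_key = bytes.fromhex("a50102032620012158")   # truncated COSE_Key prefix, placeholder
    auth_data = (hashlib.sha256(options["rp"]["id"].encode()).digest() + bytes([flags])
                 + struct.pack(">I", 0) + bytes(16)        # signCount 0, AAGUID zeroed under 'none'
                 + struct.pack(">H", len(cred_id)) + cred_id + cose_key)
    return {"id": b64url(cred_id), "clientDataJSON": b64url(client_data),
            "authenticatorData": b64url(auth_data)}


def finish_registration(cert_identity, response, pending, registry):
    """Verify the response against the pending challenge and bind the new credential to the
    certificate-proven identity.  Each check defeats a replay, a phishing page or a wrong RP."""
    state = pending.pop(cert_identity, None)           # single use: consumed even on failure
    if state is None:
        raise ValueError("no registration in progress for this identity")
    client_data = json.loads(b64url_decode(response["clientDataJSON"]))
    if client_data.get("type") != "webauthn.create":
        raise ValueError("wrong ceremony type")
    if not hmac.compare_digest(b64url_decode(client_data.get("challenge", "")), state["challenge"]):
        raise ValueError("challenge mismatch: replayed or cross-session response")
    if client_data.get("origin") != ORIGIN:
        raise ValueError("origin mismatch: response was produced for another site")
    auth_data = b64url_decode(response["authenticatorData"])
    if len(auth_data) < 55:                            # rpIdHash + flags + counter + AAGUID + credIdLen
        raise ValueError("authenticatorData too short for attested credential data")
    rp_hash, flags, sign_count = auth_data[:32], auth_data[32], struct.unpack(">I", auth_data[33:37])[0]
    if not hmac.compare_digest(rp_hash, hashlib.sha256(RP_ID.encode()).digest()):
        raise ValueError("rpIdHash mismatch: credential scoped to a different RP")
    if not flags & FLAG_UP:
        raise ValueError("user presence not asserted")
    if not flags & FLAG_UV:
        raise ValueError("user verification was required but not performed")
    if not flags & FLAG_AT:
        raise ValueError("no attested credential data in response")
    cred_len = struct.unpack(">H", auth_data[53:55])[0]
    cred_id, cose_key = auth_data[55:55 + cred_len], auth_data[55 + cred_len:]
    if len(cred_id) != cred_len or not cose_key or b64url_decode(response["id"]) != cred_id:
        raise ValueError("credential id missing, truncated or inconsistent")
    if cred_id in registry:
        raise ValueError("credential already registered to a user")
    record = {"identity": cert_identity, "user_handle": state["user_handle"],
              "aaguid": auth_data[37:53].hex(), "public_key_cose": cose_key, "sign_count": sign_count}
    registry[cred_id] = record
    return record


def demo():
    """One honest registration for a constructed, certificate-authenticated user."""
    pending, registry = {}, {}
    options = start_registration("alice.smith@agency.example", pending)
    return finish_registration("alice.smith@agency.example", simulate_authenticator(options), pending, registry)
```

The binding happens in `finish_registration`: the credential is stored under the identity the certificate proved, never under a name the client sent, and the pending challenge is consumed on the first attempt so a captured response cannot be replayed. A production server would additionally parse the CBOR attestationObject, decode the COSE key, and apply an allow-list of AAGUIDs if only approved Authenticators may be registered.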

PKI2FIDO allows an organization’s users to strongly authenticate to the web application with their smart card/digital certificate and to register one or more FIDO Authenticators (FIDO2, or legacy U2F security keys) on the enterprise FIDO server. Once registered, those Authenticators can be used to strongly authenticate to FIDO-enabled web applications within the enterprise or agency.

If you would like to discuss using the PKI2FIDO web application, please contact us at getsecure@strongkey.com or request a free security assessment.