The Advanced Technology Academic Research Center announced two public-private laboratories around identity management Tuesday to hasten government adoption of more easily distributable, modern credentials.
ATARC’s Digital Mobile Credentials Lab will showcase six use cases where devices serve as identifiers to access buildings and workstations, while an Identity Management Working Group lab will have vendors demonstrate the feasibility of a Derived Fast Identity Online 2 (FIDO2) Credential (DFC).
Personal Identity Verification (PIV) cards and Common Access Cards (CACs) became the standard at agencies around the turn of the millennium, but such physical credentials proved hard to disburse with the onset of the pandemic and remote work.
“Identity management is one of the five main pillars of zero trust,” Tom Suder, ATARC president, told FedScoop. “But we’ve seen during the pandemic that it’s really a challenge.”
Like its Zero Trust Lab launched in September, ATARC’s new labs are focused on generating more government-specific use cases.
The onboarding of enumerators for the decennial census creates tremendous demand for credentials, as does the Federal Emergency Management Agency scaling its workforce during disasters. Mobile phones the government typically issues to employees present an opportunity for a post-PIV and CAC environment, Suder said.
ATARC established a memorandum of understanding with the General Services Administration for the Digital Mobile Credentials Lab after the agency brought the use case of its USAccess shared service, which provides PIV cards across more than 110 agencies.
Among the technologies the lab will showcase are Public Key Infrastructure (PKI) and FIDO2 credentials; physical access control and logical access control system (PACS/LACS) technical architectures; and identity, credential and access management (ICAM) solutions.
The six use cases are:
- mobile phone PKI authentication to PACS providing access to a building,
- mobile phone authentication to workstations or web applications using an X.509 authentication certificate,
- mobile phone authentication to workstations or web applications using FIDO2 credentials,
- mobile phone or tablet authentication for temporary personnel using an X.509 authentication certificate,
- mobile phone or tablet authentication to PACS using X.509 authentication, and
- credentials provisioned to a wallet or container on a mobile phone or tablet.
Likely a partly physical, partly virtual lab, it will feature some of the same companies as the Zero Trust Lab, and a “fairly immediate” launch is expected, Suder said.
Meanwhile, the DFC Lab came out of a recently published Identity Management Working Group white paper, which requested demos proving the feasibility of agencies issuing and managing FIDO2 hardware tokens tied to existing physical credentials.
FIDO2 lets users authenticate using mobile devices, so they no longer need their PIV cards or CACs on them at all times. What’s more, the DFC would be transferable if an employee switched agencies.
“These controls are established practices that minimize the risk of impersonation and allow for managing which resources an end user can interact with while leveraging a DFC,” the white paper reads. “Currently, no such guidance exists for the issuance and management of FIDO2 credentials, and enterprise use of these credentials has been limited for this reason.”