We first wrote about derived credentials in December (“Derived Credentials: What You Need to Know”), including background on National Institute of Standards and Technology (NIST) Special Publication 800-157. We also explained how VMware AirWatch supports derived credentials in compliance with NIST SP 800-157 using what we referred to as “Derived Credentials Lite.”
Our newly released derived credentials app, VMware PIV-D Manager, enables the use of derived credentials with native apps and profiles, VMware apps and third-party AirWatch SDK-enabled apps. This is the most complete enterprise-mobility-management-based solution to support multiple derived credential vendors using the same framework and flow on both iOS and Android.
VMware PIV-D Manager integrates with several of the popular derived credentials solution providers in the market today, including Purebred, XTec, Entrust Datacard and Intercede. The application can also use the AirWatch backend infrastructure together with any existing Certificate Authority to derive and use a derived credential in a manner that complies with NIST SP 800-157. These partnerships allow AirWatch to simplify the experience for users by providing one app with access to all vendors, with a consistent experience regardless of vendor, as seen in the screenshots below.
VMware PIV-D Manager: Getting Started
Enrollment and usage of derived credentials through VMware PIV-D Manager is as easy as 1-2-3:
1. The user enrolls for a derived credential through a self-service portal hosted by the derived credentials provider, authenticating with their existing smart card (i.e. CAC or PIV card), and receives either a QR code or a one-time password (OTP).
2. The user launches the VMware PIV-D Manager application, enters the information from step one and hits “Next.”
3. VMware PIV-D Manager successfully generates/retrieves the end user’s derived credentials, and they are good to go!
How Do Derived Credentials Work?
Here is a quick recap on what derived credentials are and, more importantly, what problem they solve:
Historically, HSPD-12 and the FIPS 201 standard that implements it required smart cards [i.e. Common Access Cards (CAC) and Personal Identity Verification (PIV) cards] for all physical, logical and network access on all devices, including smartphones and tablets. While this worked well for desktops and laptops, the experience on mobile devices was cumbersome and costly.
To help solve this problem, the National Institute of Standards and Technology (NIST) revised FIPS 201 to allow additional token form factors, and in 2014 NIST released Special Publication 800-157, “Guidelines for Derived Personal Identity Verification (PIV) Credentials.” Rather than presenting the CAC or PIV card itself on every device, the holder authenticates with the card once and is issued an alternative token, a separate credential that can be provisioned to and used directly from a mobile device; SP 800-157 provides the guidelines for generating and using that token. This newly derived PIV credential is also commonly referred to as a derived credential or PIV-D.
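The following is an added example, not code from the original post, from VMware or from any of the vendors named above. It models the three-step flow described earlier and the core idea behind SP 800-157 in Go, using only the standard library: the user proves possession of the PIV card (a certificate that chains to the agency PIV CA plus a signature over a fresh nonce) and receives a single-use OTP; the mobile device then generates its own key pair and submits a CSR together with the OTP; the issuer binds the device key to the identity it authenticated and returns a new client-authentication certificate. Everything here is an assumption of the example: the `Provider` type and its method names, the CA names, the identity "JANE DOE", ECDSA P-256 keys, the hex OTP format, the rule that the derived certificate expires no later than the PIV certificate it was derived from, and the in-process PKI that stands in for a real card and CA.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// must turns fixture-setup failures into panics so the demo wiring stays short; issuer logic returns errors.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}
func newKey() *ecdsa.PrivateKey { return must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)) }
func randBytes(n int) []byte    { b := make([]byte, n); must(rand.Read(b)); return b }
func signNonce(k *ecdsa.PrivateKey, msg []byte) []byte {
	d := sha256.Sum256(msg) // what card middleware would do with the PIV authentication key
	return must(ecdsa.SignASN1(rand.Reader, k, d[:]))
}

// Provider is a hypothetical derived-credential issuer (example code, not any vendor's API). It trusts the
// agency PIV CA, signs derived certificates with its own CA key and remembers who each single-use OTP went to.
type Provider struct {
	pivRoots *x509.CertPool
	CACert   *x509.Certificate
	caKey    *ecdsa.PrivateKey
	otps     map[[32]byte]*x509.Certificate // sha256(otp) -> PIV certificate proven at enrollment
}

// issue signs a client-authentication certificate for pub under parent; a nil parent mints a self-signed CA.
func issue(parent *x509.Certificate, parentKey *ecdsa.PrivateKey, cn string, pub any, notAfter time.Time) (*x509.Certificate, error) {
	tmpl := &x509.Certificate{SerialNumber: must(rand.Int(rand.Reader, big.NewInt(1<<62))), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: notAfter, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if parent == nil {
		tmpl.IsCA, tmpl.KeyUsage, parent = true, tmpl.KeyUsage|x509.KeyUsageCertSign, tmpl
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func newCA(cn string) (*x509.Certificate, *ecdsa.PrivateKey) { // self-signed stand-in for a real CA
	key := newKey()
	return must(issue(nil, key, cn, &key.PublicKey, time.Now().AddDate(10, 0, 0))), key
}

// Enroll is the portal step (step 1): the PIV cert must chain to the agency PIV CA and the user must prove
// possession of the card key by signing the portal's fresh nonce. The reward is a single-use OTP.
func (p *Provider) Enroll(pivCert *x509.Certificate, nonce, sig []byte) (string, error) {
	opts := x509.VerifyOptions{Roots: p.pivRoots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := pivCert.Verify(opts); err != nil {
		return "", fmt.Errorf("PIV certificate not trusted: %w", err)
	}
	if err := pivCert.CheckSignature(x509.ECDSAWithSHA256, nonce, sig); err != nil {
		return "", fmt.Errorf("possession of the PIV private key not proven")
	}
	otp := fmt.Sprintf("%x", randBytes(16))
	p.otps[sha256.Sum256([]byte(otp))] = pivCert // bind the code to exactly this authenticated identity
	return otp, nil
}

// Redeem is the app step (steps 2-3): the device presents the OTP plus a CSR for a key pair it generated
// itself. Subject and expiry are copied from the authenticated PIV certificate, never taken from the CSR.
func (p *Provider) Redeem(otp string, csrDER []byte) (*x509.Certificate, error) {
	h := sha256.Sum256([]byte(otp))
	piv, ok := p.otps[h]
	if !ok {
		return nil, fmt.Errorf("unknown or already used OTP")
	}
	delete(p.otps, h) // consume the code before issuing anything, so a replayed OTP is refused
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err != nil || csr.CheckSignature() != nil {
		return nil, fmt.Errorf("malformed CSR, or CSR not signed by the device key it carries")
	}
	return issue(p.CACert, p.caKey, piv.Subject.CommonName, csr.PublicKey, piv.NotAfter)
}

// RunFlow performs steps 1-3 end to end for a constructed identity ("JANE DOE") and returns every artifact.
func RunFlow() (p *Provider, pivCert, derived *x509.Certificate, otp string, csr []byte) {
	pivCA, pivCAKey := newCA("Example Agency PIV CA")
	cardKey := newKey() // stands in for the key on the card, which never leaves a real card
	pivCert = must(issue(pivCA, pivCAKey, "JANE DOE", &cardKey.PublicKey, time.Now().AddDate(3, 0, 0)))
	ca, caKey := newCA("Example Derived Credential CA")
	roots := x509.NewCertPool()
	roots.AddCert(pivCA)
	p = &Provider{pivRoots: roots, CACert: ca, caKey: caKey, otps: map[[32]byte]*x509.Certificate{}}
	nonce := randBytes(32) // the portal's challenge
	otp = must(p.Enroll(pivCert, nonce, signNonce(cardKey, nonce)))
	devKey := newKey() // generated on the mobile device; only its public half leaves, inside the CSR
	csr = must(x509.CreateCertificateRequest(rand.Reader, &x509.CertificateRequest{Subject: pkix.Name{CommonName: "ignored"}}, devKey))
	derived = must(p.Redeem(otp, csr))
	return
}

func main() { _, piv, d, _, _ := RunFlow(); fmt.Println(piv.Subject.CommonName, "->", d.SerialNumber) }
```

Three properties are worth checking in the output: the derived certificate carries the subject of the PIV certificate that was actually authenticated, not the name the CSR claimed; its public key is the device's, not the card's; and presenting the same OTP a second time fails, because the issuer consumed it before signing anything. What the example leaves out, and a production issuer must add, is storing the device key in hardware-backed storage on the phone, checking the PIV certificate's revocation status at enrollment, and revoking the derived credential when the underlying card is terminated.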
How Do Businesses Use Derived Credentials?
I want to take a moment to explain how we actually got here. While the term “derived credentials” has been around for a few years now, the actual deployments of derived credentials are still in the very early stages. Here are some of my observations after speaking with dozens of customers:
- There is no single derived credentials solution provider that everyone will use. There are multiple government off-the-shelf (GOTS) as well as commercially off-the-shelf (COTS) providers in the market today.
- While “derived credentials” is a U.S. government-centric term, the problem it solves applies much more broadly. Derived credentials are a great alternative for any organization that uses smart cards today but does not want to use them with its mobile devices. This use case applies to any of the following verticals:
  - International government agencies
  - State and local agencies
  - Federally funded research and development centers
  - Federal system integrators
  - Other regulated verticals, such as finance and energy
- Every customer has their own set of use cases for how they want to use derived credentials. We have customers who want to use a derived credential to authenticate to email, websites, Wi-Fi and VPN. We also have customers that want to build their own apps that also consume and use derived credentials. These customers are also looking to deploy derived credentials on various operating systems.
- Derived credentials are an important part of a broader identity and access management strategy. Customers don’t just want to use derived credentials to access internal systems; they want to use them for federated systems in the cloud that are powered by commercial apps. They also want to require additional factors depending on the context and the type of data users are accessing.
These are just a few of the examples that validated our approach, which was to architect a framework for abstraction that allows every customer to have a very similar experience, regardless of what derived credential vendor they use in conjunction with AirWatch and Workspace ONE. This not only promotes consistency and better product quality but also allows all of our customers to enjoy all of the new enhancements and innovations we will continue adding in future releases.
Derived Credentials Solution Demo
VMware will demo our derived credentials solution this week at both the Gartner Security & Risk Management Summit (Booth 603), as well as the 2017 AFCEA Defensive Cyber Operations Symposium (Booth 557). Bring your questions!