MyID transfers derived credentials to mobile devices
MyID Trusted Authenticator gives Good Technology customers access to a wide range of secure credentials for signing, authentication and encryption.
For the government, securing mobile devices is an ongoing struggle – one that some private companies are trying to alleviate. Among them is Intercede, which recently teamed with Good Technology to let customers beef up mobile security by replacing passwords with two-factor authentication.
Intercede's MyID is an identity and credential management system that acts as a central hub, connecting all of the required system components together to build a FIPS 201-compliant solution.
The MyID Authenticator works as a plug-in to Good's Digital Authentication Framework, which is designed to allow third parties to develop plug-ins, or Trusted Authenticators, for the Good Dynamics Secure Mobility Platform.
The plug-in lets workers access secure applications on mobile devices using credentials derived from their existing smart cards, including personal identity verification (PIV) cards, Transportation Worker Identification Credential cards and Common Access Cards. Agencies using the Good Dynamics platform can use strong credentials without having to develop secure apps themselves, with the MyID Trusted Authenticator taking care of secure communications between the app and the appropriate credential.
The connector would typically be installed as part of Good’s mobile application management solution, although it can be downloaded directly from an app store, said Chris Edwards, chief technical officer at Intercede.
The critical part of credentials-based mobile authentication is getting the credentials or certificate onto the phone itself, Edwards said, and that’s where Intercede’s cloud-based MyID kiosk comes in.
“It’s like using an ATM basically,” he said. Users insert their cards and read a QR code from the mobile device. Once the system authenticates the user, it puts a derived credential on the device.
Agencies can choose whether to apply the credential through an attended station in human resources or IT, or through a self-service model in which users can collect the credential from their desktop machines, Edwards said.
Exactly where to put the credentials proved a challenge. The Intercede team considered secure elements such as SIM cards, embedded secure elements and external ones. “On Windows phones, we were able to put [credentials] into the [Trusted Platform Module], which gave a good level of protection, and on Android phones, we’ve got a Trusted Execution Environment,” Edwards said.
It’s a one-off credentialing process for a mobile device, but updates are required when certificates expire, usually in two to three years, or if policies change and require renewal. When employees change devices, they will need to cancel the phone’s credentials and get new ones.
Most federal agencies already have the technology in place to make the solution work because they have card-issuing systems. Additionally, because the MyID-derived credentials solution can sit alongside an existing content management system, agencies are not required to have an Intercede system managing cards, Edwards said. They can have an on-premise solution sitting alongside that issues a separate derived credential, or use a cloud-hosted solution.
A fully compliant managed solution needs a way to send notifications from the card-issuing system back through to the derived credential system. So when a person leaves the agency and is no longer entitled to have a PIV card, “then the card issuing system...has to just send a message saying, ‘Can you cancel the credentials for this person?’ and then we’ll react to that and revoke the certificates that are on the phone,” Edwards said.
Benefits of the MyID Authenticator for Good include cost savings for agencies and more convenience for workers – both of which result ultimately in better security, he added.
The MyID solution “allows the agency to recognize that this is actually how people need to work these days, but at the moment they can’t because they’re constrained by the security demands for remote access,” Edwards said. “This enables them to break out of that constraint so that they can get to all those services and data and so on, using credentials that are on the phone without having to have extra card readers and plug-ins to try to work around the problem.”