Previously, Kyle Adams blogged, in a seven-part series on authentication attacks, about some of the weaknesses of userid/password-based authentication.
The Federal government has been working on eliminating password-based authentication in its networks for quite some time. As part of this, the government has mandated the use of Public Key Infrastructure as a way to enhance security by eliminating the need to use passwords as login credentials. Homeland Security Presidential Directive 12: Policy for a Common Identification Standard for Federal Employees and Contractors (HSPD-12) mandated the use of smartcard-based strong authentication. Perhaps the best known implementations are the Personal Identity Verification (PIV) card used by civilian agencies and the Common Access Card (CAC) used by the US military.
Recently Juniper Networks and Thursby introduced support for PKI smart cards on Apple iOS devices on our Pulse SSL VPN and Network Access Control Solutions. As far as I know, these solutions are the only ones that currently support US Federal smartcards on iOS devices.
The Modern Network has a very interesting two-part interview with Thursby CTO Paul Nelson, titled "The Impact of Mobile Devices and BYOD on Federal Networks" and "Mobile Smartcard Authentication and Federal Networks", which is well worth reading.
NIST SP 800-53, revision 4, Information Assurance control IA-2, Identification and Authentication, contains control enhancements that mandate support for smartcards on mobile devices. Enhancement 11, Remote Access | Separate Device, states, "the information system implements multifactor authentication for remote access to privileged and non-privileged accounts such that one of the factors is provided by a device separate from the system gaining access" and goes on to say, "the purpose of requiring a device that is separate from the information system gaining access for one of the factors during multifactor authentication is to reduce the likelihood of compromising authentication credentials stored on the system." Control enhancement 12, Acceptance of PIV Credentials, states, "The information system accepts and electronically verifies Personal Identity Verification (PIV) credentials."
I have blogged several times about Juniper Networks Pulse solutions in the past, including how they support Suite B, use FIPS-validated cryptography, and are Common Criteria certified. They have also been tested and certified for use on the Department of Defense Unified Capabilities Approved Product List (UC APL) as an SSL VPN and as a NAC solution, and have been tested and certified by the Defense Information Systems Agency (DISA) Joint Interoperability Test Command (JITC) Public Key Infrastructure lab.
The Juniper Networks DC Area Juniper User Group (DCJUG) will demo the Junos Pulse partnership with Thursby’s PKard software and card reader at its November 21st meeting at Seasons 52 in Tyson’s Corner, VA. You can register for the event here.