28 January, 2013
Using PIV
With multiple forms of authentication, identifying the type of login as well as the identity associated with it becomes important.
Access Launchpad serves a verifier function, distinguishing between the authentication technologies used at the time of login. “Whether we’re using a PIV card, PIV-I credential or a credential on a mobile device, we can verify it and make the assertion based on what we’ve verified,” says Baldridge.
The system can tell the difference between PIV-I and PIV, a mobile device or thumb drive/USB based device, says Baldridge. “The idea here is to remain extensible in the architecture where different kinds of form factors can be used according to their levels of assurance.”
The pilot, as expected, is a relatively stripped-down version of the proposed final product and is only operating at Level of Assurance Two. For Baldridge, the fact that employees can use a one-time password or a PIV is the takeaway.
Simplicity
Simplicity is a key factor for the NASA initiative. The system enables an organization to sync massive rosters of credentials with Google in a simple and efficient manner, says Baldridge.
“We can take all 96,000 identities at NASA and present them to Google Apps for access if they are authorized,” says Baldridge. “We simply go into Google Apps, provide a spreadsheet of identities for authorization and after literally five minutes of configuration, all these identities are accessible–through their PIV cards–to Google Apps.”
Speed and efficiency are key to any business model and Baldridge suggests that those interested in the bottom line should not discount the NASA/Google initiative. “Five minutes of configurations to turn your application on to 100,000 accounts, that’s a return on your investment,” says Baldridge. “You’re not redoing what you already did–provisioning and managing passwords.”
Cloud: the final frontier
The value in using PIV cards in NASA’s new system is that it creates a secure application for authentication in the cloud. “All we would need to do to lift up the level of assurance is for the application to say ‘I need an authentication context that is level two or level three,’” Baldridge says.
This may seem a simple explanation for a rather complex solution. However, the results, according to NASA and Baldridge, are substantial. “We can say that the cloud is PIV capable, that is the message–the public statement,” says Baldridge.
Using the system is simple as well. NASA has a SAML 2.0 conformant configuration in place for Max.gov, a commonly used government portal. “If you’re logged on to your NASA issued desktop, you can simply click the button without providing password or PIV–it is, in fact, the Windows desktop single sign on of NASA Launchpad.”
Baldridge sees this as a convenience, especially when traveling. “When you travel, you don’t have to remember username and passwords.”
The caveat
For all that NASA’s initiative with Google promises, Baldridge was sure to mention one caveat associated with the project. “The Federal SAML 2.0 single sign-on profile had an overly restrictive statement in it where (NIST Special Publication 800-63) actually says you have a secure channel or an encrypted assertion,” explains Baldridge. “But the profile only said encrypted assertion.”
“Google doesn’t encrypt the assertion, it only encrypts the channel,” explains Baldridge. “We were trying to fix that language but didn’t quite fix it right so we have another iteration to go through to get that right,” says Baldridge.
It’s a fine-print issue that does little to take away from the NASA and Google Apps initiative.
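As an added illustration (not code from NASA, Google or Access Launchpad) of the two points above, the authentication context an application can request and the encrypted-assertion versus encrypted-channel distinction, the following Python inspects a SAML 2.0 Response for both. The mapping of AuthnContextClassRef values to assurance levels is an assumption for illustration, not the Federal profile's table.

```python
# Added example (not NASA's or Google's code). Inspects a SAML 2.0 Response for
# two things the article discusses: is the assertion itself encrypted
# (<saml:EncryptedAssertion>) or only the transport channel, and which
# AuthnContextClassRef the IdP asserted. The class-ref to level mapping is an
# illustrative assumption, not the Federal profile's normative table.
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Assumed mapping of authentication context class to a level of assurance.
ASSUMED_LOA = {
    "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport": 2,
    "urn:oasis:names:tc:SAML:2.0:ac:classes:SmartcardPKI": 3,
}


def inspect_response(xml_text, channel_encrypted):
    """Describe assertion protection and the asserted authentication context."""
    root = ET.fromstring(xml_text)
    encrypted = root.find("saml:EncryptedAssertion", NS) is not None
    node = root.find("saml:Assertion/saml:AuthnStatement/saml:AuthnContext/saml:AuthnContextClassRef", NS)
    class_ref = node.text.strip() if node is not None and node.text else None
    return {
        "assertion_encrypted": encrypted,
        "channel_encrypted": channel_encrypted,
        # SP 800-63 wording as quoted: secure channel OR encrypted assertion.
        "meets_sp800_63": encrypted or channel_encrypted,
        # Profile wording as quoted: the assertion itself must be encrypted.
        "meets_profile_text": encrypted,
        "authn_context": class_ref,
        "loa": ASSUMED_LOA.get(class_ref),
    }


def meets_requested_loa(result, requested_loa):
    """True when the asserted context meets the level the application asked for."""
    return result["loa"] is not None and result["loa"] >= requested_loa


# Constructed sample: a plaintext (channel-protected) assertion from a PIV login.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0"><saml:AuthnStatement><saml:AuthnContext>
    <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:SmartcardPKI</saml:AuthnContextClassRef>
  </saml:AuthnContext></saml:AuthnStatement></saml:Assertion>
</samlp:Response>"""

if __name__ == "__main__":
    print(inspect_response(SAMPLE_RESPONSE, channel_encrypted=True))
```

Run against the constructed sample with `channel_encrypted=True`, the result satisfies the SP 800-63 wording but not the stricter profile wording, which is exactly the gap Baldridge describes.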
Using the cloud to provide secure and streamlined employee verification is a key step to enable access anytime, anywhere. Add the fact that it incorporates PIV credentials that are already in the hands of government employees and the solution’s value rises.