Derived Credentials for Next-Generation MFA
NEWS
Enterprise mobility management (EMM) vendor MobileIron and trusted identity provider Entrust Datacard announced a partnership in April 2017 to offer derived credentials for next-generation multi-factor authentication (MFA). The new solution will combine technology from MobileIron’s Derived Credentials with Entrust’s IdentityGuard Mobile Smart Credentials, and will be included in an upcoming project by the National Institute of Standards and Technology's (NIST) National Cybersecurity Center of Excellence on Derived Personal Identity Verification (PIV) Credentials. The combined solution aims to extend smart card authentication to mobile devices, notably the Common Access Card (CAC) technology used by the U.S. government, eliminating the need for separate hardware tokens and passwords.
DISA Purebred Program
IMPACT
Derived credentials will fit into the current program of the Department of Defense’s (DoD) Defense Information Systems Agency (DISA) to bring CAC credentials onto mobile devices. Dubbed the Purebred program, it is essentially a key management server that enables the installation of an application on a mobile device, which derives the user’s credentials from the certificates on the CAC. Purebred was originally launched in 2015 and initially targeted iOS devices; it is now also available for Android and BlackBerry operating systems, on both smartphones and tablets. The initial aim of the program was to provide a more automated approach to enrolling DoD credentials on mobile devices.
DISA has been facing particular difficulty in deploying CAC with the mobile form factor due to the complex nature of the technology and the physical requirements of the CAC. DISA published an RFI in 2015 and later an RFP in 2016 for an enterprise mobility management contract, which would include BYOD support, an all-inclusive app store, and the ability to integrate new mobile technologies. In January 2017, DISA further announced its intention to digitize CAC credentials and reduce the time taken to input them into a device (which took approximately 22 minutes).
A derived credential solution eliminates the physical difficulty, as it is proposed as a software version of the PKI credential, and reduces the time needed to load it onto a mobile device (estimated at three minutes). Furthermore, it can accommodate BYOD management by simplifying the use of credentials in native applications (browser, email, VPN, SSO) on various commercial off-the-shelf devices. The remaining issue is for such a solution to comply with Level of Assurance (LOA) 3 at a minimum (based on NIST SP 800-157). The CAC itself is at LOA 4, which requires a hardware cryptographic module validated to FIPS 140-2 Level 2.
MobileIron and Entrust Datacard’s combined solution will be leveraged as part of the Purebred program. The technology will be able to meet the requirements of U.S. government standards in the space, notably Homeland Security Presidential Directive-12 (HSPD-12), FIPS 201, NIST SP 800-157, and Federal ICAM initiatives.
From Government to Private Sector
COMMENTARY
Derived credentials have been on the market for just over a year now, with other firms competing alongside Entrust Datacard and MobileIron, including Centrify and VMware AirWatch. Getting smart card authentication onto a mobile device is the primary barrier to overcome. MFA and PKI usage can be simplified while retaining smart-card-level security by using the increasingly powerful mobile platform: credentials can be stored in secure elements and trusted execution environments, technologies already in use within market-matured EMM and MDM products. Derived credentials push the MFA boundaries further by providing top-level security while simplifying usage. This is ideal for sectors demanding the highest level of security (such as government and military), but it will also interest other sectors with similar demands, notably the financial industry for mobile payments and banking, and the corporate space for protecting confidential business data, intellectual property, and other sensitive information on both personally liable and corporate-liable devices.