The Department of Defense has explored alternatives for authenticating and verifying user access to its information systems for several years.
Army Maj. Nikolaus J. Ziegler, military director of the Defense Information Systems Agency’s Innovation Office, said DISA is leading the department’s effort in developing a way to authenticate users’ identity through commercially available technologies that meet the department’s security parameters.
“We’re looking at how we can get a mobile platform, whether it’s a ‘bring your own device,’ or a government-furnished piece of equipment, that has [access to multiple levels of classification],” Ziegler said, during AFCEA’s TechNet Cyber 2019 in Baltimore May 14.
Ziegler’s office is part of DISA’s Emerging Technology Directorate, led by Systems Innovation Scientist Steve Wallace. That directorate is tasked with identifying commercial technologies capable of integrating with DoD’s various information technology (IT) environments.
Ziegler described DoD’s current authentication process, which uses Common Access Cards (CAC) and PINs, as less secure than the targeted end-state because current protocols do not require continuous revalidation for users accessing the network.
Wallace expressed similar concern in an article published by Federal News Network, but suggested the agency could leverage continuous behavioral authentication for validation.
“The reality is the CAC is a point in time type of deal. I stick my CAC into a machine, I punch in a PIN and I’m authenticated at that point in time.” Wallace said.
To improve the validation process, the agency will implement hardware attestation on its future devices and use continuous multifactor authentication (CMFA) to achieve assured identify -- the concept of establishing and continuously validating a users’ digital identity.
Hardware attestation is a mechanism for providing cryptographically signed and encrypted data that describes the security state of a device that is about to receive security credentials, while CMFA uses an algorithm to analyze biometric factors, such as face, voice, and gait.
Ziegler explained the ultimate goal of DISA’s alternative authentication processes is a seamless, frictionless, one-mobile device environment, which enables users to access any DoD network, whether in a “boardroom or a battlefield,” using the same device.
The agency demonstrated hardware attestation and CMFA capability by creating a credentialing token on a mobile device, which it used to access a laptop via a low-powered Bluetooth connection, he said.
Ziegler said the process involved an unclassified mobile phone and provisioned laptop. After placing the phone within close proximity to the laptop and pressing the space bar on the laptop, the exchanged token data enabled the user to authenticate into the laptop. Moving the mobile device away from the laptop automatically removed user access and locked the laptop.
In addition to hardware attestation and CMFA, the agency is exploring commercial solutions to assist in the validation process.
In 2014, DISA added Android’s Knox container to its approved product list. Knox is a multi-layered security platform that offers data encryption and isolation. Ziegler said DISA is exploring ways to use the Knox platform to integrate wearable technology into its identity validation process.
He said wearable technology could be valuable on the battlefield, providing continuous multifactor authentication from the moment the user puts the device on in the morning to the moment they take it off at night.
Ziegler said the agency is exploring acquisition processes to help bring these alternative authentication capabilities into the DoD enterprise as quickly as possible.