
Building the Government a Passwordless Foundation

November 12, 2020 / Guest Author

by George Avetisov, HYPR CEO

Passwordless technology is picking up steam in the private sector.

Microsoft reports that as of 2020 — on their Windows platform alone — more than 150 million people per month are using passwordless methods.

In the last 12 months alone, more than $100 million in venture capital funding has been invested in passwordless technologies. HYPR’s True Passwordless™ authentication technology has been deployed to millions of users across the Global 2000.

That’s why HYPR believes this is The Passwordless Decade, and in the next 5 years, passwords will no longer be the primary authentication mechanism.

Passwordless is the #1 trend in enterprise cybersecurity, but where are the headlines about the public sector? Is this a trend being overlooked by the federal space?

The Government Has the Building Blocks

Both HYPR and Dcode hear the same tirade over and over: the federal government moves slowly and favors legacy technologies. But that’s not always true, especially when it comes to passwordless authentication.

The federal government might even be ahead of the game here in many ways, already using key building blocks of passwordless technology. Now, the government needs to put those blocks together.

Smart Cards, CAC/PIV Cards, PKI

First, let’s look at smart cards — the original “second factor” that the federal workforce uses for higher assurance authentication and access.

Smart cards have been used in federal agencies for decades for both workstation login as well as physical access.

Types of smart cards already in use in the federal government are:

  • The Common Access Card (CAC) is used throughout the government across active-duty uniformed and civilian personnel working in mission-critical settings. The CAC has been in use since 2001, long before businesses learned how to turn a smartphone into a smart card.
  • The Personal Identification Verification Card, or PIV Card, is another widely used authenticator. The PIV Card has been synonymous with Public Key Infrastructure (PKI)-based authentication. The PIV Card is similar to the CAC; however, the PIV Card is for non-uniformed, non-Department of Defense, civilian employees. One of the PIV Card’s electronic features is a certificate and key pair, used to verify the integrity and validity of the credential.

Smart cards have been around since the late 1960s, and as of 2015, 10.5 billion integrated circuit cards are produced annually, including 5.44 billion SIM card IC chips. The federal government, despite its CAC use, gets little credit for being where many private-sector organizations have been reluctant to go.

When used for authentication, an employee’s identity is tied to an organization-deployed smart card, which has an embedded chip capable of storing and presenting cryptographic keys. The card proves possession of its key in a challenge-response exchange, an authentication flow similar to that of a “True Passwordless” login.
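As an added illustration of the challenge-response flow described above (example code written for this post, not code from HYPR or from any smart card product), the following Go program models a relying party that stores a registered public key and an authenticator standing in for the card’s chip, which signs a fresh server challenge. All names are invented, Ed25519 is used in place of the PIV card’s certificate-based credential, and the local PIN or biometric gate on the card is assumed but not modelled.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
)

// RelyingParty is the service being logged into: it holds only public keys plus the one-time challenge most recently issued to each user.
type RelyingParty struct {
	keys       map[string]ed25519.PublicKey // user -> registered public key
	challenges map[string][]byte            // user -> pending challenge, single use
}

func NewRelyingParty() *RelyingParty {
	return &RelyingParty{keys: map[string]ed25519.PublicKey{}, challenges: map[string][]byte{}}
}

// Register stores the public half of the key pair; the private half never leaves the card.
func (rp *RelyingParty) Register(user string, pub ed25519.PublicKey) { rp.keys[user] = pub }

// Challenge issues a fresh random nonce that the authenticator must sign.
func (rp *RelyingParty) Challenge(user string) []byte {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		panic(err) // no entropy: refuse to authenticate rather than issue a guessable challenge
	}
	rp.challenges[user] = c
	return c
}

// Verify accepts a response only if it signs the challenge pending for this user, and consumes that challenge so a captured response cannot be replayed.
func (rp *RelyingParty) Verify(user string, challenge, sig []byte) bool {
	pending, ok := rp.challenges[user]
	if !ok || !bytes.Equal(pending, challenge) {
		return false
	}
	delete(rp.challenges, user) // single use, whether or not the signature checks out
	pub, registered := rp.keys[user]
	return registered && ed25519.Verify(pub, challenge, sig)
}

// Authenticator models the smart card or phone secure element: it holds the private key and signs challenges (the PIN/biometric gate before signing is not modelled).
type Authenticator struct{ priv ed25519.PrivateKey }
func NewAuthenticator() (*Authenticator, ed25519.PublicKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return &Authenticator{priv: priv}, pub
}
func (a *Authenticator) Sign(challenge []byte) []byte { return ed25519.Sign(a.priv, challenge) }
```

No shared secret is ever stored by the relying party, which is the property that distinguishes this flow from a password check.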

The National Institute of Standards and Technology (NIST) reports that 5 million PIV Cards are in use at any given time for access and multi-factor authentication (MFA) to federal resources, including the PIV-I Cards that contractors use. Thales, which manufactures the CAC, reports a comparable figure for that credential: 4.5 million.

Smart-card enforcement is a key building block of passwordless authentication. When enterprises roll out passwordless authentication, they do so by enabling smart-card enforcement at the Windows level. This is something federal agencies have done for years that is now being widely adopted at scale across the private sector for the purpose of eliminating passwords. So, when you think about it, the smartphone is now replacing the smart card.

Biometrics & Multi-Factor Authentication

Building upon the smart card foundation is essential to truly become passwordless — and that’s where biometrics play a role. Just as with the smart card-based authentication mentioned above, our federal government was using biometrics well before the emergence of Touch ID, Face ID and Windows Hello.

In its FY20 report on Major Biometrics & Identity Management Initiatives, the Institute for Defense and Government Advancement (IDGA) breaks down how the federal government will spend billions of dollars on biometric technologies, showing that the federal market certainly has an appetite for alternative solutions to questions of identity and authentication.

The CAC and PIV Cards are photo credentials as well as PKI and certificate-based credentials — and when combined with biometrics, the federal government can marry two well-established technologies to achieve multi-factor authentication (MFA), something the private sector already does with great success.

While the government has been slower to implement newer, cutting-edge MFA, the original multi-factor authentication actually began in the public sector, and only then did American enterprises adopt the new technology. In the federal government, citizens using the novel identity federation website Login.gov are asked to select from among a variety of MFA methods, including SMS/text messages (since deprecated by NIST as insecure), telephone calls, mobile apps (e.g. Google Authenticator), hardware security tokens, or backup codes. The uniformed services and federal civilian employees can also use their CAC or PIV cards.

Where Passwordless Tech is Headed

To move forward with a passwordless vision, the federal government needs to leverage smartphones for MFA, first for employees and later for the public. Smartphones are intrinsically multi-factor security experiences as the device and its features combine possession, knowledge, and inherence factors — and they have all of the CAC/PIV Card features such as integrated circuits and secure elements.

A signal that passwordless is ready for government, and government for it, is the establishment of true passwordless open authentication standards such as those of the Fast Identity Online (FIDO) Alliance, a consortium of technology’s best and brightest who have aligned to reduce our over-reliance on passwords and other shared secrets. In 2015, long before it published a guide for e-commerce MFA recommending FIDO, NIST joined the FIDO Alliance.

(Disclosure: HYPR is a board member of the FIDO Alliance.)

What’s Next for Our Government?

Passwordless login methods come in many different form factors. From Windows Hello and security tokens to Touch ID and Face ID-enabled smartphones, these ubiquitous devices are already in the hands of millions of employees and contractors across the public sector.

The reality is that passwordless authentication by today’s inclusive, legitimate definition has not yet been deployed at scale in our government. In fact, most employees still have many passwords.

But the fundamental building blocks of passwordless MFA have been used in our federal government for decades.

Open standards such as FIDO2 are the sign of a maturing industry and make the larger adopters who resist new technology more comfortable. Just last month the NSA recognized FIDO2 Security Tokens as a key method. In 2021, we’ll see some large enterprise deployments that the government will find hard to ignore. They will be catalysts for many other large enterprise deployments that follow.

We predict our federal government will start combining its comfort with what it knows of passwordless with what it hasn’t yet implemented: smartphones as smart cards, first in the civilian workforce. Time will tell but certainly we already see the signals, precedents, and resources in place to make it happen.

The passwordless devices are already there; now they just need to be used. The next question: which agency will move first?


About the Author

George Avetisov is Cofounder and Chief Executive Officer of HYPR, responsible for strategy and execution of the company’s vision. George sets forth the product and technical direction of the company, architects sales and marketing strategies, and works closely with team leads to build strong company culture. Under George’s leadership, HYPR has grown to become a leading provider of decentralized authentication with millions of users secured across the globe. Named Forbes 30 under 30 in 2018, George brings with him a decade of experience in e-commerce, digital payments, and fraud prevention that have served as the foundation for HYPR’s vision.