DOD approves new mobile security credentials

The Defense Department has taken another step toward wider use of mobile devices with the approval of security credentials for Android, Apple and Microsoft devices used by vendors and other DOD partners.

DOD has issued External Certificate Authority for Personal Identity Verification-Interoperable (PIV-I) credentials from Operational Research Consultants, a subsidiary of WidePoint, making ORC the first company to receive approval for the credentials, according to a company release.

The credentials can be used around the world by more than 40 million contractors, trading partners and others for secure access to some DOD information systems, the company said.

Approval of PIV-I credentials represents a step toward DOD’s goal of seamless mobile authentication, but the PIV-I credentials won’t replace Common Access Cards for admittance to the full range of DOD systems. In a 2010 memo directing DOD partners, installation commanders and facility coordinators to accept approved PIV-I credentials, the Pentagon said they could be used for access to websites, Web portals and applications but not for direct access to DOD networks such as the unclassified NIPRNet or the classified SIPRNet. They also cannot be used for physical access control where electronic ID systems aren’t in place. In both those cases, CAC authentication is still required.

DOD has been expanding its use of mobile devices for years, though the pace of the transition has been slowed by security concerns. Smartphones and tablets can use attached CAC readers, but those are considered to be clunky and impractical. Ultimately, DOD wants to use derived credentials—hardware or software tokens on a device—and/or some form of biometrics for authenticating mobile devices.

Meanwhile, PIV-I credentials would fill a void for private-sector partners, allowing for secure, interoperable authentication for a large population of users.