It seems that these NIST researchers agree that "badges" and "computer access credentials" are, from a distribution point of view, probably an ideal "combo", while actual usage may often point in another direction. E.g., USB is standard equipment in personal computers while dedicated card readers are not.

Some other comments on this very interesting report.
A mobile device may also be "personal"
The report builds on the [implicit] assumption that mobile devices are deployed in the same way as traditional computers. This is often the case, but there is also a growing class of users (including myself) for whom the mobile device is actually "personal", even when used in a professional context. In this case, the mobile device may also function as the "second factor" in a two-factor authentication scheme.

In such scenarios where the mobile device indeed is personal, the need for a removable card becomes less obvious. This opens the possibility of exploiting built-in TPMs (Trusted Processor Modules) as an alternative to adding external smart cards.
A TPM is in fact already a part of Intel's PXA270x processor line featured in Dell Axim PDAs. However, this TPM is currently disabled, but it is mainly due to the fact that Microsoft have not yet integrated TPM support in Windows Mobile.
A major advantage of TPMs is that they can host virtually any number of credentials as well as simultaneously supporting different authentication technologies ranging from One Time Passwords (OTPs) to PKI. TPMs can also support hard disk encryption, making device loss and theft considerably less dramatic.
New life for PIV
Does all this invalidate PIV? Not at all, but PIV may long-term become more important for authentication to the CA for generation and distribution of additional PIV "clones" than as a primary logical access token.
Regards,
Anders Rundgren
Member, TrustedComputingGroup / Mobile