Department of Defense far from adopting biometrics for identity and access management
The Department of Defense is currently re-assessing and updating its Identity and Access Management (IdAM) strategy to improve its overall network access security without making the authorization process more difficult for authorized users, according to a report by C4ISR & Networks.
“We’ve looked at a number of different solutions, from biometrics to different kinds of encryption; there’s a whole spectrum of solutions out there,” said Michael McCarthy, director of operations and program manager for the Army’s Brigade Modernization Command.
But even with its significant progress in researching next-generation IdAM technologies, the DoD is expected to continue using its current common access cards (CACs) and personal identity verification (PIV) cards with laptop and desktop PCs for a considerable length of time.
Meanwhile, the Defense Information Systems Agency (DISA) is currently using next-generation mobile security programs, including the Defense Department Mobile Unclassified Capability for managing unclassified smartphones and the Defense Mobile Classified Capability program to approve secret and top-secret classified smartphone communications.
“The creation of these programs allows industry to develop working mobile device solutions capable of meeting the stringent security requirements for mobile device access to DoD enterprise networks, because they have published government security standards/specifications,” said Tony Crawford, director of C4ISR solutions for IT services provider CACI. “This saves time and money both for industry and the government client; ensures security controls are considered during the entire systems engineering process; and reduces systems development to fielding timelines to keep pace with a very dynamic operational environment.”
Despite biometric technologies being used as viable IdAM methods in other areas of the government, the DoD is still considerably far from approving biometric-based IdAM specifications or guidelines.
“We have looked at those technologies, but they’re not quite ready for prime time,” McCarthy said. “It’s possible that as the technology improves we might move to biometrics, because then we will be able to do multiple levels of authentication on a single device.”
“Biometrics may play a critical role with derived credentials as an additional factor of authentication, especially with people complaining that a derived credential on its own is not an adequate form of two-factor authentication,” said Eugene Liderman, public sector product management director for mobile security company Good Technology.
Liderman added that while biometric technology could “layer in nicely” to serve as an additional authentication factor, its adoption will depend on “whether policy will allow biometrics or prohibit it”.