Using PIV Cards for every Business

Personal Identity Verification (PIV) is an interesting standard. It emerged after September 11, 2001 in the United States as a means to increase security and the overall quality of identity management for Federal Government employees (first responders in New York were difficult to identify at the time). It covered a bunch of business processes, but it also defined a new standard for smartcards. Much of that was visual standardisation so cards looked the same across every branch of Government, but it also brought in technical specifications that fixed a lot of woes for anyone setting up smartcards in corporate environments.

As is often the case with standards coming out of the United States government, most of us outside the USA don't actually care about the standard and everything it requires, but our IT infrastructure still naturally supports it. Microsoft added support for PIV smartcards around the Windows Vista era, and it's still in every version of Windows today.

Why PIV Cards are Important

PIV fixed the most annoying part of trying to integrate smartcards - it got rid of the "middleware" part. With non-PIV cards, you typically need to install some piece of software onto the workstation you're integrating to enable it to communicate with the card. Sure, you can roll that software out easily to every workstation and server, but now your infrastructure has a new dependency on that software, and if it doesn't work on newer versions of Windows or alternative platforms like thin clients - well, you'd better hope the company that made it is ready to send you an update.

By getting rid of middleware, PIV smartcards are automatically supported pretty much everywhere they need to be. Plug a PIV card into any Windows machine, and any certificates installed on it are immediately available for logging on to VPNs, the desktop itself, web servers, remote desktop sessions, and much more. Take that same card to someone else's infrastructure, and it will still work.

Yubico did what I consider the smartest move with their YubiKey product line - they installed a smartcard capability into the YubiKey, and loaded a PIV applet into that smartcard. In most cases people don't even realise the PIV applet is there on the device as they're just using the OTP and FIDO authenticators, but it's there and it's ready to go.

Aren't smartcards dead technology?

I've seen organisations shudder at the thought of implementing smartcards today. The memory of trying to roll them out back in the early 2000s or even 2010s still haunts them, struggling with all of the integration problems that came up. Non-PIV cards were significantly cheaper than PIV cards at the time, so most customers picked them and then ground through the integration part, spending hundreds of thousands of dollars beyond their budgets as their project timelines slid. And as with a lot of big integration projects, blame is nearly impossible to attribute to one single person, so everyone involved just decides to pretend it never happened.

With a foul taste in their mouth from smartcards, along came OTP, SMS, U2F, and push notifications that solved all the organisation's MFA problems - often without them realising too, as some internal cloud team would set up Microsoft cloud services and naturally just enable the Microsoft Authenticator app for use without asking.

Smartcards never died though - they've only gotten easier to work with if you keep it simple. Smartcards aren't the mechanism for multi-factor authentication; the certificates installed on them are. With ever-growing threats and ever-growing connectivity to the internet for corporate services, the value of certificates is only going up. They can meet far more needs than just authentication, giving the ability to protect network connections, encrypt data, and authenticate to physical systems like buildings. Just look at how massive Let's Encrypt is today.

You'll be hard pressed to find a product on the market that doesn't support certificate authentication, and thus effectively supports PIV cards. If there's a way to present the PIV card and its certificates to a system, then you've got an easy integration point.

PIV Issuance: The Hard Part

Whilst PIV smartcards are supported everywhere, there still remains a core problem - PIV cards don't just issue themselves to employees, you need some mechanism to actually configure them for use. Standards like FIDO U2F try to fix this problem by taking issuance out of the equation, but that doesn't work as well for businesses.

The PIV standard actually addresses issuance too - but unless you're a US Government agency you really don't want to try to follow that model. There is a ton of separation of duties for identity documentation checking, making the whole thing expensive and cumbersome (typical of US Government process). It's better to just keep it down to a few easy steps:

  1. Identify who you're going to give the PIV card to.
  2. Issue them a PIV card.
  3. Give them the PIV card, either by handing it to them while they're sitting next to you issuing it, or sending it out to them in the mail.

Identifying who to give PIV cards to

This is easy today - I would wager if you're running IT for a company, then you've got Active Directory. Congrats - you have a means of attaching people's identities to PIV cards.

Issuing PIV cards

This can be extremely expensive, or it can be extremely cheap. If you pick a full-blown PIV standardised issuance tool, then you're probably going to drop a few hundred thousand to get into the position to issue PIV cards. Usually these expensive tools are providing the full standardised workflow of PIV, in addition to actually configuring the cards, so if you're a US Govt agency you probably need this.

But for everyone else, all you need assurance of is (a) that the PIV card is configured for use, and (b) that you can manage it if you need to later. If you're using actual PIV smartcards, i.e. the credit card-sized piece of plastic with a chip in it, then you might want something that can print on those too. Printing cards is a whole extra world of fun, but there are decent tools out there today that come with card printers. In fact, I'd recommend decoupling the electronic issuance from the printing process, so you get more options and flexibility. Organisations get scared by decoupled processes, as they think 50 staff will be needed 24/7 to handle the bulk issuance process during the initial rollout, but that's rarely the case in reality - don't prematurely optimise.

Distributing PIV cards

In the past offices were small and you could just give everyone their PIV card when they arrived on Monday after you turned on MFA over the weekend. But better Internet connectivity and global pandemics are shifting the workforce - a lot of people are working from home, and they need MFA tokens now more than ever.

Different products offer different tools for distributing tokens. Never lose sight of the real goal though - all you need to do is get the token into the hands of the user, without any risk of it being compromised on the way. Smartcards by design have already handled this situation, as once they're configured and ready for use then they can just be sent to the user in any form of mail, even just regular post - as long as you don't send the PIN for the card along with it. If someone intercepted the PIV card, they've got 5 attempts to try to guess the PIN before the card is hardware locked, so you can be certain it's only going to get used by the intended user and tampering is obvious.

Integrating PIV Cards

So you've gotten past the first hurdle - you've bought some PIV cards, issued them out to your employees, and they've all got them and ready to go. What now?

Now you can start enabling MFA everywhere:

  • Enable MFA for your VPN - Cisco AnyConnect, VMware Horizon, Citrix StoreFront, Microsoft Remote Access, and more all support certificate-based authentication.
  • Enable MFA for your Cloud services - usually I recommend using ADFS to do this, as I would wager you're already using it if you're a large enough business - if you've got ADFS set up for Certificate MFA, then you can just point all your internal apps to use it as an Identity Provider instead.
  • Enable MFA for your Web Applications - if you've got internal web applications inside your business, if they're running on IIS or Apache then you've got out-of-the-box tools for enforcing certificate-based authentication.
  • Enable MFA for your Windows Servers - you can do this for servers by enforcing at the machine level in group policy, or you can do it at the user account level. Usually I suggest setting it for machines, as the user account setting can have some unintended side effects.
  • Enable MFA for your Windows Desktops/Laptops - this is done in the exact same manner as the servers, but if you're really up to date with the latest and greatest tech you can even use them with Windows Hello for Business and ADFS.
  • Enable MFA for your Linux Servers/Desktops - yep, PIV cards work here too, but you might need to install some extra pieces (it's never quite a plug-and-play experience in the *nix world).
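
The Windows server and desktop items above can be piloted on a handful of machines before touching anything else. This is an added example, not from the original post: it sets the machine-level "Interactive logon: Require smart card" policy (the ScForceOption registry value) on placeholder pilot hosts, checks it, and shows the per-user alternative together with the side effect that makes it riskier. It assumes the ActiveDirectory RSAT module and domain admin rights; host and user names are placeholders.

```powershell
# Added example (not from the original post). Pilot smart card enforcement
# on a few Windows servers first, then widen the scope one system at a time.
$PilotServers = @('APP01', 'APP02')   # placeholder pilot hosts

# Machine-level: "Interactive logon: Require smart card" is stored as the
# ScForceOption DWORD under the System policies key. A GPO scoped to the
# pilot servers is the usual delivery; this writes the same value directly.
$PolicyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Set-SmartCardRequired {
    param([string[]]$ComputerName)
    Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        param($Key)
        New-ItemProperty -Path $Key -Name 'ScForceOption' -Value 1 `
            -PropertyType DWord -Force | Out-Null
    } -ArgumentList $PolicyKey
}

function Test-SmartCardRequired {
    param([string[]]$ComputerName)
    Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        param($Key)
        $v = (Get-ItemProperty -Path $Key -Name 'ScForceOption' `
              -ErrorAction SilentlyContinue).ScForceOption
        [pscustomobject]@{ Computer = $env:COMPUTERNAME; SmartCardRequired = ($v -eq 1) }
    } -ArgumentList $PolicyKey
}

Set-SmartCardRequired  -ComputerName $PilotServers
Test-SmartCardRequired -ComputerName $PilotServers | Format-Table -AutoSize

# User-level alternative: the "Smart card is required for interactive logon"
# flag on the account. Side effect: when the flag is set, the domain
# controller replaces the account's password with a random value, so any
# service or script still authenticating with that user's password breaks.
Import-Module ActiveDirectory
Set-ADUser -Identity 'jdoe' -SmartcardLogonRequired $true   # placeholder user

# Audit which accounts already carry the flag; handy when rolling out in waves.
Get-ADUser -Filter 'SmartcardLogonRequired -eq $true' -Properties SmartcardLogonRequired |
    Select-Object SamAccountName, Enabled, SmartcardLogonRequired
```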

A huge reason I see MFA projects fail is that they try to tackle the entire corporate network in one go - they realise MFA is essential, and then simultaneously try to integrate it with everything at once, or for every user at once. Panic ensues, critical systems break, and then the fear of breaking things takes over and the project stalls. And the MFA software vendor is happy, as they still made the sale.

Don't make it complicated: issue the tokens to everyone first, and then start enforcing MFA on individual systems one by one. For servers you can designate a small number to enforce it on first and let some admins start bumping into the smartcard requirement. They'll grumble and have problems, but after a couple of uses they'll have it figured out.

Then for web apps, it's super easy if you use ADFS - simply define app-specific policies for MFA enforcement. Pick an app that isn't used much, go through the user grumble stage, and then move on to the next one.

Users are going to be bad at it to begin with. They'll forget PINs, they'll lock their cards, they'll leave their tokens at home. Don't overthink it and try to account for every possible user story - they'll learn from their mistakes. Look at office printers - most people just figure out how to operate them by blundering through, despite all the money wasted on training and help content, and there's usually someone on the floor who shows people what to do if they get stuck, because they were the first person to try the printer and figured it out.

Small and Large Businesses

I titled this article with every business for a reason - you don't need to be an office with hundreds of staff to get the value out of PIV cards. Big cumbersome PIV issuance tools are totally out of the price range for small businesses, but there is a cheap way to integrate PIV: YubiKeys.

I alluded to them earlier when talking about how Yubico installed PIV applets onto YubiKeys - I think these are currently one of the best devices for securing small businesses. They're affordable, last for years and years, support multiple MFA protocols, and are ultra cheap to configure compared to other PIV cards. Upfront they are definitely more expensive than credit card-style PIV cards, but you make the savings everywhere else in managing them. To manage them, you have a few options:

  • Use Yubico's YubiKey Manager tool - this is free and provided by Yubico, just be sure you take care with the configuration, as forgetting to configure admin keys and PINs can leave your devices open to compromise. Or, if you lose those admin keys, you may not be able to recover a user's device if they lock their PIN.
  • Use Signata Enterprise - yeah, I've gotta plug it somewhere here. This is a company blog after all. Signata lets you issue out YubiKeys to all of your Active Directory users, loading them with certificates from your own internal PKI, and all the admin keys for your devices are encrypted and saved so you can manage your issued devices easily. Think of it like the business management capability that the YubiKey Manager tool is missing.
  • Use any of the other tools that are part of the Works with YubiKey program. There are a bunch of products that have added support for PIV issuance of YubiKeys, including full PIV compliance for the US Govt - I've used a few of them in the past (hit me up if you want my opinions on them).
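
The first option above carries the caveat about default admin keys and PINs. This added example (not from the original post, and not part of Yubico's YubiKey Manager) shows what "taking care with the configuration" looks like with the ykman command line: it rotates a factory-fresh YubiKey's PIV management key, PUK and PIN off their documented defaults, records the management key and PUK against the device serial so a locked PIN can be recovered later, and hands the PIN back for delivery to the user by a separate channel. It assumes ykman.exe is on PATH, one key is plugged in, and the escrow path is a placeholder for a proper secrets store.

```powershell
# Added example (not from the original post or from Yubico). Rotates a
# YubiKey's PIV applet off the factory defaults and escrows what an admin
# needs later. Assumes ykman.exe on PATH and a single YubiKey attached.
$DefaultPin  = '123456'
$DefaultPuk  = '12345678'
$DefaultMgmt = '010203040506070801020304050607080102030405060708'

function Get-RandomBytes {
    param([int]$Count)
    $b = New-Object byte[] $Count
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($b)
    return $b
}

function New-RandomHex    { param([int]$Bytes)
    (Get-RandomBytes -Count $Bytes | ForEach-Object { $_.ToString('x2') }) -join '' }
function New-RandomDigits { param([int]$Length)
    (Get-RandomBytes -Count $Length | ForEach-Object { $_ % 10 }) -join '' }

function Initialize-PivApplet {
    param([string]$EscrowPath)   # placeholder; use a real secrets vault
    $serial  = ((& ykman info | Select-String 'Serial number:') -split ':')[1].Trim()
    $newMgmt = New-RandomHex    -Bytes 24   # 24-byte management key
    $newPuk  = New-RandomDigits -Length 8
    $newPin  = New-RandomDigits -Length 6

    # Management key first: a device left on the default key lets anyone
    # holding it rewrite the certificates, which is the exposure the post warns about.
    & ykman piv access change-management-key --management-key $DefaultMgmt --new-management-key $newMgmt
    & ykman piv access change-puk --puk $DefaultPuk --new-puk $newPuk
    & ykman piv access change-pin --pin $DefaultPin --new-pin $newPin

    # Escrow management key and PUK keyed by serial so a locked PIN can be
    # reset later. The PIN is deliberately not stored here.
    [pscustomobject]@{ Serial = $serial; ManagementKey = $newMgmt; Puk = $newPuk } |
        Export-Csv -Path $EscrowPath -Append -NoTypeInformation

    return $newPin
}

$userPin = Initialize-PivApplet -EscrowPath 'C:\placeholder\piv-escrow.csv'
Write-Host "Deliver this PIN to the user separately from the key: $userPin"
```

Passing secrets as command-line arguments is visible to process listings on a shared admin box; if that matters, omit the --pin/--puk/--management-key values and let ykman prompt for them interactively.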

If you go down the path of picking a big PIV issuance tool product, just be sure to keep an eye out for hidden costs. They'll start saying things like "yeah, it's only $2 per device managed!", and then throw in extra costs per instance of web server, instance of app server, instance of database server, per test instances, per user, per token, per year, custom features, local support, and so on. Big software vendors don't like YubiKeys that much as they last a really long time and are reusable, so they try to make sure you keep paying elsewhere with other spurious fees. One of my favourite gouging tactics is seeing "project management" fees for custom features being added to products by the vendor. Another is artificially time-limiting tokens, so the clock is ticking as soon as you make the purchase, even if your project isn't due for rollout for 6 months in the future.

Whatever path you take to set up MFA, I implore you to look at PIV smartcards with YubiKeys. With Signata Enterprise you don't need to spend a fortune rolling them out to users, and you'll find PIV cards meet the majority of your MFA needs immediately. If you're using YubiKeys, I'd wager the minority of systems that PIV smartcards can't work with will still be supported by the other protocols the YubiKeys offer (e.g. PIV card logon to the Windows laptop and VPN, and then FIDO U2F to a corporate cloud service).

We built Signata Standalone edition too, to let you manage all of your YubiKeys from inside your network with no cloud connectivity - a lot of customers I've worked with like this model, especially if they're working with classified material or have users in sensitive roles. Check it out today - we're getting very close to our cloud service launch too!

Timothy Quinn

Managing Director of Congruent Labs