Entrust to add support for YubiKeys with PIV – Yubico

Today marks an important day for expanding Yubico’s reach to support the growing requirement for Government agencies to issue government credentials beyond Personal Identity Verification (PIV) cards. We are celebrating that our partner Entrust will soon launch support for derived PIV credentials for YubiKeys. Customers will be able to take advantage of YubiKeys with derived PIV credentials using either Entrust’s Managed PKI service or Identity platform. 

Entrust Identity is an integrated IAM (Identity and Access Management) platform that supports a full suite of workforce, consumer, and citizen use cases. YubiKey support is included with Entrust Identity Enterprise. In addition, Identity Enterprise joins Identity as a Service and Identity Essentials as part of the Works with YubiKey program.

With Entrust support for YubiKeys, government agencies will be able to issue YubiKey 5 Series and YubiKey 5 FIPS Series with derived PIV credentials to employees instantly, remotely, and at scale. 

“Extending support of Personal Identity Verification (PIV) for Yubico is a critical requirement for our mutual customers’ success,” stated James LaPalme, VP and General Manager, Identity Business Unit, Entrust. “We are pleased to work with Yubico to help government agencies realize strong purpose-built authentication that is also mobile friendly.”

The United States Federal Government has been issuing strong cryptographic hardware authentication devices to its civilian employees and contractors for more than 15 years. These devices, called PIV cards, combine a strong Public Key Infrastructure (PKI) credential with a robust identity proofing and background check process on a physical smart card. Issuance and use of the PIV card is mandated by a number of laws, regulations, and mandates for all Federal employees and contractors who need to access Federal Government IT systems, applications, and data. As a result of the intensive identity proofing process, the PIV card issuance process provides a strong anchor that can be used to assert an identity. 

Unfortunately, while providing a high level of security, the smart card form factor presents a number of barriers in today’s mobile and desktop environments. Smart cards must be used with a smart card reader during the authentication process, which makes it difficult to use PIV cards to authenticate to portable devices and tablets. Furthermore, external smart card readers add complexity for users and are expensive to deploy and maintain at scale. 

Adoption of the smart card form factor has also been limited for teleworkers, as highlighted by COVID-19: use of employees’ personal devices to access government networks and applications remotely has increased, which requires yet another external smart card reader for users’ personal laptops and desktops. 

To address the above issues, NIST developed guidance around the issuance of Derived PIV credentials in Special Publication 800-157. A derived credential is an alternate credential that is “derived” from the eligibility for a PIV card. To date, these derived credentials are normally PKI certificates stored on mobile devices, but this can present security concerns when they are stored on non-GFE (government furnished equipment) devices that are not actively managed or patched.

Why should derived PIV credentials be on YubiKeys and how can this fit into the recent Biden Executive Order?

Storing a Derived PIV credential on a hardware security key, such as the YubiKey 5 FIPS Series, provides the following important benefits.

  • The private key resides on the YubiKey, a purpose-built external authenticator that is solely focused on authentication and encryption, which minimizes the attack surface.
  • The credential can be generated on the YubiKey, keeping the private key secure, versus generating the credential elsewhere and importing it onto a mobile device.
  • The external authenticator can be validated at a higher authenticator assurance level than offered by a mobile device. The YubiKey 5 FIPS Series is FIPS 140-2 validated Overall level 2, Physical Security Level 3 (Certificate #3914). 
  • The YubiKey with the loaded credential can act as a portable root of trust, enabling remote and teleworking employees and contractors to securely authenticate to government networks and applications via Bring Your Own Approved Device (BYOAD).
  • YubiKey’s latest form factors with USB-C, Lightning, and NFC meet the ‘tap-and-go’ usability needs of mobile users by easily and seamlessly enabling authentication across multiple devices such as desktop computers, laptops, mobile devices, and tablets.
  • YubiKeys don’t require batteries or a network connection, are crush resistant, waterproof, and dustproof, making them ideal for front-line and off-site focused work scenarios. 

We are also extremely excited that this integration with Entrust comes on the heels of our YubiKey 5 FIPS Series launch, which enables our customers to meet the requirements for Authenticator Assurance Level 3 (AAL3) as defined in NIST SP 800-63B. Being secure and compliant has never been easier than with this partnership, and we are confident it will bring a whole new scale of adoption to help secure Federal infrastructure and data.

PIV alternative, PIV derived credentials, and FIDO2

In addition to PIV and derived PIV support in Identity Enterprise, Entrust also supports FIDO2 credentials with Identity as a Service. FIDO2 credentials, similar to PIV, leverage asymmetric cryptography, providing strong hardware-backed authentication. Entrust’s Identity as a Service offering allows users to register a FIDO2 credential that is securely stored on a YubiKey. Using the same YubiKey for both PIV and FIDO2 credentials, integrated into the Entrust Identity platform, provides a wider range of strong authentication across a user’s access landscape, reducing the reliance on weaker forms of authentication.

To learn more about Entrust derived PIV credential issuance with YubiKeys, please contact us and attend our joint webinar “Strong Authentication for U.S. Government Employees” on July 28, 2021, at 11:00 a.m. EST (8:00 a.m. PST).
