Modern authentication for the modern naval war fighter

Using the Common Access Card (CAC) for authentication is not practical or possible for every U.S. Navy employee, contractor, mission partner and Reservist. Guidance such as the National Security Memorandum/NSM-8, and more importantly, cyber attacks from nation-states to criminal organizations have mandated the DoD to deploy phishing-resistant authentication as part of a Zero Trust Architecture and created requirements to modernize authentication across the entire Department of Defense (DoD).

While CAC meets the highest assurance of MFA when using DoD Public Key Infrastructure (PKI), there are a growing number of scenarios that have the same assurance requirements where CAC is not available or practical. These scenarios include secure access for telework, BYOAD (Bring Your Own Approved Devices), non-CAC eligible coalition and mission partner environments, air-gapped/isolated networks, and tactical scenarios overseas where relying on a CAC may inadvertently reveal identities. For example, CAC reader support for mobile phones or tablets is limited or non existent, and teleworking with a CAC reader leaves the device open to potential malware.

There is a growing need for cost-effective, turnkey solutions to address the needs of today and future-proof against the authentication needs of tomorrow—including those currently under policy review by the DoD such as Fast Identity Online (FIDO) authentication standards.

Securing telework & BYOAD

Supporting teleworkers and BYOAD using the CAC creates complexity. While password-based authentication may simplify remote access, relying on single-factor authentication does not cater to zero trust security and phishing-resistant authentication requirements.

The YubiKey works with leading Identity and Access Management (IAM) and Identity Provider (IdP) solutions to enable phishing-resistant access for remote and hybrid employees without the need for supporting devices. In cases where remote and hybrid workers are sent GFE devices, the YubiKey can be used as a portable root of trust to ensure the device hasn’t been compromised en route.

Most Navy Reservists are not issued dedicated government furnished laptops/PCs or mobile phones to conduct official business. More and more, Reservists have to rely on personally owned devices to access Navy resources and services. The Navy has deployed amazing new capabilities such as Flank Speed 365 and Nautilus Virtual Desktop that make it easier for service members to access these services from home, but are still reliant on a CAC and a separate CAC reader. These readers are not always compatible with mobile devices and there have been cases of malware found in CAC readers. With a YubiKey, Reservists would be able to take advantage of a YubiKey with Purebred derived certificates to securely authenticate to Navy resources on any of their personal devices.

Securing privileged users

Ensuring secure phishing-resistant user access to classified, secret and personal information is critical for those privileged users that cannot use the CAC to authenticate. The YubiKey offers the highest-assurance alternate authentication that can be used to authenticate privileged users to both legacy and modern applications. The YubiKey’s hardware design enables the authentication secret to be stored on a secure hardware chip that cannot be copied or stolen, offering the highest security for authenticating privileged users. The YubiKey can be used for step-up authentication for high-security applications.

DoD O365 tenant admins cannot use their primary DoD credentials to authenticate for daily tasks and maintenance. Microsoft Azure supports the enrollment of a YubiKey as a FIDO2 authenticator. Admins are able to quickly enroll a YubiKey for their privileged user roles to meet phishing-resistant authentication requirements. A YubiKey as a FIDO2 token uses public/private keypairs, bound to the tenant URL, to ensure strong authentication is met.

Securing shared devices & workstations

Government workers that use shared workstations and shared devices such as tablets, can benefit from using the YubiKey as a portable root of trust for secure authentication They can authenticate to the network using the trusted smart card credential on their YubiKey, proving they are a trusted user.

A single YubiKey works across multiple shared devices including desktops, laptops, mobile, tablets, and notebooks, enabling users to utilize the same key as they navigate across devices. YubiKeys are also easily re-programmed, making them suitable for rotating-shift and temporary users across these environments.

The use of shared workstations and mobile devices are increasingly common across the Navy. By affording a pool of resources for maintainers, aviators, and crew, the Navy can lower the total cost of ownership of devices. However, shared devices still have the challenge of supporting multiple users, each requiring DoD credentials for authentication. By shifting the storage of the credentials from the device to a hardware-based authenticator, like a YubiKey, each individual can be issued a security key for authentication on any of the shared devices. Users do not have to worry about grabbing the right devices matching their stored soft credentials.

Securing mission partners

Coalition and Five Eyes (FVEY) mission partners use PKI credentials to authenticate to DoD systems, but are not always CAC-eligible. YubiKey is a solution that is managed at the unit level to support access to the data needed to conduct a mission, supporting strong, phishing resistant authentication for mission partners at the tactical edge.

A YubiKey, as a multi-protocol authenticator, provides flexibility and personalization to coalition networks that require DoD credentials for mission partners. Coalition networks can generate and manage local credentials, provision them to a YubiKey, and issue them to mission partners requiring access to DoD resources within a respective Area of Responsibility. This will ensure that only locally issued credentials can be used for authentication within the respective Combatant Command network. Additionally, options are available for the type of managed credentials—tactical PKI supports certificate-based credentials while other Identity Credential and Access Management (ICAM) components can issue FIDO2 credentials. Both types of credentials meet phishing-resistant authentication requirements.

Securing office workers

The Navy’s deployment of Azure Virtual Desktop (AVD), Nautilus, has been welcomed with open arms by Active and Reserve service members. Active Duty service members can easily use the YubiKey for access to AVD regardless of the device being used to connect. Having a provisioned YubiKey offers flexibility to use both an office desktop and personal laptops for access to AVD, providing a strong productivity workflow for daily tasks. The YubiKey comes in multiple form factors and can be used across desktops, laptops, and mobile devices without the need for an additional smart card reader peripheral device.

Securing non CAC-eligible users

Non-CAC eligible personnel such as dependents, contractors and other users that require 3rd party access still require secure access to U.S Navy systems. To meet these needs,the DoD approved the YubiKey as one of three alternate MFA solutions when PKI is infeasible—a FIPS 140-2 validated alternative to the CAC that allows non-CAC personnel or personal non-GFE devices in a BYOAD environment to securely authenticate to DoD networks.

Securing SCIFs & air-gapped networks

Air-gapped networks are closed off from the outside, making it difficult to authenticate users using data sent over a network. Many air-gapped systems still use a username and password or a combination of passwords and a digital identity. YubiKeys ensure that air-gapped networks stay secured against breaches by providing phishing-resistant MFA that works well in isolated network and mobile restricted environments as they don’t need any network connectivity, cellular connection, or batteries to work. YubiKeys are compatible with Cross Domain Solution (CDS) and Multi-Level Security (MLS), and users can be authenticated without transfer of information.