Army Authentication Tokens Not Just for Tactical Use
Researchers develop technology no one else knew was needed.
The U.S. Army’s wearable authentication tokens intended for the tactical environment could be used for nontactical purposes, such as accessing strategic-level systems, enterprise networks and medical systems, researchers say.
The Army Futures Command announced last October that it is developing wearable identity authentication and authorization technologies that will enable soldiers to securely access network-based capabilities while operating on the move in contested, threat-based environments. The tokens will essentially contain the same digitized information included in the common access card (CAC), which has served as the de facto, governmentwide standard for network and system security access control.
While CACs work fine in garrison or office environments, they are not operationally suited for use in every environment, Army officials say. First of all, CACs require card readers, which are not necessarily designed for harsh environments, such as deserts, where sand can cause damage. Also, users can forget the cards in the readers when they leave, potentially allowing unauthorized personnel to gain access. Identification and authentication in a tactical environment presents significant challenges, explains Ogedi Okwudishu, who leads tactical public key infrastructure and identity credential and access management research for the Cyber Security and Information Assurance Division, Space and Terrestrial Communications Directorate, within the Command, Control, Communications, Computers, Cyber, Intelligence, Surveillance and Reconnaissance (C5ISR) Center.
Additionally, soldiers often have to use different authentication processes depending on whether they are logging into Windows or Linux systems, classified or unclassified networks. Those processes also can vary depending on the type of system—operating systems, servers, laptops, applications, web services, radios, weapon systems and handheld devices, for example. And different echelons can require different processes as well.
Those issues lead to soldiers taking shortcuts. “All of these complexities made authentication a huge challenge, where soldiers would all use the same password, which we all know is really highly insecure,” Okwudishu says.
To solve the problem, Okwudishu’s team turned to industry. They reviewed 688 different commercial solutions from about 300 different vendors and found not a single one that worked. The researchers realized they were dealing with a problem no one else had attempted to solve and began searching for a solution under the Tactical Identity and Access Management, or TIDAM, program.
“Ogedi talked about how they surveyed the entire commercial world. It turns out that [companies] don’t really have this use case and have not developed technology specifically for this use case,” says John Howard, who leads the Soldier Identification Project.
The TIDAM program has since transitioned to the Soldier Identification Project under the Program Executive Office (PEO) Soldier, which aims to rapidly deliver technologies and solutions for warfighters. The program executive office envisions a future in which soldiers are connected with so much electronics and communications technology they essentially become a system of systems requiring cybersecurity for each individual.
Specifically, the researchers are working with the project manager for the Integrated Visual Augmentation System, or IVAS. In the meantime, the directorate is developing a wearable authenticator software provisioner that will enable the secure placement of credentials on the wearable tokens and the ability to do so “locally” at the brigade level or below.
Although the technology is tackling the toughest possible challenge—identification and authentication in a tactical environment—the technology will likely not be limited to combat systems, Howard indicates. “Our sponsors at PEO Soldier will be able to say they are solving this in the most difficult environment, but our intention is to make sure that it’s not a point solution for that tactical environment. It’s something that can be used everywhere. And they really do believe and take the responsibility to make sure that the technology can be used everywhere, and they believe it will be used everywhere,” he asserts. “What we’re actually intending to do is to tackle the most difficult problems, which is the dismounted individual soldier in the field and then provide technology that can be used across the entire Army enterprise, from tactical all the way up to the strategic level.”
He cites the PEO for Office Enterprise Information Systems as one organization expressing interest. “They do the high-level enterprise systems. They use the common access card for access to do that, so, they don’t have the drive like we do for tactical, but they’ve made it absolutely clear to us that if we solve this, if we figure out how to do this, they’re going to use it.”
He reports that the Defense Manpower Data Center that issues the CAC also is interested. Additionally, the technology could benefit the medical community. “A doctor going around a Veterans Affairs hospital being able to have a wearable authenticator, not a smart card—of course they want to use it.”
Okwudishu agrees that interest has been widespread. Some, including organizations from the other military services, came calling after reading the original Army announcement. “We’ve talked to other groups and services who reached out,” she says, adding that some are eager to evaluate and critique the prototypes. “A lot of them are waiting for the prototypes to come out to see what this will look like and what it will do.”
Because industry has not yet addressed the challenge, the Army researchers are developing prototypes themselves. They envision soldiers approaching a system and receiving a prompt from the system to verify their identities and then another prompt to use either a personal identification number or a biometric signature to log in. They also could be automatically logged out again as soon as they walk away.
The formal name for the prototypes is Wearable, Wireless, Public Key-based Authentication Token. But rather than attempt a tortured pseudo-acronym such as W2-PKAT, Army officials have decided to go with the sensible “wearable token” as a shortened version of the name.
The prototypes will integrate public key infrastructure encryption found in CACs with wireless payment technologies similar to those developed by Google and Apple for mobile devices. The toughest challenge, the part no one has yet tackled, involves securing the wireless connection before the soldier actually authenticates.
“The big technical challenge for the project is how to make that secure, wireless connection. That’s really what the project’s about,” Howard explains. “When we started the project, we were not sure we could actually technically do it. We’ve been working for a while on trying to solve those technical problems, and we believe at this point that we have solved them. We’re much more confident in this project now.”
The plan is to develop government prototypes for the technologies at the heart of the token, seek soldier feedback and perhaps next year turn to industry for a final solution. “We decided to do a series of government prototypes to work through the technical issues. And then we’re going to hand all of that information over to the commercial world and ask them to produce something—prototypes that would actually work in the tactical environment,” Howard adds.
The government prototypes will use Bluetooth, which Howard says is more secure than many people might believe, along with government-developed technology. “We’re looking at having multiple versions of the wearable authenticator, government-produced. We’re not only going to be using Bluetooth, but we’re going to be using other wireless technology that’s being produced by C5ISR. We’ll bring that in. It’s going to take us a little while to incorporate that,” Howard elaborates.
Okwudishu emphasizes that the tokens ultimately will save the Army time and money. That’s because tactical platforms will not need to be retrofitted with specialized equipment to read new identity authentication technologies. Retrofitting would be costly, but is not necessary because the wearable tokens use existing communication and protocol capabilities, Okwudishu pointed out.
Both Okwudishu and Howard also stress the benefits of being able to distribute the tokens at the brigade level or potentially lower. A soldier in need of a new CAC, or one who just needs to reset the personal identification number for the CAC, has to travel to a Real-Time, Automated Personnel Identification System (RAPIDS) facility. There are only about 500 around the world, Howard estimates, and the procedure calls for a background check and various other requirements so the process is not as quick as the RAPIDS acronym implies.
The wearable tokens, on the other hand, are only given out after the soldier receives a CAC, so the background check and other requirements will have already been met. “You already have a common access card. Once we know that, we can give you a wearable authenticator. But the wearable authenticators are intended to be distributed in the field and provisioned in the field. So, the unit at least to the battalion level…will have a provisioner and a boxful of these wearable tokens,” Howard states.
Army officials have said they would like to field the tokens in the 2022 fiscal year, but Howard indicates the actual schedule is “as quickly as possible.”
The timing, he notes, will depend largely on the PEO Soldier office and Army Futures Command. “We’re working for an organization—C5ISR is part of Futures Command—and the project is being funded by PEO Soldier. They’re a no-nonsense bunch. They want to field this technology immediately,” he says. “The intention is to do what it takes in order to get this fielded as soon as possible.”