Certificate-Based Authentication for Okta PIV Cards

Jake Ludin Education

Certificate-Based Authentication for Okta PIV Cards

Efficiency is the name of the game when operating a wireless network. Designing every facet of the network with the user experience in mind will result in a streamlined system that works well for all that require access.

A wrench in overall efficiency is authenticating to the many web applications that an organization’s users require access to. Traditionally, web app authentication requires a unique and complex set of credentials to ensure only those with approved access can log in.

Unfortunately, this creates a situation where users are burdened with remembering several sets of credentials and leads to security risks and a poor user experience. An identity management company like Okta enables the use of one set of credentials to access each web app within the network, but this efficiency can be taken a step further by configuring users to authenticate with certificates.

PIV-Okta Credential-Based Authentication

Okta accomplishes this efficient authentication to web apps through the use of PIV, Personal Identity Verification. Each organization user is distributed a physical smart card configured with identifying information that is used for authentication. When accessing a web app, the user is prompted to provide the PIV card and it is authenticated if they are an approved user. For protection against theft or losing the card, many choose to use Multi-Factor Authentication and require a PIN number to access the card.

Each PIV card is associated with a set of Okta credentials to connect the card with the identity of the user. When configuring the PIV card for the first time, the user will enter their credentials to confirm their identity in the Okta identity management program. Once approved and configured, the card will be associated with that set of credentials.

After completing the configuration, each web app associated with the Okta identity management is quickly accessible to the user. They no longer have to memorize a unique password for each application; they simply open the application, display or insert the PIV card, and enter their PIN number. But even with the use of the PIV card, credential-based authentication is still an insecure process compared to certificate-based authentication. Can PIV smart cards be equipped with certificates for secure authentication?

PIV Supports Certificates

Attempting to manual configure PIV cards for certificates is known to be a complex process that isn’t user-friendly. The configuration process requires many steps and a high-level of IT knowledge to understand what each setting entails. It’s simply not feasible to expect the average network user to complete the process accurately on their own. Additionally, transferring the task to IT can be a momentous in scale, especially for a large organization with hundreds of users.

The certificate onboarding solutions offered by SecureW2 allow users to easily self-configure their PIV card in a few simple steps. Once configured, certificates can be set to expire years later, in contrast to credentials which must be updated every few months to ensure the safety of the network. And unlike credentials, certificates cannot be stolen and reused by any other person. Credentials can be used for access by any person that knows the username and password, while certificates are specifically tied to the identity of that particular user.

Configuring PIV Smart Card Application Authentication in Okta

The process to configure an organization’s PIV cards in Okta for certificate-based web app authentication is a non complex process and requires only a few steps to complete. Below we have detailed the process into the basic steps needed to complete the configuration:

  1. Begin by downloading the Certificate Chain from the Certificate Authority that issues certificates to the PIV cards
  2. Add the Identity Provider and specify the attributes that will be used to identify users
    • Determine the user attribute the certificate should use to identify the Okta user
    • Select the attributes to match the user against in the Identity Provider (ex. User email or Okta username)

The organization is now configured to distribute certificates to PIV cards and correctly identify Okta users when authenticating.

The process of manually enrolling certificates on PIV cards is an involved and mistake-prone process, especially if left for network users to complete. The process requires high-level IT knowledge to understand and presents many opportunities to misconfigure. To ensure every PIV card is accurately configured, many organizations utilize SecureW2’s JoinNow MultiOS onboarding software for streamlined configuration.

The JoinNow solution allows users to self-configure by completing only a few steps designed to simplify the user experience. The process is designed to enforce PIN and PUK requirements that can enroll certificates for any major OS by requesting users to provide identity context with their Okta credentials. Once completed the PIV card can be used for a number of authentication processes, including web application authentication. For more in-depth context, review our Yubico integration page for a look into the configuration process with SecureW2.


By providing PIV smart cards protected with certificate authentication, an organization is able to offer security without compromising efficiency. Certificate-based authentication protects against over-the-air attacks and prevents a user’s identity by being exploited by another. The ability to automatically authenticate several web applications with a single PIV card vastly improves the user experience and ensures your network is authenticating securely and accurately.

 


Learn About This Author

Jake Ludin