Public Key Infrastructure (PKI), in the early days of the Internet, was touted as the most secure way to authenticate users, devices, and documents. IT decision makers began to investigate, and many articles were written then, quite suddenly, there was a large media backlash against PKI.
Julian Lovelock, Senior Director, ActivIdentity (part of HID Global) explains: “It was a sledge hammer used to kill a fly. It was arbitrarily complex and required labour-intensive key ceremonies with other organisations to deliver some features such as encrypted or digitally-signed email. It was overly complex for mere mortal IT professionals, and surely there were simpler methods of authentication such as OTP that enterprises could use. PKI became almost an IT bogeyman!” stated Julian Lovelock.
“But then a funny thing happened. First, PKI was adopted by governments and powerful credential management software (CMS) was created to automate much of the credential issuance, update and revocation process,”
“Ecosystem vendors such as Microsoft, Juniper, and Cisco built PKI support into their offerings. CMS software eventually made its way into appliances that could provide a much simpler “sweet spot” PKI solution for “closed-loop” PKI (Issuer and Authenticator are part of the same organisation hence greatly reducing the number of parts in the system),” continued Julian.
“Secondly, security threats began to attack aspects of the most common OTP (e.g., the recent breaches against security vendors and government agencies), causing enterprises to wonder what better authentication methods are out there.”
Today, PKI is getting a second look. Many people still have a knee-jerk suspicion that PKI was designed to make them feel stupid, but modern closed-loop PKI managed by an appliance does just the opposite. New CMS appliances make it so IT doesn’t even have to understand PKI to deploy a military-grade smart card solution.
Julian Lovelock continued: “In retrospect, as an Internet Meme, PKI suffered from hype before the tools were in place to manage it, and from security experts getting over excited and describing the ultimate PKI solution possible, even though few Enterprise users needed some of the more esoteric, complex and labour-intensive features. When PKI vendors got carried away educating users about every possible use case, they turned potential users off of the most high-value, low-cost use cases,”
"If I were to tell you I could give you a device that you just plugged into your PC, it worked like an ATM card and gave you secure access to PCs, networks, cloud applications, and VPNs, you would probably think, "Hey that sounds easier for users than clunky OTP tokens, how do I get that?" This is not your father's PKI!" concluded Julian.