
Federal ID Credential Security Standard Strengthens Authentication, Extends To Mobile Devices

From NIST Tech Beat: September 5, 2013


Contact: Evelyn Brown
301-975-5661

The National Institute of Standards and Technology (NIST) has issued an updated version of the standard specification for the Personal Identity Verification (PIV) Card that federal employees and contractors use to enter government facilities or log on to federal computer systems.

Government employees use PIV cards for facility access.
Credit: Gray/NIST

The revised Federal Information Processing Standard (FIPS) 201-2, Personal Identity Verification (PIV) of Federal Employees and Contractors, provides a stronger authentication credential that combines new technology, including enhanced support for mobile devices, and lessons learned from federal agencies.

"Offering a strong credential provides better identity assurance as to who you are," explains Hildegard Ferraiolo, a NIST computer scientist who co-authored the document. "The standard can be updated every five years, if needed, and agencies wanted to incorporate their years of experience in a fresher revision."

The original FIPS 201 document from 2005 required all PIV cards to contain an integrated circuit chip for storing electronic credentials and protected biometric data—fingerprint specifics and, optionally, a photograph.

The FIPS 201-2 revision includes adaptations to changes in the environment since the original FIPS 201. It does not require existing cards to be replaced. Close to 5 million cards have been issued to date.

New FIPS 201-2 capabilities include:

  • derived PIV credential option for use in mobile devices such as mobile phones and tablets for improved security;
  • optional on-card fingerprint comparison capability that offers additional privacy because the reference data never leaves the card*;
  • use of a person's iris pattern as an optional biometric, alone or in conjunction with fingerprints, for stronger authentication*;
  • secure messaging through a protected channel between cards and readers as an option; and
  • remote updating of a card's credentials to save the time and cost of the cardholder traveling to an issuer site.

The new version, FIPS 201-2, Personal Identity Verification (PIV) of Federal Employees and Contractors, is available at http://www.nist.gov/manuscript-publication-search.cfm?pub_id=914530.

The specification of the optional iris biometric is based on the ISO/IEC 19794-6 iris biometric standard published in 2011. These specifications can serve other iris-based authentication use cases beyond the PIV program. The on-card fingerprint comparison may be used as an alternative to the Personal Identification Number currently in use. More information on these options can be found in the recently published Biometric Data Specifications for Personal Identity Verification (NIST Special Publication 800-76-2). This publication is one of several that provide guidance to support FIPS 201.

Technical details for FIPS 201-2 PIV cards are published in a draft special publication, Interfaces for Personal Identity Verification (3 Parts) (NIST SP 800-73-4). A draft of a new Special Publication 800-157 on derived PIV credentials for mobile devices is being prepared.

*NIST Special Publication 800-76-2, Biometric Specifications for Personal Identity Verification, is available at www.nist.gov/manuscript-publication-search.cfm?pub_id=914224.