PIV credentials can now be used with mobile devices
Connecting state and local government leaders
The latest revision of FIPS 201, which sets the requirements for PIV cards, includes credentials for mobile devices and new interfaces to enable access with contactless connections.
Standards for the Personal Identity Verification Card issued to government workers and contractors have been updated to accommodate the increased use of mobile devices in the workplace and the growing variety of functions that the cards can access.
The changes, included in latest version of the Federal Information Processing Standard for PIV Cards (FIPS 201-2), allow the creation of electronic credentials derived from PIV cards in a variety of form factors for use with mobile devices. The PIV card itself will continue to be in the standard smart card format and include biometric data as well as digital certificates for signing and authentication.
PIV cards now are in the hands of most federal workers and contractors, although supporting authentication systems for physical and computer system access still are being developed and implemented.
“This Standard specifies a PIV system within which a common identity credential can be created and later used to verify a claimed identity,” states the document, which was finalized Sept. 5. “The standard also identifies federal government-wide requirements for security levels that are dependent on risks to the facility or information being protected.”
The standards now allow a virtual contact interface for contactless connection, making it possible for the cards to be used with wider variety of devices. The standards also include the ability to issue electronic credentials derived from PIV cards. These credentials can be loaded onto mobile devices that do not have PIV card readers and used to verify identity when accessing government IT systems. When a PIV card is terminated, any derived credentials also are terminated.
Iris recognition and on-card fingerprint matching are new optional features in the standard for biometric authentication. Recent studies by NIST have found that iris features remain constant enough over time to meet the requirement the biometric features remain stable for 12 years.
One electronic feature of PIV, the Cardholder Unique Identifier, or CHUID, has more limited use under the new standards. This number is intended to be used to identify a specific card, but can only be used for access to functions at the lowest security level, which require little or no assurance of the identity of the cardholder. Because the CHUID does not meet NIST requirements for electronic authentication at Level 2 (some confidence of identity), the CHUID authentication mechanism has been “deprecated.”
“Deprecated features may continue to be used, but should be phased out in future systems since the feature will likely be removed in the next revision of the standard,” the document explains.
Although the authentication mechanism is deprecated, inclusion of the CHUID data element remains mandatory it the card.
The maximum life of a PIV card is extended from five to six years, and space is set aside on the physical card for orientation markers that can be used for compliance with Section 508 of the Rehabilitation Act, which requires that the cards accommodate persons with disabilities.
Creation of an interoperable smart ID card to be used for logical and physical access control was mandated in 2004 under Homeland Security Presidential Directive 12. The standards for the card are spelled out in FIPS 201 and technical specifications for implementation are published by the National Institute of Standards and Technology in its 800-series of special publications.
PIV standards initially were released in 2005 and updated in 2006. The current version was created as part of a regular five-year review and incorporates suggestions made on draft versions released in 2011 and 2012. The latest version supersedes FIPS 201-1. Replacement cards must implement new mandatory features within 12 months.