Latest PIV Standards Integrate MobilityFIPS 201-2 Provides Biometric Options for Stronger Authentication
New personal identity verification standards issued by the National Institute of Standards and Technology could make it easier for individuals to access sensitive files on secured IT systems from their mobile devices.
NIST says its revised guidance, Federal Information Processing Standards 201-2: Personal Identity Verification of Federal Employees and Contractors, furnishes a stronger authentication credential that combines new technology and incorporates lessons learned from federal agencies.
"Offering a strong credential provides better identity assurance as to who you are," says Hildegard Ferraiolo, a NIST computer scientist who co-authored the document.
Although NIST guidance is created for federal government agencies, it often is adopted by other governments - in the U.S. and abroad - as well as private-sector organizations.
Listening to Government Agencies
Under FIPS 201-2, mobile devices, such as smart phones and tablets, can be programmed with the revised standards.
Until now, departments and agencies faced limits on how employees could log in to their networks using mobile devices. For instance, mobile devices would need an attached reader to capture the PIV credentials. "Such solutions are not always practical or desired by federal agencies and departments," Ferraiolo says.
NIST, responding to requests from departments and agencies, developed the new PIV credential to reside on the mobile device, making it easier to authenticate services from mobile devices that access enterprise resources and portals. "The ability to authenticate to enterprise portals via the mobile device increases security," she says.
The revised guidance provides another way for personal identification information on a PIV card to be transferred to mobile devices. The standard also allows for a virtual contact interface, which uses near-field communications to establish radio contact between a PIV card and mobile device that are in close proximity, usually no more than a few inches. "In order to protect these credentials," Ferrailo says, "we specified a secure channel, so that the communication between the card and reader is protected and cannot be leaked."
The revised guidance describes a derived PIV credential option for use in mobile devices, such as smart phones and tablets, for improved security. A derived credential is based on proof of possession of a token associated with previously issued credentials.
Taking a Lead Role
Randy Vanderhoof, executive director of the Smart Card Alliance, an industry group that promotes smart-card technology, says mobile devices, with the proper chips, offer many of the same authentication features as those found in PIV and other smart cards.
"NIST is taking a lead role in helping trying to define that migration to mobile devices that can occur in a secure and interoperable way," Vanderhoof says.
Other new features in the revised guidance include:
- Optional fingerprint comparison capability on identification cards that offers additional privacy because the reference data never leaves the card;
- Remote updating of a card's credentials to save the time and cost of the cardholder traveling to an issuer site.
Nearly 5 million PIV cards have been issued to federal workers and contractors. The ID cards give them access to government facilities and IT systems, usually by swiping the card through a reader. In a year, new employees will receive PIV cards that use the revised FIP 201-2 standards. Replacement cards for current employees and contractors will be issued only when their cards expire or have been reported lost or stolen.
As technologies mature, what was once optional is now being required under the revised standard. With FIPS 201-2, agencies must incorporate asymmetric card authentication, digital signature and key management in their newly issued PIV cards. But agencies have the option to incorporate newer technologies, such as iris recognition capability and fingerprint biometrics, on future PIV cards.