Years of action movies showing airtight security involving retinal scans and the like have conditioned us to hope for the best. This week, the US National Institute of Standards and Technology (NIST) is doing its part by issuing an updated version of the standard specification for Personal Identification Verification (PIV) cards that federal employees and contractors use to enter government facilities or log on to federal computer systems.
Nods to mobile security and stronger biometrics are the main changes.
Close to 5 million cards have been issued to date, based on the old standard developed in 2005. That required all PIV cards to contain an integrated circuit chip for storing electronic credentials and protected biometric data – fingerprint specifics and, optionally, a photograph.
The revised Federal Information Processing Standard (FIPS) 201-2 capabilities include: a derived PIV credential option for use in mobile devices such as mobile phones and tablets for improved security; optional on-card fingerprint comparison capability that offers additional privacy because the reference data never leaves the card; use of a person's iris pattern as an optional biometric; alone or in conjunction with fingerprints, for stronger authentication; secure messaging through a protected channel between cards and readers as an option; and remote updating of a card's credentials to save the time and cost of the cardholder traveling to an issuer site.
The specification of the optional iris biometric is based on the ISO/IEC 19794-6 Iris Biometric Standard published in 2011. NIST expects the FIPS 201-2 spec to serve other iris-based authentication uses cases beyond the PIV program. The on-card fingerprint comparison, meanwhile, can be used as an alternate to the personal identification number in use today.
Biometrics are playing an increasing role in security, access control, and identity management. Fingerprints are often used in conjunction with passwords for computer security, NIST explained.
Overall, the hope is to create a stronger authentication credential that combines new technology with lessons learned from federal agencies, NIST said. Existing cards don’t have to be replaced; but going forward any new cards will incorporate the new standards.
"Offering a strong credential provides better identity assurance as to who you are," said Hildegard Ferraiolo, a NIST computer scientist who co-authored the FIPS 201-2 document, in a statement. "The standard can be updated every five years, if needed, and agencies wanted to incorporate their years of experience in a fresher revision."