Derived credentials, beefed up contactless, post-issuance updates added
The latest smart card specification for U.S. government employees was released by the National Institute of Standards and Technology. Federal agencies will have 12 months to issue cards that comply with the revised standard.
As expected, FIPS 201-2 will enable derived PIV credentials on mobile devices as well as a virtual contact interface that expands the functionality of the contactless portion of the card, says Hildegard Ferraiolo, a computer scientist in the Computer Security Division, Cryptographic Technology Group at NIST.
The derived credential specification will be detailed in a special publication due out soon, Ferraiolo says. At a high level, the derived credential will enable an agency to place a type of PIV credential on a mobile device so the user can access enterprise applications, virtual private networks and other resources.
The virtual contact interface will play a role with mobile devices as well. This interface will enable some of the contact functionality of the credential on the contactless interface. A special publication detailing this portion is being circulated as a draft.
One possible use for this could be tapping a PIV onto an NFC mobile device to gain access to secure networks and services, Ferraiolo says. “It’s taking advantage of the NFC channel,” she explains. “The virtual contact interface will protect that channel if it’s used with the mobile device.”
FIPS 201-2 mandates that the cardholder’s facial image be placed on the smart card, Ferraiolo says. The facial image could then be used at guard checkpoints and for automatic comparison when reissuing credentials. Facial images were an option in the previous specification.
The spec also offers iris biometric and match-on-card fingerprints as additional authentication options.
The new spec also enables post-issuance credential updates, Ferraiolo says. Agencies had run into problems because digital certificates stored on the card would expire before the card itself did, and post-issuance updates were not enabled.
FIPS 201-2 also lessens reliance on the Cardholder Unique Identifier (CHUID) and puts the focus on the Universally Unique Identifier (UUID), which will bring PIV and PIV-I closer together.
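Two of the points above, the certificate-expiry problem that post-issuance updates address and the shift of emphasis from the CHUID toward the UUID, can be illustrated with one small parser. The Python below is an added example, not code from the article or from NIST: it decodes the CHUID's TLV elements using the tag values from NIST SP 800-73 as the writer of this example remembers them (FASC-N 0x30, GUID 0x34, expiration date 0x35, issuer asymmetric signature 0x3E, error detection code 0xFE; confirm against the current revision before relying on them), extracts the UUID and the card's expiration date, and flags a card whose certificate expires before the card does. The CHUID bytes are constructed, the signature element is a zero-filled placeholder, and verification of the issuer signature is deliberately left out.

```python
import uuid
from datetime import date

# CHUID data-element tags per NIST SP 800-73 (from memory; verify against the
# current revision). Tags are one byte; lengths are BER short or long form.
TAG_FASC_N = 0x30      # 25-byte FASC-N
TAG_GUID = 0x34        # 16-byte UUID (RFC 4122), the identifier FIPS 201-2 emphasises
TAG_EXPIRATION = 0x35  # 8 ASCII bytes, YYYYMMDD
TAG_SIGNATURE = 0x3E   # issuer asymmetric signature (CMS); not verified in this example
TAG_EDC = 0xFE         # error detection code, zero length


def parse_tlv(data: bytes) -> dict:
    """Parse a flat run of single-byte-tag BER-TLV elements into {tag: value}."""
    fields = {}
    i = 0
    while i < len(data):
        tag = data[i]
        i += 1
        if i >= len(data):
            raise ValueError("truncated TLV: tag without length")
        length = data[i]
        i += 1
        if length & 0x80:  # long form: low seven bits give the number of length bytes
            n = length & 0x7F
            if n == 0 or n > 2 or i + n > len(data):
                raise ValueError("unsupported or truncated length encoding")
            length = int.from_bytes(data[i:i + n], "big")
            i += n
        value = data[i:i + length]
        if len(value) != length:
            raise ValueError("truncated TLV: value shorter than declared length")
        fields[tag] = value
        i += length
    return fields


def chuid_uuid(fields: dict) -> uuid.UUID:
    """Return the card UUID from the GUID element; reject a missing or all-zero GUID."""
    raw = fields.get(TAG_GUID)
    if raw is None or len(raw) != 16:
        raise ValueError("CHUID has no 16-byte GUID element")
    if raw == bytes(16):
        # Older PIV cards could carry an all-zero GUID; FIPS 201-2 expects a real UUID.
        raise ValueError("GUID element is all zeros: no UUID present")
    return uuid.UUID(bytes=raw)


def chuid_expiry(fields: dict) -> date:
    """Return the card expiration date from the YYYYMMDD expiration element."""
    raw = fields.get(TAG_EXPIRATION)
    if raw is None or len(raw) != 8:
        raise ValueError("CHUID has no YYYYMMDD expiration element")
    text = raw.decode("ascii")
    return date(int(text[:4]), int(text[4:6]), int(text[6:8]))


def needs_post_issuance_update(card_expiry: date, cert_not_after: date) -> bool:
    """True when a certificate on the card expires before the card itself does."""
    return cert_not_after < card_expiry


def check_card(chuid: bytes, cert_not_after_iso: str) -> dict:
    """Summarise one card: UUID, card expiry, and whether its certificate needs renewal."""
    fields = parse_tlv(chuid)
    card_expiry = chuid_expiry(fields)
    cert_not_after = date.fromisoformat(cert_not_after_iso)
    return {
        "uuid": str(chuid_uuid(fields)),
        "card_expiry": card_expiry.isoformat(),
        "cert_not_after": cert_not_after_iso,
        "needs_post_issuance_update": needs_post_issuance_update(card_expiry, cert_not_after),
    }


# Constructed sample CHUID (not a real card): FASC-N filler, a version-4 UUID,
# an expiration date, a zero-filled placeholder signature, and an empty EDC.
SAMPLE_CHUID = (
    bytes([TAG_FASC_N, 25]) + bytes(range(25))
    + bytes([TAG_GUID, 16]) + bytes.fromhex("123456789abc4def80123456789abcde")
    + bytes([TAG_EXPIRATION, 8]) + b"20260131"
    + bytes([TAG_SIGNATURE, 0x81, 130]) + b"\x00" * 130   # placeholder, exercises long-form length
    + bytes([TAG_EDC, 0])
)

if __name__ == "__main__":
    # Constructed certificate expiry that falls before the card expiry above.
    print(check_card(SAMPLE_CHUID, "2025-06-30"))
```

The comparison in `needs_post_issuance_update` is the inventory check an agency would run across its issued cards: every card it flags is one that, without post-issuance updates, would have had to be reissued early. Real deployments also validate the 0x3E issuer signature before trusting any of the parsed fields.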