The National Institute of Standards and Technology issued a draft of FIPS 201-2, the revised smart card specification for government employees. Comments on the draft will be accepted through early April.
The revised standard includes changes to biometrics and other authentication mechanisms for physical access control. PKI at the door has long been discussed as an option for PIV and this standard would seem to embrace that.
Card issuers would require an asymmetric card authentication key for the credentials. “The card authentication key—and certificate—are currently optional,” says Bob Fontana, president at Codebench. “This allowed millions of cards to be issued that can’t be used at door readers because they lacked the necessary authentication components. As FIPS 201-2 compliant PIV and PIV-I cards begin to proliferate and replace expiring FIPS 201-1 cards, this problem will solve itself.”
The draft also paves the way for new biometrics. Match-on-card biometrics, where the identifiable information never leaves the card, is added as an authentication mechanism. Also, iris images can be used when reliable fingerprint images cannot be captured, the draft states.
There are also revisions to a section of the original standard that would enable inclusion of other applications. This may allow agencies to add other secure applications, such as transit or payment, to the PIV credentials. The U.S. Department of Defense is an advocate of adding both of these apps to the IDs.
While the additions seem positive, there are concerns in the industry that a revised standard could delay current deployments, says one industry source.