By Marisa Torrieri, Contributing Editor
Now that federal agencies are invested in the planned government-wide issuance of highly secure, interoperable smart card IDs, actually implementing the new system remains the biggest practical and technological hurdle.
“The card is only the first stage,” says Randy Vanderhoof, executive director of the Smart Card Alliance. “There’s a whole other phase – accessing the physical access control systems and integrating the smart card into the logical security and PKI infrastructure that many of the agencies operate.”
Many of last year’s hurdles revolved around learning how to implement FIPS 201, the technological specification developed by the National Institute of Standards and Technology. The standard is the backbone of the new Personal Identity Verification (PIV) smart cards. It is the synthesis of many different technological components: physical access, logical access, biometrics and PKI, among others.
While the technical standards for the first mass implementation are pretty much set for the first round of PIV cards, getting the cards into use for physical access control in a timely manner poses a big challenge.
Curt Barker, chief of the computer security division at NIST, attributes this to the magnitude of the project, which involves making changes to old physical access systems and making sure the cards and systems are interoperable among agencies.
“The major hurdle right now is that there are a large number of what we call legacy cards – transition cards that are not yet interoperable with fully FIPS-compliant cards,” says Mr. Barker. “A lot of card readers handled an older technology that simply passed a numeric value that was 10 digits long. One of the challenges is accelerating the transition so that access to sites can be granted using PIV cards in the near term. The migration from the transition cards like the DOD card and the endpoint card is something people are working on pretty hard. When you have a lot of equipment that’s currently in place that can’t read the new cards, it takes time and money to replace.”
Smart card developers are keeping other concerns on their radar screen, namely possible future revisions of FIPS 201.
Walter Hamilton, chairman of the board of the International Biometric Industry Association, highlighted an ongoing issue – whether to allow reading of the PIV cards’ biometric fingerprint data via the contactless interface, or to continue to require the use of contact readers and PINs when accessing the biometric data.
The issue is an especially large source of contention for the maritime industry’s Transportation Worker Identification Credential (TWIC), which is used in ports. Maritime professionals are concerned that the PIV standard will not work in the maritime environment because of throughput, forgotten PINs, and the need for outdoor readers that should be sealed against the effects of weather and airborne dust.
“The current implementation of biometrics in FIPS 201 in general raises some issues of specific restrictions of the PIV card itself when used for biometric authentication,” says Mr. Hamilton. “The issues currently relate to the physical access applications, where you need to move volumes of people. Entering a PIN number seems to us to be overkill and an unnecessary inconvenience when you have strong biometric authentication.”