NIST's NextGen PIV Card Strengthens Security and Authentication

The National Institute of Standards and Technology (NIST) has updated its technical specifications and guidance for the next generation of "smart" identity cards used by the federal government's workforce. The new specifications add enhanced security features to verify employees' and contractors' identities, as well as new capabilities that work with mobile devices and media such as smart phones.

Federal employees and contractors use Personal Identification Verification (PIV) Cards for secure access to government facilities and computers. The PIV Card features a microchip with the employee's photo, PIN, fingerprint information and other details.

The next generation PIV Card can be used with mobile devices, enabling federal employees to connect securely to government computer networks from such devices. This feature is in addition to the Derived PIV Credential as specified in Guidelines for Derived Personal Identity Verification (PIV) Credentials, issued in December 2014. The card provides stronger identity assurance for federal workers to enter many government facilities and use computers at those locations.

The revised Federal Information Processing Standard 201-2 of 2013 sets the stage for the new generation of PIV Cards by specifying new technologies for the strong authentication credential and provides enhanced support for mobile devices based on lessons learned from federal agencies.

NIST has issued updates to two key documents that lay out the technical details identified in FIPS 201-2 for government PIV Cards:

• Interfaces for Personal Identity Verification (Special Publication 800-73-4), governs the PIV Card's credentials: how the credentials are stored on the PIV Card and how to retrieve and check them. The update provides additional ways to authenticate, or prove, the cardholder's identity. One method, called on-card biometric comparison, helps preserve a cardholder's privacy because the individual's fingerprint data never leave the card. A new specification protects wireless communications between the PIV Card and mobile device when the cardholder uses authentication, signature or encryption services with a mobile device. Another new security feature prevents a cardholder from changing the PIN to one that is too short.
• The revised publication, Cryptographic Algorithms and Key Sizes for Personal Identity Verification (Special Publication 800-78-4), provides the technical cryptographic details needed to maintain the security of the next-generation PIV Card.

The publications are designed for U.S. government agencies to upgrade their PIV Cards, for vendors that make the cards, and for vendors that develop hardware and software to work with the cards.