NIST verifies wireless PIV technology
- By Dan Campbell
- Apr 08, 2008
Scientists at the National Institute of Standards and Technology have verified that fingerprint identification technology for use in Personal Identification Verification (PIV) cards meets NIST standards for security, data transfer speed and accuracy.
The technology improves the process of authenticating the identity of federal employees who access a biometrically controlled facility by eliminating the need for the employees to insert PIV cards into a card reader. The new approach uses a match-on-card technique that allows the biometric data to be read and verified wirelessly.
'The work that was done was to show that you can cryptographically secure a wireless transmission, which is not necessary with contact cards,' said Patrick Grother, a NIST scientist who worked on the accuracy measurement portion of the studies.
In its recent work, NIST considered match-on-card technologies in which fingerprint data is wirelessly transferred from the reader to the card for matching. This method, which helps avoid identity theft in the event of a lost or stolen card, differs from existing PIV specifications, which move data from the biometric card to the fingerprint reader for wireless verification.
NIST used two criteria for acceptance: first, to ensure that the wireless transaction was secure and could be completed within 2.5 seconds and, second, to ensure that the match-on-card verification error rate was consistent with the current match-off-card methods.
Several types of cards met NIST's requirements by performing the encryption, data transfer and decryption process within the specified time. There were mixed results on the accuracy tests, with a portion of the smart cards meeting the requirements. More tests are pending.
A simple benefit of the system is the lifespan of the biometric cards. The swipe process can 'cause contact cards to wear out, whereas wireless cards avoid that issue,' said Grother. 'Contactless is preferred by many in the industry, but if you do wireless you might have to secure the wireless communications. It's all about technical trade-offs.'
Additionally, some find the process of inputting a personal identification number cumbersome. This is no more apparent than when someone forgets their PIN, which delays their entry to a facility.
Existing PIV systems were developed to meet Homeland Security Department Presidential Directive 12 (HSPD-12), issued in August 2004, which requires a governmentwide standard for secure and reliable forms of identification issued by the federal government to its employees and contractors. The directive calls for the identification to be 'strongly resistant to identity fraud,' to be rapidly authenticated electronically, and to protect personal privacy.
In response to HSPD-12, NIST developed the Federal Information Processing Standard 201, which specifies the PIV requirements for federal employees and contractors.
Grother cautions that the testing is 'just the technical feasibility' of satisfying HSPD-12 while complying with FIPS 201. 'It is one necessary component, but there are institutional, bureaucratic and procedural steps as well.'
'FIPS 201 is the NIST standard. To do match-on-card you would have to change FIPS 201, which requires consultation across the government. That will take time and will be carefully deliberated.'
Dan Campbell is a freelance writer with Government Computer News and the president of Millennia Systems Inc.