Personal Identity Verification (PIV) is a NIST FIPS 201-2 security standard that establishes a framework for multi-factor authentication (MFA) using a smart card. Put simply, PIV is a multi-factor authentication solution that covers the entire identity lifecycle, from identity proofing to secure credential issuance, physical access, and secure credential expiration.
In a single line, Personal Identity Verification is an identity management framework.
The United States federal government ordered the production of a common identity credential in 2004. It was originally designed only for the US federal government but is now widely used in commercial applications. The reason for its widespread adoption is the standard’s high-assurance identity proofing and its ability to use multi-factor authentication for security purposes such as preventing fraud and improving privacy.
PIV Key Features
PIV is an excellent choice for businesses that must adhere to government regulations or work in highly regulated areas.
- Identity proofing
- Lifecycle management
- Advanced use cases
- Physical/IT system access
Personal Identity Verification (PIV) Card
A personal identity verification (PIV) card is a smart card issued by the United States government that contains the information needed to provide access to federal facilities and information systems and to ensure acceptable levels of security for all federal applications. A PIV card has unique technologies that security reader systems can use for various purposes. FIPS establishes precise standards for these cards, including cryptographic methods to encrypt sensitive data and types of security, such as passwords and biometric systems, to validate cardholders’ identities. Other characteristics, such as four mandatory cryptographic keys and their key sizes, are also specified in the PIV card guidelines.
PIV Card Features
The PIV card encrypts data and validates identity to ensure:
- Integrity: only the card owner can change the data stored on the card.
- Confidentiality: only the cardholder can read and access the data stored on the card.
- Authenticity: the source of the data on the card is guaranteed.
- Non-repudiation: data originating from the card cannot be falsified.
With the PIV card, you can be more confident that all electronic communications, data storage, and retrieval are better secured.
Information Stored in PIV Card
A PIV Card Application must include seven mandatory interoperable data elements and two conditionally mandatory data objects. The seven mandatory elements are:
- Card Capability Container
- Card Holder Unique Identifier
- X.509 Certificate for PIV Authentication
- X.509 Certificate for Card Authentication
- Cardholder Fingerprints
- Cardholder Facial Image
- Security Object
If the cardholder possesses a government-issued email account at the time of credential issuance, two further data objects are required:
- X.509 Certificate for Digital Signature
- X.509 Certificate for Key Management
PIV Authentication Mechanisms
The primary objective of the PIV Card is to verify the cardholder’s identity with a system or person in charge of regulating access to a protected resource or facility. Various combinations of one or more of the validation processes outlined below may be used to achieve this aim.
Card Validation
Card validation is the procedure for ensuring that a PIV Card is genuine. Card validation mechanisms include:
- visual inspection of the PIV Card’s tamper-proofing and tamper-resistant characteristics,
- use of cryptographic challenge-response schemes with symmetric keys, and
- use of asymmetric authentication schemes to validate private keys embedded within the PIV Card.
Credential Validation
Credential validation is the procedure for authenticating the PIV Card’s various forms of credentials. Credential validation mechanisms include:
- visual inspection of the PIV Card’s visual elements,
- verification of the certificates on the PIV Card,
- verification of the signatures on the PIV biometrics, and
- checking the expiration date and revocation status of the credentials on the PIV Card.
Cardholder Validation
Cardholder validation is the procedure for confirming that the PIV Card is in the possession of the person to whom it was issued. Cardholder validation mechanisms include:
- presentation of the PIV Card by the cardholder,
- matching the visual characteristics of the cardholder with the photo on the PIV Card,
- matching the PIN provided with the PIN on the PIV Card, and
- matching live fingerprint samples provided by the cardholder with the biometric information embedded within the PIV Card.
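The following Go program is an added example, not code from the article or from NIST, that walks through the two mechanisms a relying party can check without a human in the loop: credential validation (certificate chain, validity window, revocation status) followed by asymmetric card validation (a signature over a fresh nonce, proving the private key is inside the card). Everything here is constructed for the demonstration: SimulatedCard stands in for the card chip, a self-signed certificate stands in for one issued by a federal CA, and the Revoked set stands in for a CRL or OCSP lookup.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// SimulatedCard plays the part of the PIV Card chip: it holds the private key and
// only ever hands out signatures, never the key itself (constructed stand-in).
type SimulatedCard struct {
	priv *ecdsa.PrivateKey
	Cert *x509.Certificate // the card's X.509 Certificate for PIV Authentication
}

// NewSimulatedCard generates a P-256 key pair and a self-signed certificate with the
// given validity window. Real PIV certificates come from a federal CA; self-signing
// keeps the example offline.
func NewSimulatedCard(notBefore, notAfter time.Time) (*SimulatedCard, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "CONSTRUCTED PIV Authentication cert"},
		NotBefore:    notBefore,
		NotAfter:     notAfter,
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &priv.PublicKey, priv)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &SimulatedCard{priv: priv, Cert: cert}, nil
}

// SignChallenge is the card's half of the asymmetric challenge-response.
func (c *SimulatedCard) SignChallenge(nonce []byte) ([]byte, error) {
	digest := sha256.Sum256(nonce)
	return ecdsa.SignASN1(rand.Reader, c.priv, digest[:])
}

// Verifier is the relying party (door controller, workstation logon, ...).
type Verifier struct {
	Roots   *x509.CertPool
	Revoked map[string]bool // serial numbers known revoked; stands in for CRL/OCSP
	Now     time.Time
}

// NewVerifier trusts one certificate as a root and starts with nothing revoked.
func NewVerifier(trusted *x509.Certificate, now time.Time) *Verifier {
	pool := x509.NewCertPool()
	pool.AddCert(trusted)
	return &Verifier{Roots: pool, Revoked: map[string]bool{}, Now: now}
}

// NewChallenge returns a fresh 32-byte nonce; a nonce is used once, so a captured
// response cannot be replayed against a later challenge.
func NewChallenge() ([]byte, error) {
	nonce := make([]byte, 32)
	_, err := rand.Read(nonce)
	return nonce, err
}

// Authenticate runs credential validation (chain, validity window, revocation) and
// then card validation (signature over our nonce). Any failure rejects the card.
func (v *Verifier) Authenticate(cert *x509.Certificate, nonce, sig []byte) error {
	opts := x509.VerifyOptions{
		Roots:       v.Roots,
		CurrentTime: v.Now, // enforces NotBefore/NotAfter on every cert in the chain
		KeyUsages:   []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	if _, err := cert.Verify(opts); err != nil {
		return fmt.Errorf("credential validation failed: %w", err)
	}
	if v.Revoked[cert.SerialNumber.String()] {
		return errors.New("credential validation failed: certificate revoked")
	}
	pub, ok := cert.PublicKey.(*ecdsa.PublicKey)
	if !ok {
		return errors.New("card validation failed: unexpected public key type")
	}
	digest := sha256.Sum256(nonce)
	if !ecdsa.VerifyASN1(pub, digest[:], sig) {
		return errors.New("card validation failed: challenge signature does not verify")
	}
	return nil
}

func main() {
	now := time.Now()
	card, err := NewSimulatedCard(now.Add(-time.Hour), now.Add(24*time.Hour))
	if err != nil {
		panic(err)
	}
	v := NewVerifier(card.Cert, now)
	nonce, _ := NewChallenge()
	sig, _ := card.SignChallenge(nonce)
	fmt.Println("valid card:", v.Authenticate(card.Cert, nonce, sig))
	v.Revoked[card.Cert.SerialNumber.String()] = true
	fmt.Println("revoked card:", v.Authenticate(card.Cert, nonce, sig))
}
```

The order matters: the certificate is checked before the signature, so an expired or revoked credential is rejected even when the card still signs correctly, and a correct certificate with a signature over a stale nonce is rejected because the relying party only accepts a response to the nonce it just issued.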
Two additional credentials have been defined to take advantage of the infrastructure created by the federal government’s PIV program, but neither has seen significant adoption.
PIV-I (Personal Identity Verification – Interoperability)
PIV-I is a version of PIV that follows the same criteria as PIV. It was proposed because the US federal government needed a way to manage the identities and access of guest users.
- Unlike PIV, no background checks are required, which directly impacts the level of suitability for access.
- Follows Federal Bridge cross-certification certificate policies.
- Origin: Federal CIO Council.
CIV (Commercial Identity Verification)
CIV is a separate credential based on the PIV architecture, the main distinction being that its requirements are less stringent.
- Follows the issuing organization’s policies.
- Trusted credentials only within the issuing organization.
- Origin: Smart Card Alliance Access Control Council
Personal Identity Verification (PIV) is a framework used to validate identity. It was originally designed for the US federal government but is now widely used. The key features of PIV include identity proofing and lifecycle management, among others. A PIV card is a smart card issued by the US federal government that is used for validation purposes. It provides properties such as confidentiality, integrity and non-repudiation, and stores basic personal information. To protect the PIV card, several authentication mechanisms are used, namely card validation, credential validation and cardholder validation. With increasing use cases, alternatives to PIV have emerged, namely PIV-I and CIV, but they are yet to be widely adopted.