Security News

The Seamless Framework For Personal Identity Verification

Last updated on

Read time: 7 minutes

Personal Identity Verification (PIV) is a NIST FIPS 201-2 security standard that establishes a framework for multi-factor authentication (MFA) using a smartcard. In simple words, PIV (Personal Identity Verification) can be stated as a multi-factor authentication solution that covers the entire identity lifecycle from identity proofing to secure credential issuance, physical access, and secure credential expiration.

In a single line, Personal Identity Verification is an identity management framework.

History

The United States federal government ordered the production of a common identity credential in 2004. It was originally designed only for US federal government but is now widely used in commercial applications. The reason behind its widespread usage is the standard’s high-assurance identity proofing and ability to use multi-factor authentication for security purposes such as preventing fraud, improving privacy, etc.

PIV Key Features

PIV is an excellent choice for businesses that must adhere to government regulations or work in highly regulated areas.

  • Identity proofing
  • Lifecycle management
  • Advanced Use cases
  • Physical/ IT System Access

Personal Identity Verification (PIV) Card

A personal identity verification (PIV) card is a smart card issued by the United States government that contains the information needed to provide access to federal facilities and information systems and ensure acceptable levels of security for all federal applications.A personal identification verification card has unique technologies that security reader systems can use for various purposes. FIPS establishes precise standards for these cards, including cryptographic methods to encrypt sensitive data and types of security, such as passwords and biometrics systems, to validate cardholders’ identities. Other characteristics, such as four mandatory cryptographic keys and key sizes, are also specified in the PIV card guidelines.

PIV Card Features

PIV card encrypts data and validates identity to ensure

  1. Integrity: It means only the card owner can change the data present inside the card.
  2. Confidentiality: It represents only the cardholder can read and access the data present on the card.
  3. Authenticity: It guarantee’s the source of data present.
  4. Non-Repudiation: It means there can’t be any false data.

With the PIV card, you may be more confident that all electronic communications, data storage, and retrieval will be more secured.

Information Stored in PIV Card

A PIV Card Application must include seven mandatory interoperable data elements and two conditionally obligatory data objects.Seven Mandatory elements consist of:

  • Card Capability Container
  • Card Holder Unique Identifier
  • X.509 Certificate  for PIV Authentication
  • X.509 Certificate for Card Authentication
  • Cardholder Fingerprints
  • Cardholder Facial Image
  • Security Object

Whereas, If the cardholder possesses a government-issued email account at the time of credential issuance, two data objects are required:

  • X.509 Certificate for Digital Signature
  • X.509 Certificate for Key Management

PIV Authentication Mechanisms

The primary objective of the PIV Card is to verify the cardholder’s identity with a system or person in charge of regulating access to a protected resource or facility. Various combinations of one or more of the validation processes outlined below may be used to achieve this aim.

Card Validation

This is the procedure for ensuring that a PIV Card is genuine. Card validation mechanisms include:

  • visual inspection of the PIV Card’s tamper-proofing and tamper-resistant characteristics
  • use of cryptographic challenge-response schemes with symmetric keys and,
  • use asymmetric authentication schemes to validate private keys embedded within the PIV Card.

Credential Validation

This is the procedure for authenticating the PIV Card’s numerous forms of credentials. Credential Validation mechanisms include:

  • visual inspection of PIV Card visual elements
  • verification of certificates on the PIV Card
  • verification of signatures on the PIV biometrics
  • Checking the expiration date and revocation status of the credentials on the PIV Card.

Cardholder Validation

This is the procedure for confirming that the PIV card is in possession of the person it was issued. Cardholder Validation mechanisms include:

  • presentation of a PIV Card by the cardholder
  • matching the visual characteristics of the cardholder with the photo on the PIV Card
  • matching the PIN provided with the PIN on the PIV Card and,
  • matching the live fingerprint samples provided by the cardholder with the biometric information embedded within the PIV Card.

Alternative Options

Two additional credentials have been defined to take advantage of the infrastructure created by the Federal government’s PIV program, but neither has received significant adoption.

PIV-I: (Personal Identity Verification – Interoperability)

It is a version of PIV with the same criteria as PIV. The US federal government needed a way to handle the identities and access of guest users, so it was proposed to be created.

  • Unlike PIV, no background checks are required, which directly impacts the level of suitability for access.
  • Follows Federal Bridge cross-certification certificate policies.
  • Origin: Federal CIO Council.

CIV: (Commercial Identity Verification)

CIV is a different protocol based on the PIV architecture, with the main distinction being that the standards are less stringent.

  • Follows the issuing organization’s policies.
  • Trusted credentials only within the issuing organization.
  • Origin: Smart Card Alliance Access Control Council

Conclusion

Personal Identity Verification (PIV) is a framework which is used to validate the identity. It was designed earlier for US federal government but is used widely now-a-days. The key features of PIV include identity proofing, lifecycle management and many more. PIV card is a smart card issued by US federal govt. which is used for validation purposes. It consists of many features such as confidentiality, integrity, non-repudiation etc. Basic personal Information are being stored in PIV Card. To protect PIV card various authentication mechanisms are used namely Card Validation, Credential Validation and Cardholder Validation. Though, with increasing use cases, new alternates of PIV are being discovered namely PIV-I and CIV which are yet to be widely recognized.

References

nvlpubs.nist.gov/nistpubs/specialpublications/nist.sp.800-73-4.pdf

Free Downloads

Datasheet of Encryption Consulting Services

Encryption Consulting is a customer focused cybersecurity firm that provides a multitude of services in all aspects of encryption for our clients.

Download

About the Author

Yathaarth Swaroop is a Consultant at Encryption Consulting, working with PKIs, HSMs and working as a consultant with high-profile clients.

You might also be interested in

Why You Need To Enable Secure Boot In Your PC Right Now?
Why You Need To Enable Secure Boot In Your PC Right Now? November 13, 2021
From 398 Days to 90 Days: Google’s Proposal to Shorten TLS Certificate Validity – How Prepared Are You?
From 398 Days to 90 Days: Google’s Proposal to Shorten TLS Certificate Validity – How Prepared Are You? May 18, 2023
The Microsoft Signed Rootkit Malware That Can Decrypt All Encrypted Communications
The Microsoft Signed Rootkit Malware That Can Decrypt All Encrypted Communications September 12, 2022
Securely upgrade to Vormetric Data Security Manage and seamlessly migrate to CipherTrust Manager
Securely upgrade to Vormetric Data Security Manage and seamlessly migrate to CipherTrust Manager July 2, 2022

Explore More Topics

Explore the full range of services offered by Encryption Consulting.

Feel free to schedule a demo to gain a comprehensive understanding of all the services Encryption Consulting provides.

Request a demo