Security News Reading Time: 7 minutes

The Seamless Framework For Personal Identity Verification

Personal Identity Verification (PIV) is a NIST FIPS 201-2 security standard that establishes a framework for multi-factor authentication (MFA) using a smartcard. In simple words, PIV (Personal Identity Verification) can be stated as a multi-factor authentication solution that covers the entire identity lifecycle from identity proofing to secure credential issuance, physical access, and secure credential expiration.

In a single line, Personal Identity Verification is an identity management framework.

History

The United States federal government ordered the production of a common identity credential in 2004. It was originally designed only for US federal government but is now widely used in commercial applications. The reason behind its widespread usage is the standard’s high-assurance identity proofing and ability to use multi-factor authentication for security purposes such as preventing fraud, improving privacy, etc.

PIV Key Features

PIV is an excellent choice for businesses that must adhere to government regulations or work in highly regulated areas.

  • Identity proofing
  • Lifecycle management
  • Advanced Use cases
  • Physical/ IT System Access

Personal Identity Verification (PIV) Card

A personal identity verification (PIV) card is a smart card issued by the United States government that contains the information needed to provide access to federal facilities and information systems and ensure acceptable levels of security for all federal applications.A personal identification verification card has unique technologies that security reader systems can use for various purposes. FIPS establishes precise standards for these cards, including cryptographic methods to encrypt sensitive data and types of security, such as passwords and biometrics systems, to validate cardholders’ identities. Other characteristics, such as four mandatory cryptographic keys and key sizes, are also specified in the PIV card guidelines.

PIV Card Features

PIV card encrypts data and validates identity to ensure

  1. Integrity: It means only the card owner can change the data present inside the card.
  2. Confidentiality: It represents only the cardholder can read and access the data present on the card.
  3. Authenticity: It guarantee’s the source of data present.
  4. Non-Repudiation: It means there can’t be any false data.

With the PIV card, you may be more confident that all electronic communications, data storage, and retrieval will be more secured.

Information Stored in PIV Card

A PIV Card Application must include seven mandatory interoperable data elements and two conditionally obligatory data objects.Seven Mandatory elements consist of:

  • Card Capability Container
  • Card Holder Unique Identifier
  • X.509 Certificate  for PIV Authentication
  • X.509 Certificate for Card Authentication
  • Cardholder Fingerprints
  • Cardholder Facial Image
  • Security Object

Whereas, If the cardholder possesses a government-issued email account at the time of credential issuance, two data objects are required:

  • X.509 Certificate for Digital Signature
  • X.509 Certificate for Key Management

PIV Authentication Mechanisms

The primary objective of the PIV Card is to verify the cardholder’s identity with a system or person in charge of regulating access to a protected resource or facility. Various combinations of one or more of the validation processes outlined below may be used to achieve this aim.

Card Validation

This is the procedure for ensuring that a PIV Card is genuine. Card validation mechanisms include:

  • visual inspection of the PIV Card’s tamper-proofing and tamper-resistant characteristics
  • use of cryptographic challenge-response schemes with symmetric keys and,
  • use asymmetric authentication schemes to validate private keys embedded within the PIV Card.

Credential Validation

This is the procedure for authenticating the PIV Card’s numerous forms of credentials. Credential Validation mechanisms include:

  • visual inspection of PIV Card visual elements
  • verification of certificates on the PIV Card
  • verification of signatures on the PIV biometrics
  • Checking the expiration date and revocation status of the credentials on the PIV Card.

Cardholder Validation

This is the procedure for confirming that the PIV card is in possession of the person it was issued. Cardholder Validation mechanisms include:

  • presentation of a PIV Card by the cardholder
  • matching the visual characteristics of the cardholder with the photo on the PIV Card
  • matching the PIN provided with the PIN on the PIV Card and,
  • matching the live fingerprint samples provided by the cardholder with the biometric information embedded within the PIV Card.

Alternative Options

Two additional credentials have been defined to take advantage of the infrastructure created by the Federal government’s PIV program, but neither has received significant adoption.

PIV-I: (Personal Identity Verification – Interoperability)

It is a version of PIV with the same criteria as PIV. The US federal government needed a way to handle the identities and access of guest users, so it was proposed to be created.

  • Unlike PIV, no background checks are required, which directly impacts the level of suitability for access.
  • Follows Federal Bridge cross-certification certificate policies.
  • Origin: Federal CIO Council.

CIV: (Commercial Identity Verification)

CIV is a different protocol based on the PIV architecture, with the main distinction being that the standards are less stringent.

  • Follows the issuing organization’s policies.
  • Trusted credentials only within the issuing organization.
  • Origin: Smart Card Alliance Access Control Council

Conclusion

Personal Identity Verification (PIV) is a framework which is used to validate the identity. It was designed earlier for US federal government but is used widely now-a-days. The key features of PIV include identity proofing, lifecycle management and many more. PIV card is a smart card issued by US federal govt. which is used for validation purposes. It consists of many features such as confidentiality, integrity, non-repudiation etc. Basic personal Information are being stored in PIV Card. To protect PIV card various authentication mechanisms are used namely Card Validation, Credential Validation and Cardholder Validation. Though, with increasing use cases, new alternates of PIV are being discovered namely PIV-I and CIV which are yet to be widely recognized.

References

nvlpubs.nist.gov/nistpubs/specialpublications/nist.sp.800-73-4.pdf

Free Downloads

Datasheet of Encryption Consulting Services

Encryption Consulting is a customer focused cybersecurity firm that provides a multitude of services in all aspects of encryption for our clients.

Download

About the Author

Manimit Haldar's profile picture

Manimit Haldar is a Cyber Security Consultant with a passion for automation at Encryption Consulting. He bridges the gap between traditional security and cutting-edge technologies by leveraging his expertise in Artificial Intelligence (AI), Machine Learning (ML), and software development. Manimit strengthens client security by implementing robust solutions like PKI (Public Key Infrastructure) and automates processes with AI/ML for anomaly detection and threat analysis. His programming skills and knowledge of CLM (Certificate Lifecycle Management) ensure proper handling of digital certificates, further solidifying client security.

Explore the full range of services offered by Encryption Consulting.

Feel free to schedule a demo to gain a comprehensive understanding of all the services Encryption Consulting provides.

Request a demo