NIST creates new challenges for HSPD-12 access systems

SP800-116 defines PIV credentials in the physical access control system

Change the way you think about factors of authentication

Woven throughout the SP800-116 document is the concept of authentication factors. Generally speaking there are three factors - something you have (card), something you know (PIN), and something you are (measured by a biometric). However, SP800-116 points out that if the authentication factor cannot be validated by a trusted authority, it cannot be considered in supporting a graduated scale of increasing levels of confidence in the cardholder identity. For instance, if the card is not authenticated by a digital signature then there is no confidence that it is not a forgery, and therefore any data from the card (FASC-N) or authenticated by the card (PIN) is questionable. By this reasoning, use of FASC-N without a CHUID signature check does not count as even a single authentication factor.

SP800-116 recommends use of asymmetric Card Authentication Key (CAK) for single factor authentication. CAK is available through the contact or contactless interface. Asymmetric key use requires interfacing with an external authority (download PDF showing assymetric key usage for PIV card implementations). Two-factor authentication requires entering a PIN in addition to presentation of the card. PIN validation is only available through the contact interface. Three-factor authentication uses the card, PIN and a biometric (from the card or from an external trusted source) and requires the contact interface.

Measuring progress on the path to implementation

The new recommendations from NIST are not yet part of the standard. Therefore, they have included in the document a means to measure how well an agency or a facility is progressing along the path to a full PIV implementation. NIST calls this the PIV Implementation Maturity Model (PIMM). There are five defined levels that range from Ad Hoc verification of PIV credentials mixed with legacy systems and badges to a future that entails the PIV card as the only credential that a federal employee or contractor carries and is the only credential accepted for access to controlled areas.

Meeting the challenges of complete implementation

The PIV vision is a credential that is issued to all federal government employees and contractors by their respective agencies, and that those agencies have reciprocal trust in other agencies' ability to vet employees and produce and issue a compliant credential. The vision is that such a credential be the sole identifier required for these users for physical as well as logical access to controlled areas or information.

NIST provides a number of qualities of the complete implementation of the PIV vision.

1. PIV authentication mechanisms are used wherever they are applicable, in accordance with HSPD-12 and FIPS 201.

2. Electronic authentication (as opposed to visual authentication, flash pass) is the common practice.

3. Electronic validation of the PIV card is done at or near the time of authentication.

4. All PIV card access control decisions are made by comparing an initial string of the FASC-N Identifier against the ACL entries.

5. PIV authentication mechanisms are applied based on the impact assessed for the area.

6. Cryptographic and biometric authentications are applied widely in moderate- and high-impact (FIPS199) areas.

7. Agencies exhibit reciprocal trust in the process assurance of PIV issuers.

8. Both new and upgraded PACS applications accept PIV cards as proof of identity for user registration/provisioning, user authentication, or both.

However, this poses a number of challenges for agencies that are struggling to meet basic requirements of using the PIV card. The most basic requirement that all of these qualities is built upon is the development of a risk-based impact assessment for the facility. This assessment will define the areas that SP800-116 designates as "unrestricted," "controlled," "limited," and "exclusion." The risk-based analysis of the assets to be protected will help facility security managers define the level of authentication (one-, two- or three-factor) that will be required to gain access to these facilities or areas.