NIST Wants to Make PIV Cards Work for Smartphones in Two Years

The effort mirrors a Pentagon plan to improve identity verification on mobile devices.

The government’s cybersecurity standards agency will launch a process this year to make it easier to verify government employees’ identities when they access government data on mobile devices.

The updated standards for civilian government personal identity verification, or PIV, cards will focus on using the PIV card as a launching point for verifying identity on smartphones and other devices that are far afield from the desktop computers PIV cards were first used for in the early 2000s, said Matthew Scholl, division chief of the computer security division at the Commerce Department’s National Institute of Standards and Technology.

For example, an employee might use a PIV card to access information on a government computer and then use a special credential from the PIV card to authorize access to that information on a mobile device, Scholl told reporters after a NIST advisory board meeting Friday.

“You can’t stick a PIV card into this thing,” Scholl said, gesturing to a smartphone’s power and headphone outlet. “So how do we get a similarly strong identity credential but on a form factor that’s not PIV-friendly?”

The project, which will launch this year, was sparked in part by a major White House directive in April that required federal agencies to update how they verify employees’ identities, Scholl said.

That order required agencies to update their identity verification practices to match the current cyber threat from nation-state and criminal hackers and to make identity verification programs more adaptable to new and improved consumer software.

The project could last two years or longer before NIST issues updated standards, Scholl said.

NIST is working closely with the Pentagon, which is in the process of updating its own version of PIV, the common access card, or CAC card, Scholl said.

The Defense Information Systems Agency is also on a two-year schedule and hopes to integrate CAC credentials directly into smartphones, technical director Steve Wallace said in May.

DISA is considering using characteristics that are unique to individuals to verify identity, such as the hand pressure and wrist tension when the person holds a smartphone and the person’s peculiar gait while walking, Wallace said.