NIST Updates Specs for Mobile PIV Card Authentication

Andrey_Popov/Shutterstock.com

The new specifications could let employees keep their fingerprint data on the PIV card, among other functions.

The National Institute of Standards and Technology is attempting to make the personal identification cards that let federal employees access facilities or computers more secure. 

Last week, NIST released a new set of specifications for Personal Identity Verification cards that could help federal employees access federal networks from mobile devices, among other new features. NIST has released a series of specifications over the past few months, intended both for agencies considering updating and for vendors who make the cards and associated scanning hardware.

NIST outlined guidelines for secure communication between the PIV card and mobile devices, Hildegard Ferraiolo, NIST computer scientist and one of the publication's authors, told Nextgov. With an upgraded system, the cardholder could use email sign-ins and email encryption on mobile devices outside of federal facilities. 

Traditional PIV systems have "previously been prohibitive or restrictive," Ferraiolo said.

"Email sign-in and encryption, and also certain types of authentication, was only possible by inserting the card so you have a [connection] to your system," she said. "Now, those functions can be done directly between the card and the mobile device."

That protocol would also protect the card-device connection so "if somebody is trying to listen into that conversation . . . they can't figure out what it is," she added. 

The specifications also outline a system that would store a cardholder's fingerprints on the card itself; a cardholder might scan his or her fingerprint on a reader, but the reader would compare the scanned fingerprint to what's stored on the card, potentially preserving the cardholder's privacy, Ferraiolo said.

These new specifications are optional for departments and agencies, she said.

"The new optional capabilities have nothing to do with compliance . . . but it's a question of when the cards are on the approved products list," Ferraiolo added.

Though the specifications are out, she said, the new systems still need to undergo testing within NIST labs, among other groups -- so it's unclear when agencies could start adopting them. 
