U.S. Commerce Secretary Carlos M. Gutierrez issued new standards Friday for government-issued smart cards specifying the technical and operational requirements to meet President Bush's mandate for standard federal ID credentials.
The standards call for all federal agencies and their contractors to be issued a credit-card-sized ID that contains a PIN, a digital photograph and two digitally stored fingerprints.
Gutierrez also announced all federal agencies have until October to meet the first part of the Personal Identity Verification (PIV) standard, which sets the minimum requirements needed to meet the presidential directive.
The standards are contained in three technical publications that outline several aspects of the required administrative procedures and technical specifications that are expected to change as the standard is implemented and used.
The first publication, Integrated Circuit Card for Personal Identity Verification, specifies the interface and data elements of the PIV card. The second, Biometric Data Specification for Personal Identity Verification, addresses the technical acquisition and formatting requirements for the biometric data of the PIV system.
The third document, Recommendations for Cryptographic Algorithms and Key Sizes, specifies the acceptable cryptographic algorithms and key sizes to be implemented and used for the PIV system.
In addition, further guidelines and recommendations are still needed to implement the PIV system, including ones covering the protection of the personal privacy of federal employees and authentication procedures. According to the Commerce Department, these activities will be pursued as resources permit.
"Protecting federal facilities, systems and the employees who have access to them is of vital importance to this administration," said Gutierrez.
Currently, the government uses a wide range of ID mechanisms to authenticate identity. For physical access, paper or other non-automated, hand-carried credentials, such as driver's licenses and badges, have traditionally been used. Access to computers and data has traditionally been authenticated through user-selected passwords.
More recently, cryptographic mechanisms and biometric techniques have been used in physical and logical security applications, replacing or supplementing the traditional credentials.
"This [new] standard defines authentication mechanisms offering varying degrees of security. Federal departments and agencies will determine the level of security and authentication mechanisms appropriate for their applications," the standards report states. "This standard does not specify access control policies or requirements for federal departments and agencies. Therefore, the scope of this standard is limited to authentication of an individual's identity. Access authorization decisions are outside the scope of this standard."