Personal identity verification cards required for all federal employees and contractors will now be easier to use and more secure, thanks to new draft standards just released by the National Institute of Standards and Technology.

The changes incorporate the latest round of comments and revisions aimed at updating the original 2005 standard. “In 2011, we had our first draft,” said Hildegard Ferraiolo, a computer scientist with NIST. “We got about 1200 comments.”

Many of those comments requested changes that would make the cards more flexible for users while still maintaining the necessary security. Approval of many of the requests is reflected in new or updated standards in this second draft, and they will go into effect once the draft is finalized.

One group of comments focused on the existing requirement that, for physical entry to a building, all cards had to be inserted into a reader. Instead, commenters wanted to be able to simply hold their card in front of a reader, which would confirm the photo image on the card and allow entry into the building. Another suggestion was to have the card readers also confirm fingerprints on the card, depending upon agency requirements.

The new draft standards will allow this “contactless” or “virtual contact interface,” also known as “tap and go,” by means of a secure network channel intended to protect the card data and the authentication procedure.

Others providing comments wanted their PIV cards to “enable” mobile devices. This new capability doesn’t involve any direct contact between a card and a mobile device.
Instead, “the cardholder brings the card to the agency’s smartphone provisioning system,” Ferraiolo said. There, the card is authenticated, and a secure credential is “issued to the smartphone, where it can be used for access to mobile services or agency apps,” she said.

Other changes in the draft address comments dealing with card account maintenance. Currently, to reset a card’s PIN, “the card owner had to go in person to the issuer,” Ferraiolo said. “People wanted a remote capability to re-set the PIN.” That will now be allowed.

Another maintenance issue concerned updating identity credentials that expired before the card itself did. As with changing PINs, updating those credentials has required in-person visits by cardholders to the issuing authority.

Once the new draft standards are finalized, cardholders will be able to remotely update their credentials, assuming there have been no changes such as a new name because of marriage or divorce or a change in status such as from contractor to civil servant.

Card security will be enhanced by the replacement of the authentication piece of one type of electronic credential, called the cardholder unique identifier, or CHUID, with a new one. “CHUID was used mostly for physical access to buildings,” Ferraiolo said. “The new credential will be ‘tap and go.’ The new credential was optional. Now it’s mandatory and provides more assurance of identity than CHUID.” The CHUID data piece is still mandatory.

Because no one wants agencies to have to replace cards wholesale, “there will be a graceful change,” Ferraiolo said. “Agencies have 12 months to comply, and this has been coordinated with OMB.” Once the 12-month period is up, new cards must be issued with all the changes incorporated.

However, any cards issued with the old credentials at any time during the 12-month grace period, even the day before it ends, will not need to be replaced until they “expire naturally,” Ferraiolo said. Agencies are free, of course, to implement the changes for new cards as soon as they wish, at any time within the 12 months.

“The cards will have more options to use credentials through virtual interfaces, and they will be more secure because of the CHUID replacement,” Ferraiolo said.

Personal Identity Verification (PIV) of Federal Employees and Contractors (FIPS PUB 201-2) is available for review. Comments on this draft must be received by August 12, and they should be sent to piv_comments@nist.gov.